1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6

General

Target

1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe
Size

521KB
MD5

f2736d53d3a1d83765d4b0c9b1c66cc0
SHA1

c5987fc8a3906b73b08bacee747b88a564bfdf0d
SHA256

1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6
SHA512

c48a030b09b11bee9f955b8057539899804411044d88168570d5b652c6ee36e9e2f4669f8231d258220b17cb9efcf91bda86f27e7219f2f845a87fa782e50ecf
SSDEEP

6144:KyH7xOc6H5c6HcT66vlmneTEyz4Y+kh6wHfta4FSzAfPbIa:KaVz4C6IHfPbH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1992	svchost.exe
2472	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe
1476	svchost.exe
2400	Un_A.exe

Loads dropped DLL 8 IoCs

pid	Process
1992	svchost.exe
2472	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe
2400	Un_A.exe
2400	Un_A.exe
2400	Un_A.exe
2400	Un_A.exe
2400	Un_A.exe
2400	Un_A.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un_A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2400	Un_A.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1992	1680	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe	31
PID 1680 wrote to memory of 1992	1680	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe	31
PID 1680 wrote to memory of 1992	1680	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe	31
PID 1680 wrote to memory of 1992	1680	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe	31
PID 1992 wrote to memory of 2472	1992	svchost.exe	32
PID 1992 wrote to memory of 2472	1992	svchost.exe	32
PID 1992 wrote to memory of 2472	1992	svchost.exe	32
PID 1992 wrote to memory of 2472	1992	svchost.exe	32
PID 2472 wrote to memory of 2400	2472	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe	34
PID 2472 wrote to memory of 2400	2472	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe	34
PID 2472 wrote to memory of 2400	2472	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe	34
PID 2472 wrote to memory of 2400	2472	1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe	34

C:\Users\Admin\AppData\Local\Temp\1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe
"C:\Users\Admin\AppData\Local\Temp\1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe
    "C:\Users\Admin\AppData\Local\Temp\1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2400

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
\Users\Admin\AppData\Local\Temp\1066659b0a4d81ab4291c100dfa2e770a2a0d71cf1e7912a26efde7cff9a9cb6N.exe

Filesize
486KB

MD5
19d88c388f768c1b4a449f005a73f068

SHA1
55d61025da4dd78d4c2593c2bf4e4d41d2d01d41

SHA256
7e11941a4c296c8f11295c81e6de7b176bbb2a801d3ab76bdb5aa6aeba6ee18c

SHA512
09291c081cc2bb828199e17d812e3ab07abf9af7c13bec4b2105a743e47eb29f3a27696f3e14228025e1f35287fc0cc9cea835a83b07abcd5ed2f2ebd40ee123

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB14.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB14.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB14.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nstDB14.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
memory/1476-63-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1680-5-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1992-15-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing