d6b1942ae351c4aa9a324b636228c5cc6623102b2651ccd65daafdc792a3284a

General

Target

d6b1942ae351c4aa9a324b636228c5cc6623102b2651ccd65daafdc792a3284a.exe
Size

208KB
MD5

dc1df38e26eca38e38b6fcb0d7bd6901
SHA1

c7fc2d4102d8e70f05c82762f324b23e5f84d7a3
SHA256

d6b1942ae351c4aa9a324b636228c5cc6623102b2651ccd65daafdc792a3284a
SHA512

376baa0a98b9ef5df8b0633cb9ec35e0a8167bc77f77c25d8e828eadb6d9523af6cc9f7bef1a38aa910857c6ea1debfaea55302e995bc13386c9c17f124cb7e6
SSDEEP

3072:JO+bY++73VQdqPg7WqD+NhGJZstCVH9xGSp+BPq19XAHtUcmzM:MWWzcJZs0d91WPquUcmg

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	d6b1942ae351c4aa9a324b636228c5cc6623102b2651ccd65daafdc792a3284a.exe

Executes dropped EXE 1 IoCs

pid	Process
1580	IEMontior.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6b1942ae351c4aa9a324b636228c5cc6623102b2651ccd65daafdc792a3284a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEMontior.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3952	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	IEMontior.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4532	3644	d6b1942ae351c4aa9a324b636228c5cc6623102b2651ccd65daafdc792a3284a.exe	87
PID 3644 wrote to memory of 4532	3644	d6b1942ae351c4aa9a324b636228c5cc6623102b2651ccd65daafdc792a3284a.exe	87
PID 3644 wrote to memory of 4532	3644	d6b1942ae351c4aa9a324b636228c5cc6623102b2651ccd65daafdc792a3284a.exe	87
PID 4532 wrote to memory of 3952	4532	cmd.exe	89
PID 4532 wrote to memory of 3952	4532	cmd.exe	89
PID 4532 wrote to memory of 3952	4532	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\d6b1942ae351c4aa9a324b636228c5cc6623102b2651ccd65daafdc792a3284a.exe
"C:\Users\Admin\AppData\Local\Temp\d6b1942ae351c4aa9a324b636228c5cc6623102b2651ccd65daafdc792a3284a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "IEMontior" /tr "C:\Users\Admin\AppData\Local\IEMontior.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "IEMontior" /tr "C:\Users\Admin\AppData\Local\IEMontior.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3952

C:\Users\Admin\AppData\Local\IEMontior.exe
C:\Users\Admin\AppData\Local\IEMontior.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IEMontior.exe

Filesize
208KB

MD5
a7cc268c2400c3ebfec656c742a17710

SHA1
c0585651cf41c62686b67a65e8ef9e12f925c6e3

SHA256
e8d01bd504fcfeb9f1ea11fb1b2840d2d4f90215b39c74f755ccfd02be2266fe

SHA512
e2c26ce37ff658646e4dc977fd71e152f30e3f4425288a5c8a01da23110fbcd7db7503bc7650160f1b87cbe2d4e55c80113fadd8b7908a2de574a80605505554

Download Submit
memory/1580-9-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/1580-10-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/1580-11-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/1580-12-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/1580-13-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3644-0-0x0000000074AD2000-0x0000000074AD3000-memory.dmp

Filesize
4KB

Download
memory/3644-1-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3644-2-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3644-3-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download
memory/3644-6-0x0000000074AD0000-0x0000000075081000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads