db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92

General

Target

db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe
Size

176KB
MD5

3666330031fe957cf31bc170fb793f5b
SHA1

6231b729f475efc4545c622788d3b89014a45007
SHA256

db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92
SHA512

77f0efe1cd6097015514450bfe8da716eb9906e8e82e5c5044d9ec53d9abfdf259f4539f9ad438e020466bc872fc44a0ad192c30697c85a748eb247b00adf737
SSDEEP

3072:sc4GQx3mAbm5XgshrK6RLzaVE1Hvb3qzpUupNctpAIZbhIMxSiBP61:OGEoh260VOHvb6fpCAIRrSiJk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1964	winservice.exe

Loads dropped DLL 2 IoCs

pid	Process
780	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe
780	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\winsystem\winservice.exe	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe
File opened for modification	C:\Windows\winsystem\winservice.exe	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe
File created	C:\Windows\winsystem\Task.xml	winservice.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
780	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe
780	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe
780	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe
1964	winservice.exe
1964	winservice.exe
1964	winservice.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 1964	780	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe	32
PID 780 wrote to memory of 1964	780	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe	32
PID 780 wrote to memory of 1964	780	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe	32
PID 780 wrote to memory of 1964	780	db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe	32
PID 1964 wrote to memory of 2764	1964	winservice.exe	33
PID 1964 wrote to memory of 2764	1964	winservice.exe	33
PID 1964 wrote to memory of 2764	1964	winservice.exe	33
PID 1964 wrote to memory of 2764	1964	winservice.exe	33
PID 2764 wrote to memory of 2652	2764	cmd.exe	35
PID 2764 wrote to memory of 2652	2764	cmd.exe	35
PID 2764 wrote to memory of 2652	2764	cmd.exe	35
PID 2764 wrote to memory of 2652	2764	cmd.exe	35
PID 2764 wrote to memory of 2208	2764	cmd.exe	36
PID 2764 wrote to memory of 2208	2764	cmd.exe	36
PID 2764 wrote to memory of 2208	2764	cmd.exe	36
PID 2764 wrote to memory of 2208	2764	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe
"C:\Users\Admin\AppData\Local\Temp\db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\winsystem\winservice.exe
  C:\Windows\winsystem\winservice.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c mode con cp select=437&schtasks /query /tn "Microsoft\Windows\Windows Error Reporting\QueueReporting" /xml
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\mode.com
      mode con cp select=437
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /query /tn "Microsoft\Windows\Windows Error Reporting\QueueReporting" /xml
      4⤵
      System Location Discovery: System Language Discovery
      PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\winsystem\winservice.exe

Filesize
176KB

MD5
3666330031fe957cf31bc170fb793f5b

SHA1
6231b729f475efc4545c622788d3b89014a45007

SHA256
db556f215eb5529d17505dc63193c735ec7b72a74fc12c6a9a5631f407a40d92

SHA512
77f0efe1cd6097015514450bfe8da716eb9906e8e82e5c5044d9ec53d9abfdf259f4539f9ad438e020466bc872fc44a0ad192c30697c85a748eb247b00adf737

Download Submit

Analysis

Sharing