a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4

General

Target

a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe
Size

34KB
MD5

579ba1f94a20b664bbf50263b093c750
SHA1

cb5a6bd565b0cd8792b319263422cda67b75398b
SHA256

a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4
SHA512

9665e476db44bbded331b9c6536fa6327971dd6614a5739d3e8b4c79d0dfd714a3bd81b10eb68023cafcc11789e63bb67f158608eb7907200ff53ddbcc13db29
SSDEEP

768:Mp2FrwTmoTvjC0+ydn5GAX3+gUDog3FlJA:gwr2C0+yEZDogHK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	viewpdf_updater.exe

Loads dropped DLL 4 IoCs

pid	Process
2756	a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe
2672	viewpdf_updater.exe
2672	viewpdf_updater.exe
2672	viewpdf_updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viewpdf_updater.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2672	2756	a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe	30
PID 2756 wrote to memory of 2672	2756	a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe	30
PID 2756 wrote to memory of 2672	2756	a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe	30
PID 2756 wrote to memory of 2672	2756	a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe	30
PID 2756 wrote to memory of 2672	2756	a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe	30
PID 2756 wrote to memory of 2672	2756	a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe	30
PID 2756 wrote to memory of 2672	2756	a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe	30

C:\Users\Admin\AppData\Local\Temp\a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe
"C:\Users\Admin\AppData\Local\Temp\a774ee443fdfaf299c71a9e59eb9e2e4f907edc49807ff328128d164d5d855f4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\viewpdf_updater.exe
  "C:\Users\Admin\AppData\Local\Temp\viewpdf_updater.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\1103UKp[1].htm

Filesize
269B

MD5
63180a4464f3eec5c14f60e7e5be16f6

SHA1
c23a7baf3c8fae6ccc6916222a930be661e90806

SHA256
870aee10a54afcdb8ec5b50a2cb71c1aad26dc326273662c90bbb643c6985883

SHA512
7fe0f02a658b64c10e05b5f9e079f24a7c9b03a88c265e5644144e28ace0bdb70f6075f99b86f4af67f0400e1935367681f807c9b7a4dbbc92171925ce382f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\1103UKp[1].htm

Filesize
246B

MD5
0e7ef54c21a9cec1973643337acba393

SHA1
fb282cc3d39c1525b96feb53a658305178f3cc06

SHA256
12c0454bb10fd175f2a7fa7b3650883008c48bf2b1a7fe60dcf0109f0c505f8c

SHA512
a03b8f71783f178f41ad752b8c7904b5842483154a691a9e50327e85049ee113475f4b203aa2ea793de0c685f0ec64a0761db04a74aba4250e45b5d552019217

Download Submit
\Users\Admin\AppData\Local\Temp\viewpdf_updater.exe

Filesize
34KB

MD5
457fce982b9c3580d08218b37566c786

SHA1
d8570acba4d46015793fe8a4536f9271e61cd0bc

SHA256
9c839f0ee771e67cf70ac0491b1cf6171d98f695c1b1d0c25f32e520a1404291

SHA512
ac5d1dff1d7ba76ce6f2fd9effa9b8a5371833aa6dcbac3e9e88634f7e93e7a1bc0f1f82bdb5d04ee4622bde34c66c0f51abb79749c98150c397390c84cc44c1

Download Submit
memory/2672-14-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/2672-13-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/2672-16-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/2672-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2672-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2672-21-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/2756-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2756-1-0x0000000000402000-0x0000000000404000-memory.dmp

Filesize
8KB

Download
memory/2756-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing