ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03

General

Target

ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe
Size

673KB
MD5

9698e68f2aaf0bbffdbea8c34236cd6e
SHA1

3c6d590bcd7a1b5b2da2d0ac9f8e4ad392306984
SHA256

ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03
SHA512

b3e5a2709eeb4e542a1faeb4c86a0f6feb271a1cf424f3fbd05a1079dd6eb7060b64fc07b67139403566c24d94d07b82afcb7f9abdbd4dd2490e7c288460cda1
SSDEEP

12288:3Z8nkF9oy1ADvMKdhAS0jjLz7hoo3RpEcvALALdt/xBot/FcEic/3IWVscSfVo8t:3Z8nkF9oySiLz72ooSru/so3V9xmFP9

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2828	service.exe
2856	service.exe

Loads dropped DLL 3 IoCs

pid	Process
2340	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe
2340	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe
2828	service.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Service Application = "C:\\Users\\Admin\\AppData\\Local\\Temp\\service.exe"	service.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2340	2324	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	31
PID 2828 set thread context of 2856	2828	service.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	service.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2340	2324	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	31
PID 2324 wrote to memory of 2340	2324	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	31
PID 2324 wrote to memory of 2340	2324	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	31
PID 2324 wrote to memory of 2340	2324	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	31
PID 2324 wrote to memory of 2340	2324	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	31
PID 2324 wrote to memory of 2340	2324	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	31
PID 2324 wrote to memory of 2340	2324	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	31
PID 2324 wrote to memory of 2340	2324	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	31
PID 2340 wrote to memory of 2700	2340	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	32
PID 2340 wrote to memory of 2700	2340	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	32
PID 2340 wrote to memory of 2700	2340	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	32
PID 2340 wrote to memory of 2700	2340	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	32
PID 2340 wrote to memory of 2828	2340	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	34
PID 2340 wrote to memory of 2828	2340	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	34
PID 2340 wrote to memory of 2828	2340	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	34
PID 2340 wrote to memory of 2828	2340	ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe	34
PID 2828 wrote to memory of 2856	2828	service.exe	35
PID 2828 wrote to memory of 2856	2828	service.exe	35
PID 2828 wrote to memory of 2856	2828	service.exe	35
PID 2828 wrote to memory of 2856	2828	service.exe	35
PID 2828 wrote to memory of 2856	2828	service.exe	35
PID 2828 wrote to memory of 2856	2828	service.exe	35
PID 2828 wrote to memory of 2856	2828	service.exe	35
PID 2828 wrote to memory of 2856	2828	service.exe	35

C:\Users\Admin\AppData\Local\Temp\ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe
"C:\Users\Admin\AppData\Local\Temp\ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe
  "C:\Users\Admin\AppData\Local\Temp\ede5e8eec2465e1c8f1a1a68a7491709326d2c51e77d46196306aa36cc75dc03.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\remove34520.bat" "
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\service.exe
    "C:\Users\Admin\AppData\Local\Temp\service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\service.exe
      "C:\Users\Admin\AppData\Local\Temp\service.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\service.exe

Filesize
673KB

MD5
881526663006add99aed9fc5026bac2e

SHA1
33aa81b3561d8d4397053b5646e752e0308717e4

SHA256
576c03aa8c344904948d299c993323a22dbea3d08d3c75c2a1f301395db9db77

SHA512
adb112529a0a1866e6671f61f2048fca2e5d53956e70abff86425e74c7f64010bef49fa591aeb5091461b680040309706b27d06794cab70be2810daacbd3d2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\shell32.dll

Filesize
51B

MD5
1b14debf5222d4926612073b9e400c34

SHA1
9624eb146bad10e31165c5856b8aa9933524a853

SHA256
e52dc89fa8fbf6c1a4a2c8f9bf490c8b88d2800a9e19e602bcaca6d544dd1774

SHA512
645018818cea119ea5378d2611a366257994008a5d663aea6cbab6c009aff64a89ad398cd0da3f0315ecd50e5e4aff75d68bcab2ecc653fdf16680dbc8b6f5fa

Download Submit
C:\Users\Admin\remove34520.bat

Filesize
267B

MD5
f5562b5d52065c39348606477f983b9b

SHA1
f61f1ada62250ec1edf847d1de07492cd5e3336b

SHA256
bb62ec853309179c304564ce53ffac39467f4dc0d2b4cdbaadb2a0506f613219

SHA512
48881e362e8854918197c80c8f4e7319273c814c3ba81bc22bc582357b9e7b510fcae39dee1cbfdeea4b6207b5e8c0302ec20995a55676edc025f80b41afadd9

Download Submit
memory/2324-9-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2340-4-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2340-2-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2340-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2340-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2340-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2340-6-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2340-40-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2340-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2828-53-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2856-54-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2856-56-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2856-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2856-58-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads