44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b

General

Target

file.exe
Size

6.5MB
MD5

bfc5ea31b4aeefec1508e8f5b458e574
SHA1

976fe53a467068719f70a856dca3bb7b65a9d6dc
SHA256

44997a5aa2709c2cef26ea501d4f01140d34b59f0fd182282354598eef4b224b
SHA512

146ef0163df8be2c8e5a834c27d731c817e0540a30d4e4746109fd564c33d2d7f00560017f0d5b9ade9eea05611ed440f64022f97e30949e5bb58041452f590e
SSDEEP

98304:vi0rHj8I5IxALsFFyTFaYTXMHyAw8aMAKa392mAYYqUSoYTk0KGjp2kizn:vi0rDyraTFNKyLUAKw2B7qUShTkQjDir

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1196	Mp3tag.exe
2140	Mp3tag.exe

Loads dropped DLL 4 IoCs

pid	Process
2420	file.exe
1196	Mp3tag.exe
1196	Mp3tag.exe
2140	Mp3tag.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2752	2140	Mp3tag.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1196	Mp3tag.exe
2140	Mp3tag.exe
2140	Mp3tag.exe
2752	cmd.exe
2752	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2140	Mp3tag.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1196	2420	file.exe	30
PID 2420 wrote to memory of 1196	2420	file.exe	30
PID 2420 wrote to memory of 1196	2420	file.exe	30
PID 1196 wrote to memory of 2140	1196	Mp3tag.exe	31
PID 1196 wrote to memory of 2140	1196	Mp3tag.exe	31
PID 1196 wrote to memory of 2140	1196	Mp3tag.exe	31
PID 2140 wrote to memory of 2752	2140	Mp3tag.exe	32
PID 2140 wrote to memory of 2752	2140	Mp3tag.exe	32
PID 2140 wrote to memory of 2752	2140	Mp3tag.exe	32
PID 2140 wrote to memory of 2752	2140	Mp3tag.exe	32
PID 2140 wrote to memory of 2752	2140	Mp3tag.exe	32

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\Bijouterie\Mp3tag.exe
  "C:\Users\Admin\AppData\Local\Temp\Bijouterie\Mp3tag.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Roaming\Downloadplugin\Mp3tag.exe
    C:\Users\Admin\AppData\Roaming\Downloadplugin\Mp3tag.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9c996d45

Filesize
1.4MB

MD5
d29a43098ad888289e52abecdc2a6c6b

SHA1
30dae7ba0c6b6de231eb5950ade99c9688cb687e

SHA256
1bbf4c96e5e5b05127b0e7c3a7b10b1779f4af3055200a4c6271cb606cf6da2c

SHA512
14bc0e6e027bd72e910741bd8166c3a5b1a7a9bca7b4efa726319f40dc429e0221f2aea0d755579b1fae54aa6875c47b59a42c37db62463a7c38f27516777c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\Mp3tag.exe

Filesize
12.0MB

MD5
a7118dffeac3772076f1a39a364d608d

SHA1
6b984d9446f23579e154ec47437b9cf820fd6b67

SHA256
f1973746ac0a703b23526f68c639436f0b26b0bc71c4f5adf36dc5f6e8a7f4d0

SHA512
f547c13b78acda9ca0523f0f8cd966c906f70a23a266ac86156dc7e17e6349e5f506366787e7a7823e2b07b0d614c9bd08e34ca5cc4f48799b0fe36ac836e890

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\fgq

Filesize
1.2MB

MD5
f6461ccd814a2ead19beeba2125b5368

SHA1
449ede26eeb5234f02a9d4b5a19fa7b6ffc4a1df

SHA256
8fb4e6d589830f39db50877b542b11281e56762caaa2742719b2ac042dd6cbd1

SHA512
fa8c7368597d79451fc47447ea1ac9e831b2b7835c6542a161bd74b0084da66fff4ac0555dce0eea64630887a2d953674125b1e2e9295a37b7bac678dc606fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bijouterie\ymv

Filesize
14KB

MD5
c40639e251f6f49d3f4c140cd1fc3d9c

SHA1
7f531f2ad30f3bf2f637cea7087f3e432cc54adf

SHA256
2481d67eeef5025767464e90969c913f198eaa8171f8ebb8e61cd92ca880293f

SHA512
d327399a1fb31203fd1b8aa991369da907a4538bd77f69b0fc6568221cc3099300437d8e5f3f959c501ffcef2e728971f33e2fcf0d453e96a84458a23abb9480

Download Submit
\Users\Admin\AppData\Local\Temp\Bijouterie\tak_deco_lib.dll

Filesize
315KB

MD5
ee7f11beaf317ef7185b0cec9a8ccff4

SHA1
274ebb8d1adfa6d49e1d3fc85cf942357c8a7653

SHA256
6c2d0a8831e82fc3889e94ef3e986660e38175ae406fea5a66e3d1f5c014ee97

SHA512
cdeec3fbd4eff63f64aad6559c36654416afae5e7314df1a756580dc52b6024c52f0f3803356b85d2095dfc136de9234271a14ec843af3cf3836b67bb30362b1

Download Submit
memory/1196-17-0x000007FEF5B10000-0x000007FEF5C68000-memory.dmp

Filesize
1.3MB

Download
memory/1196-25-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2140-29-0x00000000001D0000-0x000000000022E000-memory.dmp

Filesize
376KB

Download
memory/2140-32-0x000007FEF6520000-0x000007FEF6678000-memory.dmp

Filesize
1.3MB

Download
memory/2140-33-0x000007FEF6520000-0x000007FEF6678000-memory.dmp

Filesize
1.3MB

Download
memory/2140-35-0x00000000001D0000-0x000000000022E000-memory.dmp

Filesize
376KB

Download
memory/2752-37-0x0000000076E50000-0x0000000076FF9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing