87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58

General

Target

87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
Size

988KB
MD5

18df057d5952c7f5366335ff201849b5
SHA1

6c421f13a590822d583689221569ceff31f2dbae
SHA256

87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58
SHA512

4533b5078683c46e727dd2462745c5893ad9231fa85165595af4242ff7d849af29b3bf8ec2c7f91f3e03acded594bdc7561545cbaf87edf4fc3ab37e349725de
SSDEEP

24576:UL3gqH9oc5KKhWIpBwxgCeg+5LxcvFEgOX9BMN4h7A0:UL3gK9d5KKMIp9CT+5WagODRBd

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe

pid	Process
2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe

description	pid	Process
Token: SeDebugPrivilege	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe

description	pid	Process	procid_target
PID 2236 wrote to memory of 2832	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	31
PID 2236 wrote to memory of 2832	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	31
PID 2236 wrote to memory of 2832	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	31
PID 2236 wrote to memory of 2832	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	31
PID 2236 wrote to memory of 2868	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	32
PID 2236 wrote to memory of 2868	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	32
PID 2236 wrote to memory of 2868	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	32
PID 2236 wrote to memory of 2868	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	32
PID 2236 wrote to memory of 2896	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	33
PID 2236 wrote to memory of 2896	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	33
PID 2236 wrote to memory of 2896	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	33
PID 2236 wrote to memory of 2896	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	33
PID 2236 wrote to memory of 2816	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	34
PID 2236 wrote to memory of 2816	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	34
PID 2236 wrote to memory of 2816	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	34
PID 2236 wrote to memory of 2816	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	34
PID 2236 wrote to memory of 2772	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	35
PID 2236 wrote to memory of 2772	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	35
PID 2236 wrote to memory of 2772	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	35
PID 2236 wrote to memory of 2772	2236	87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe	35

C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
"C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
  "C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe"
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
  "C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe"
  2⤵
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
  "C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe"
  2⤵
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
  "C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe
  "C:\Users\Admin\AppData\Local\Temp\87fca3267ca394e5bc414194c7c6dec142ae132921efaa2763c6d15f430d6c58.exe"
  2⤵
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2236-0-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000000340000-0x000000000043E000-memory.dmp

Filesize
1016KB

Download
memory/2236-2-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-3-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/2236-4-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-5-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/2236-6-0x0000000005E20000-0x0000000005EE0000-memory.dmp

Filesize
768KB

Download
memory/2236-7-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads