eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbc

General

Target

eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Size

330KB
MD5

a609a93922ca6438097106c1d71602f0
SHA1

061cafa8aad40b665f78001d1fe11861800b19a3
SHA256

eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbc
SHA512

c7f578f898cea208ed91a28bac144ffe929933349d5e111b45f08933436e1287b6de5e0133bc3ce5d1dc6202c15b2e102626c09058226ae4daf3e42b498ce662
SSDEEP

3072:WkCaLgjKrY+6JhE58JeJ8DokH68mYkoQ36vdqDVkEmx3nBMFxbwOo25E2VWvQuB7:uaLa1CHqDokH680oFlHZ3nBS02VWDGg

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\CID\{4E007700-7300-5400-4100-500034003200}\1 = "5rCKdvjrDbkqggPZgJRrEvquaUp44+wkSG812KuZGQOCwd2bsrvMPEhaXTiNUYBfJBR8sq9iEXhCJeiz5SjG146KcyE2KdkiywuZMtXH/5+Z7vCshLYRuMx8Jj4WJ/QfPNfdHXeE/1SHPfHZOkKQwQHUAPUDE7fpGFHdAEZnUf2pts4jneCtniLvLnKmxelA7VOhsKY6RguwV5JkjYa7h6rudFiw8tAFhu1/UHGemJyDrhsKOGhgK9c1/q0wl4mUxM84q1YrJ7vfh7e7yhUwQtXkU7SESzvx+9YJVBkIraK8Pcjhy95Y9hc4VrfX1nK4TOKZG7D2JE+DY+Buu+qqhNrLEoIgGDMeHmX2deLRNUz0BwecYYi0ZZb3wx5bW4RzBoxCicpu3V7DvqUjMEOOhhS9v9ege3y6TfX3nAnHoCkthqWaQQZXGozfGguN3HAaHPAWGJByg6uVxkqA7nzZDCXh1NqGxJLwUYYaMkcl2zT8IELlgP5pFX3KKWlb1EN/"	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\CID\{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\CID\{6F003800-3000-7A00-4F00-660043004400}\1 = "Y49BpYyZ/S1VEmwvBgyZMKZweT6IXIRiQJvgsLpMfzZwXiv2ijlRF0Xu0/SAHgrvdo5xhlMc1E3roSbxX6Yet8hyo/IryM+zrR5yzo2SDEiN/+W90JdXSk1mgIgVgV9bdou5ifWAFieDFa9Pe4rgPDXq8KgtXytEjndbty8Uy3Ut8anIADu+TxjO4dHa/+/M"	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\CID\{6F003800-3000-7A00-4F00-660043004400}\1 = "Xf/L7afD8oJuRKO1fcYmya++PZOgOh45lKfBjvi6HvqJXZl0Mtxt3ZRROCT3spbt7KFGjZt37ow3vnbE/QiYlX9T8NYujBIQfif7FgPRoqRlW4/8zPBeJUh5vxGUUnibrGjgiLWGuKskOt7XRcps8+Yk6o5QAMz5oFGyHZeJbRh8gbnHcFuijouAIjKXu7s7"	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\CID\{4E007700-7300-5400-4100-500034003200}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\CID	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe

NTFS ADS 7 IoCs

description	ioc	Process
File created	C:\MSOCache:{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp:{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File created	C:\Users\Admin\AppData\Local\Temp:{4E007700-7300-5400-4100-500034003200}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File created	C:\Users\Admin\Documents\My Music:{4E007700-7300-5400-4100-500034003200}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File created	C:\MSOCache:{4E007700-7300-5400-4100-500034003200}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File created	C:\Users\Admin\AppData\Local\Temp:{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File created	C:\Users\Admin\Documents\My Music:{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1680	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
1680	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe

C:\Users\Admin\AppData\Local\Temp\eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
"C:\Users\Admin\AppData\Local\Temp\eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/1680-1-0x0000000000D50000-0x0000000000DA6000-memory.dmp

Filesize
344KB

Download
memory/1680-7-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/1680-8-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/1680-9-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing