eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbc

General

Target

eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Size

330KB
MD5

a609a93922ca6438097106c1d71602f0
SHA1

061cafa8aad40b665f78001d1fe11861800b19a3
SHA256

eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbc
SHA512

c7f578f898cea208ed91a28bac144ffe929933349d5e111b45f08933436e1287b6de5e0133bc3ce5d1dc6202c15b2e102626c09058226ae4daf3e42b498ce662
SSDEEP

3072:WkCaLgjKrY+6JhE58JeJ8DokH68mYkoQ36vdqDVkEmx3nBMFxbwOo25E2VWvQuB7:uaLa1CHqDokH680oFlHZ3nBS02VWDGg

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CID	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CID\{4E007700-7300-5400-4100-500034003200}\1 = "5rCKdvjrDbkqggPZgJRrEvquaUp44+wkSG812KuZGQOCwd2bsrvMPEhaXTiNUYBfJBR8sq9iEXhCJeiz5SjG146KcyE2KdkiywuZMtXH/5+Z7vCshLYRuMx8Jj4WJ/QfPNfdHXeE/1SHPfHZOkKQwQHUAPUDE7fpGFHdAEZnUf1Apjuk18c+GmQLmx7FLhkNCMbhJg+TkKug8eG4cv6LnQljwShvmLB7BU0ymymreETX7uCgllhq9W1sgTbPZff6TuMBMV+Hp+Oj/WyTLKY6XHYSmh8S0Erq+id5jY0FzIWE+OnCRdvfjxOg/VkikYglTIMYMnkmKIIYOax03aKJNgjkA6Lmp0OxO3LPON9JjJjoELFeT5uWe6iAZM0UzEAcTz6mTMOK1CP5EQskgI5sEY2Zxxh8bAPm9OLjoIGKztD20aObHVu/h/6IAYeKjhX00VBVNrYpvbMtjIOQsO/1wMoVhC+a3/Cq5JpGuJo5mqxs/mtgIr/zI7h1KMKRmLpc"	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CID\{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CID\{6F003800-3000-7A00-4F00-660043004400}\1 = "Y49BpYyZ/S1VEmwvBgyZMKZweT6IXIRiQJvgsLpMfzZwXiv2ijlRF0Xu0/SAHgrvdo5xhlMc1E3roSbxX6Yet8hyo/IryM+zrR5yzo2SDEiN/+W90JdXSk1mgIgVgV9bdou5ifWAFieDFa9Pe4rgPDXq8KgtXytEjndbty8Uy3Ut8anIADu+TxjO4dHa/+/M"	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CID\{6F003800-3000-7A00-4F00-660043004400}\1 = "Xf/L7afD8oJuRKO1fcYmya++PZOgOh45lKfBjvi6HvqJXZl0Mtxt3ZRROCT3spbt7KFGjZt37ow3vnbE/QiYlX9T8NYujBIQfif7FgPRoqRlW4/8zPBeJUh5vxGUUnibrGjgiLWGuKskOt7XRcps8+Yk6o5QAMz5oFGyHZeJbRh8gbnHcFuijouAIjKXu7s7"	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CID\{4E007700-7300-5400-4100-500034003200}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe

NTFS ADS 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\My Music:{4E007700-7300-5400-4100-500034003200}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File created	C:\PerfLogs:{4E007700-7300-5400-4100-500034003200}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File created	C:\Users\Admin\AppData\Local\Temp:{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File created	C:\Users\Admin\Documents\My Music:{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File created	C:\PerfLogs:{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp:{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File opened for modification	C:\PerfLogs:{6F003800-3000-7A00-4F00-660043004400}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
File created	C:\Users\Admin\AppData\Local\Temp:{4E007700-7300-5400-4100-500034003200}	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1516	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
1516	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe

C:\Users\Admin\AppData\Local\Temp\eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe
"C:\Users\Admin\AppData\Local\Temp\eb5b10a9f429ad6b96e6a1438f21120abe791c8b150f547a36c948dcbf38dcbcN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1516-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/1516-1-0x0000000000D00000-0x0000000000D56000-memory.dmp

Filesize
344KB

Download
memory/1516-2-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/1516-3-0x0000000005740000-0x00000000057DC000-memory.dmp

Filesize
624KB

Download
memory/1516-4-0x00000000069B0000-0x0000000006FC8000-memory.dmp

Filesize
6.1MB

Download
memory/1516-5-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/1516-6-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1516-15-0x00000000070A0000-0x000000000716E000-memory.dmp

Filesize
824KB

Download
memory/1516-16-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/1516-17-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing