adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c

General

Target

adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Size

330KB
MD5

b4c43aac90ebfdff825363d99dd93e7a
SHA1

45dca59dbbf512e66417a44bbfa2ea69b4e34b1b
SHA256

adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c
SHA512

86c20e661fd5192b821e32d5f0cb0bf9fa815009f1ede6bb1143a6ea23e927006e17e0d94ffdc966296471116510ec757372757787eb66b15da2167c166156ea
SSDEEP

3072:WkCaLgjKrY+6JhE58JeJ8DokH68mYkoQ36vdqDVkEmx3nBMFxbwOo25E2VWvQuBh:uaLa1CHqDokH680oFlHZ3nBS02VWDGgV

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CID\{4E007700-7300-5400-4100-500034003200}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CID	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CID\{4E007700-7300-5400-4100-500034003200}\1 = "5rCKdvjrDbkqggPZgJRrEvquaUp44+wkSG812KuZGQOCwd2bsrvMPEhaXTiNUYBfLg+cNogfmVDKL17R1WedAgkeni4CV3iC3reTyetydrl13fS81+9+1qpoY8MqYaMNRbQ6uukxG5vXu+SxOrWs4eDqf/79JaMwqPTKrJTkGGkkPZ/MfUA56mUxT/M2SQ4833XzoxVYZO9f1O7zL6KTQFl7+MrgalqzT7REPeHyzQLPDdpGwuz+U5c8nNJNTFKr4LaU3XM6RcreBa643sakUnQtWtJWRklS+yxbLoJm48OxsyPSHUSWXBQYdnyCYm61mbWJm/lsz53OPQDEqJqWYMvhL8qgy7E5kO6SF+QB2ux0k7EDhj2e4eQMjq2uP7IdWLxSgsUpx8QGJMiCZDVqPKNkt6WcVC9WxnKIyTTnLIVacCzs8EdY6SU5UDNBRug0LBmTG7CdNVXC9YwwYOaXfw=="	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CID\{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CID\{6F003800-3000-7A00-4F00-660043004400}\1 = "Y49BpYyZ/S1VEmwvBgyZMKZweT6IXIRiQJvgsLpMfzZwXiv2ijlRF0Xu0/SAHgrvCMtDCzoAmi6wEQGwGd0WlEqI8XSDItvffOMTbdCsLnHwd+DzaRnoYqEqi/cQ+PkhNOz8TAtsg9+/ygkcNZXfVrQh44GxD9+GnPTZY/Yj1taJEExi6AY0dJvh2ul4aRa2"	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\CID\{6F003800-3000-7A00-4F00-660043004400}\1 = "Xf/L7afD8oJuRKO1fcYmya++PZOgOh45lKfBjvi6HvqJXZl0Mtxt3ZRROCT3spbtByyl30Fgd0vbaxI/fvNpGHMu2kBdX+do50+PqNLjXxIlPFB89K/AQwVOG9H+Y5iPzRV0w1qy2cug5Z+i5np6uXID3d7fS+ISKD82iuurU49DNwAfe5dnfDTzTJ5v20xA"	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe

NTFS ADS 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\My Music:{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File created	C:\MSOCache:{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp:{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File created	C:\Users\Admin\AppData\Local\Temp:{4E007700-7300-5400-4100-500034003200}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File created	C:\Users\Admin\Documents\My Music:{4E007700-7300-5400-4100-500034003200}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File created	C:\MSOCache:{4E007700-7300-5400-4100-500034003200}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File created	C:\Users\Admin\AppData\Local\Temp:{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2644	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
2644	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe

C:\Users\Admin\AppData\Local\Temp\adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
"C:\Users\Admin\AppData\Local\Temp\adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2644-0-0x00000000741CE000-0x00000000741CF000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000001130000-0x0000000001186000-memory.dmp

Filesize
344KB

Download
memory/2644-7-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download
memory/2644-8-0x00000000741CE000-0x00000000741CF000-memory.dmp

Filesize
4KB

Download
memory/2644-9-0x00000000741C0000-0x00000000748AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing