adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c

General

Target

adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Size

330KB
MD5

b4c43aac90ebfdff825363d99dd93e7a
SHA1

45dca59dbbf512e66417a44bbfa2ea69b4e34b1b
SHA256

adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c
SHA512

86c20e661fd5192b821e32d5f0cb0bf9fa815009f1ede6bb1143a6ea23e927006e17e0d94ffdc966296471116510ec757372757787eb66b15da2167c166156ea
SSDEEP

3072:WkCaLgjKrY+6JhE58JeJ8DokH68mYkoQ36vdqDVkEmx3nBMFxbwOo25E2VWvQuBh:uaLa1CHqDokH680oFlHZ3nBS02VWDGgV

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CID\{4E007700-7300-5400-4100-500034003200}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CID	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CID\{4E007700-7300-5400-4100-500034003200}\1 = "5rCKdvjrDbkqggPZgJRrEvquaUp44+wkSG812KuZGQOCwd2bsrvMPEhaXTiNUYBfLg+cNogfmVDKL17R1WedAgkeni4CV3iC3reTyetydrl13fS81+9+1qpoY8MqYaMNRbQ6uukxG5vXu+SxOrWs4eDqf/79JaMwqPTKrJTkGGmMg0xlqOYocazadttibRInzQWXFqZiz5QVhBeCCVqQB09Zgmy6aIhfO7g/YmFCfTccXuo2myrQ6jGPnfu8P2g3rYo5H7Ij216XPh5SKCkHUV1TjMChCOY+euGgvFeJ47G908CdQsT/bA2iTQSGsLO1erID3Yzix9ZNu+V9RRMXBh8eiyh7lqY20ywAKdA9SFHwurpeNi6hE+5icBx3QtNUKwjLtrzD9b4rMWNBwRiK7hhFtDO8FzCc9UasgOn43OikejQWGgME+6ozM6BtEqHUKlXBtdQGOXIIN8xrRO1GA4BVorehmV7q3NU/wiBGQ1ljca6GB2FldW/ljEz5eFLc"	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CID\{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CID\{6F003800-3000-7A00-4F00-660043004400}\1 = "Y49BpYyZ/S1VEmwvBgyZMKZweT6IXIRiQJvgsLpMfzZwXiv2ijlRF0Xu0/SAHgrvCMtDCzoAmi6wEQGwGd0WlEqI8XSDItvffOMTbdCsLnHwd+DzaRnoYqEqi/cQ+PkhNOz8TAtsg9+/ygkcNZXfVrQh44GxD9+GnPTZY/Yj1taJEExi6AY0dJvh2ul4aRa2"	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CID\{6F003800-3000-7A00-4F00-660043004400}\1 = "Xf/L7afD8oJuRKO1fcYmya++PZOgOh45lKfBjvi6HvqJXZl0Mtxt3ZRROCT3spbtByyl30Fgd0vbaxI/fvNpGHMu2kBdX+do50+PqNLjXxIlPFB89K/AQwVOG9H+Y5iPzRV0w1qy2cug5Z+i5np6uXID3d7fS+ISKD82iuurU49DNwAfe5dnfDTzTJ5v20xA"	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe

NTFS ADS 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp:{4E007700-7300-5400-4100-500034003200}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File created	C:\Users\Admin\Documents\My Music:{4E007700-7300-5400-4100-500034003200}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File created	C:\PerfLogs:{4E007700-7300-5400-4100-500034003200}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File created	C:\Users\Admin\AppData\Local\Temp:{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File created	C:\Users\Admin\Documents\My Music:{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File created	C:\PerfLogs:{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp:{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
File opened for modification	C:\PerfLogs:{6F003800-3000-7A00-4F00-660043004400}	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4376	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
4376	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe

C:\Users\Admin\AppData\Local\Temp\adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe
"C:\Users\Admin\AppData\Local\Temp\adb45d32e594ac2ec1598b9272d41f13c6f02f3e7b9a246cc93d1d00a53ebc9c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4376-0-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

Filesize
4KB

Download
memory/4376-1-0x0000000000950000-0x00000000009A6000-memory.dmp

Filesize
344KB

Download
memory/4376-2-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/4376-3-0x0000000005280000-0x000000000531C000-memory.dmp

Filesize
624KB

Download
memory/4376-4-0x0000000006360000-0x0000000006978000-memory.dmp

Filesize
6.1MB

Download
memory/4376-5-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/4376-6-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-15-0x0000000006B60000-0x0000000006C2E000-memory.dmp

Filesize
824KB

Download
memory/4376-16-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

Filesize
4KB

Download
memory/4376-17-0x0000000074EF0000-0x00000000756A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing