cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bba

General

Target

cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Size

193KB
MD5

cf7016c7901134c2660dc0880df500a0
SHA1

3d86e8fe7ff95be5c705b4e63a7c8d1bc0b95579
SHA256

cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bba
SHA512

64b8d3613a9075c0166148006a74865111f6729f00153474f7801fd20614057923924b2480ade357232d54d39f6de9d942f7f7452e56f6d2e7d58b208c90dfbd
SSDEEP

3072:sC5pS4ZmlxGHFdrKkojinHCo63Q77NPcO8I012sk/U6bOPQKZCl7dRz:HpS44lk7ojin0Q7JPA2Np6Pba

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: 33	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: SeIncBasePriorityPrivilege	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: 33	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: SeIncBasePriorityPrivilege	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: 33	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: SeIncBasePriorityPrivilege	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: 33	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: SeIncBasePriorityPrivilege	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: 33	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: SeIncBasePriorityPrivilege	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: 33	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: SeIncBasePriorityPrivilege	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: 33	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
Token: SeIncBasePriorityPrivilege	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2928	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe	30
PID 2296 wrote to memory of 2928	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe	30
PID 2296 wrote to memory of 2928	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe	30
PID 2296 wrote to memory of 2928	2296	cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe	30
PID 2928 wrote to memory of 580	2928	csc.exe	32
PID 2928 wrote to memory of 580	2928	csc.exe	32
PID 2928 wrote to memory of 580	2928	csc.exe	32
PID 2928 wrote to memory of 580	2928	csc.exe	32

C:\Users\Admin\AppData\Local\Temp\cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe
"C:\Users\Admin\AppData\Local\Temp\cf9ca254893c12e43d5d7059f58a55d7d6c68880eaf688fe21b9de4813142bbaN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rb5c4gqn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE37D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE37C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IsolatedStorage\njqbubuf.sfz\4yxdd5n1.tq4\Url.vtncc2fscj0out3vrm4ob5ux5xw4n45f\AssemFiles\D1E02126\D\UGxhdGZvcm0gT1MgQml0bmVzczogNjQ=.bin

Filesize
8B

MD5
33cdeccccebe80329f1fdbee7f5874cb

SHA1
3da89ee273be13437e7ecf760f3fbd4dc0e8d1fe

SHA256
7c9fa136d4413fa6173637e883b6998d32e1d675f88cddff9dcbcf331820f4b8

SHA512
991294f43425a5b80f8a5907ca7cdbb611401282585a58bb415077005428e3b4c0f661fc07ba5c45f627bd8bdcb172389ce2fda461c029b837abc70f0abbea20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE37D.tmp

Filesize
1KB

MD5
959d2767ce0a1ec7bf7b91ddd6f7eb9f

SHA1
edc80e546691fef67d1ad6487888372a09716dad

SHA256
92d12038bdfbedd324d0119bbfd09f396c0f154eefd75093f54676b20ac2f591

SHA512
5b311d27697f072cd30c390da5e1ff578809990c8ae3589a5c8b8c6085c6851eb3f75feafcd77f78b2f2b7318152dda709349371baa1ea462abd7d3880a82fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rb5c4gqn.dll

Filesize
8KB

MD5
09c3956519c771a3c6cfcabe320cc364

SHA1
8702722844cc8ed378cc8b913031b98daaad9172

SHA256
1a50f40467e1594250b6b918bfed9ba1ea547fd25bbec8c511dee97603617908

SHA512
374a3ac15f2438b71b063640a9f9210ef1bd8bf7be9ccda4c95cc6514ada9b57fff8df48a0b112d4728f2ca7dd1b93e2400c58d368ed4af5b79d2926a776969d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE37C.tmp

Filesize
652B

MD5
8524b30842474a7159652b4fdb80fd47

SHA1
2610a14cf0a0c3556d492150eceddb155f95d625

SHA256
718c6ed042554062e0cd08d583026f873fea8931a85065d9d3ba00e6f8f67e5a

SHA512
da20b17ef6933abc34ad8e4d22dea9cce1c9197ede81c344f09540e1a7d6f0afbaa8a3ff0d7bd4ce6453cae4bae1f0d9abaa58781c25e3502f1fdcdc9198828e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rb5c4gqn.0.cs

Filesize
10KB

MD5
d2d7e4693e3a527e3e490ab95191a3c2

SHA1
a2c76d1cdc6368ec51dec206e5c69c9db17c4841

SHA256
659ca8074c55b3167fff69c3eda03a5a732b7f661601f67630aac967d1830b92

SHA512
be84a53402b1f0d561141f3c9e0ce9f312382ba43d7af9982855cfd065e2bc44f031e4ea2ffa4d31ee627c132d0feb1d3771e03fd2b968c8216027f399abd247

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rb5c4gqn.cmdline

Filesize
638B

MD5
19710a4020750fadcf662f2e89c68984

SHA1
bdcda06a0c3d1a5be4f650f0419bca6aaf1d7904

SHA256
71d464fb695efbaef7865fb6fc1e2bb6e91ac5bdd761fbb4d8fa76cf2010e392

SHA512
3f33c8f47906195d7aecf508e9a4c9746e41804f604a5b9080597c9e089c9861e8c048eb8216d242802c8aae27b3f7fcf2ebc6ab7a2aef49ad352f96d1d58b79

Download Submit
memory/2296-10-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-23-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-11-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-0-0x00000000742A1000-0x00000000742A2000-memory.dmp

Filesize
4KB

Download
memory/2296-2-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-1-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-34-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-35-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-36-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-24-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2928-31-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing