bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67

General

Target

bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe
Size

255KB
MD5

656ab127d78519e09dc5c5ac3fcfca60
SHA1

ae74b886a414c0168f637b48a762822e6029270f
SHA256

bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67
SHA512

f97fd196a0cdf34359f53dbb4efa9c89bd6f595df4a46cbc978a05d75f84b1cbe06a10c9961709573f2eb90d28c4c50fb60582ce22991a824a0b949d53dc8999
SSDEEP

6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQS4q:EeGUA5YZazpXUmZh94q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2820	a1punf5t2of.exe

Loads dropped DLL 2 IoCs

pid	Process
1520	bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe
2820	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2820	1520	bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe	30
PID 1520 wrote to memory of 2820	1520	bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe	30
PID 1520 wrote to memory of 2820	1520	bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe	30
PID 1520 wrote to memory of 2820	1520	bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe	30
PID 1520 wrote to memory of 2820	1520	bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe	30
PID 1520 wrote to memory of 2820	1520	bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe	30
PID 1520 wrote to memory of 2820	1520	bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe	30
PID 2820 wrote to memory of 2476	2820	a1punf5t2of.exe	31
PID 2820 wrote to memory of 2476	2820	a1punf5t2of.exe	31
PID 2820 wrote to memory of 2476	2820	a1punf5t2of.exe	31
PID 2820 wrote to memory of 2476	2820	a1punf5t2of.exe	31
PID 2820 wrote to memory of 2476	2820	a1punf5t2of.exe	31
PID 2820 wrote to memory of 2476	2820	a1punf5t2of.exe	31
PID 2820 wrote to memory of 2476	2820	a1punf5t2of.exe	31

C:\Users\Admin\AppData\Local\Temp\bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe
"C:\Users\Admin\AppData\Local\Temp\bd15554bea2ace2d3758ce88c991d0833850ae996e91e6a8774afc1ad5a4be67N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    3⤵
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
255KB

MD5
107f6f98b56b5426d6c6a462c353a437

SHA1
8de42f3386db324181da1c2dd01dc2b96457c34d

SHA256
bf1104970cd0ea6140eb3aca6b721559814e9fd5107a071d0bdfed32c5b72aba

SHA512
e5e67e035f895805f0ce085b688c2f0a0fe071ac6d7041cb3d0803f7cffa9209d9ed16e3e2bf1c82a42e762879bfae0632328d1de62d83517285aa3fa52d234a

Download Submit
memory/1520-15-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-1-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-3-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-4-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-5-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-6-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-2-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-0-0x0000000074491000-0x0000000074492000-memory.dmp

Filesize
4KB

Download
memory/2820-17-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-16-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-18-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-19-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-20-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-21-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-23-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads