9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380

General

Target

9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380.exe
Size

416KB
MD5

f5f61aa2182eb8707744095a1e65aaeb
SHA1

68d375f660ebd5c0204a77e237fb05410f511980
SHA256

9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380
SHA512

634653742cfff7a03bbdb637b4158570630824386d6501376151e45c2cf55b9f13f5afef1cf200a2329cfecfdb546c65b79ee8030a6536daa435a5134e98093f
SSDEEP

6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUwg:ITNYrnE3bm/CiejewY5v0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	ximo2ubzn1i.exe

Loads dropped DLL 1 IoCs

pid	Process
2472	9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\c5e4gxfvd4v = "C:\\Users\\Admin\\AppData\\Roaming\\c5e4gxfvd4v\\ximo2ubzn1i.exe"	9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ximo2ubzn1i.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2744	2472	9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380.exe	30
PID 2472 wrote to memory of 2744	2472	9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380.exe	30
PID 2472 wrote to memory of 2744	2472	9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380.exe	30
PID 2472 wrote to memory of 2744	2472	9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380.exe	30
PID 2744 wrote to memory of 2960	2744	ximo2ubzn1i.exe	31
PID 2744 wrote to memory of 2960	2744	ximo2ubzn1i.exe	31
PID 2744 wrote to memory of 2960	2744	ximo2ubzn1i.exe	31
PID 2744 wrote to memory of 2960	2744	ximo2ubzn1i.exe	31
PID 2744 wrote to memory of 2960	2744	ximo2ubzn1i.exe	31
PID 2744 wrote to memory of 2960	2744	ximo2ubzn1i.exe	31
PID 2744 wrote to memory of 2960	2744	ximo2ubzn1i.exe	31

C:\Users\Admin\AppData\Local\Temp\9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380.exe
"C:\Users\Admin\AppData\Local\Temp\9522d75f57fb10033030a30ae704d30865f54817cd5bd0e26be69ffcee061380.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
  "C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe

Filesize
416KB

MD5
eb49ab63bece9ef38d05f13bab004389

SHA1
9696b8b4b79c90c2e0e17142cad208bd1c2be182

SHA256
f3f4a329a19e12f4a52cb151f98d6eecaa9fde67c9568824a43f805f5ce66299

SHA512
c3036fe7874d17ecd4a2c00ac77c2c064bb465d1c2a7cdcea46a27ea7c3e372d02dbaba4efec976ebf4844a56937fc8cead207761f21b8a5dffa1bb944a8b787

Download Submit
memory/2472-0-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/2472-1-0x0000000000A30000-0x0000000000A9E000-memory.dmp

Filesize
440KB

Download
memory/2472-2-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-3-0x00000000005E0000-0x000000000061C000-memory.dmp

Filesize
240KB

Download
memory/2472-14-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-12-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-13-0x0000000000E00000-0x0000000000E6E000-memory.dmp

Filesize
440KB

Download
memory/2744-15-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-16-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-17-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads