7e5ba666475aac3d9c115cd4d791172d5189ebe444c8f4bdbe0575e570d45075

General

Target

Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
Size

1.2MB
MD5

1e956cce584ed3910b0914ed03c5b396
SHA1

c8e5c8f09696b8d5c81ed979a5eba7066eba5305
SHA256

0c79a0b34b24ef2f69bb07586863afa5d3631398f79b895390ec2beddaa4fb78
SHA512

47196bae5faebcb994d690651d7ce91ae35482f24c42ebd290b681dd5f60dda421368c20bd849d81d5f8c6e882ef084d3ed5c3ed118d1f7133a23e3cd7e66b3f
SSDEEP

24576:J6QP6K2CngiZucOaCrYz4jEmW/g+xRri3Md+clMr+b1E43:tPb2CgcyrKmW/PHi3Hrqv

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2708	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	31
PID 2520 wrote to memory of 2708	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	31
PID 2520 wrote to memory of 2708	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	31
PID 2520 wrote to memory of 2708	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	31
PID 2520 wrote to memory of 2756	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	32
PID 2520 wrote to memory of 2756	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	32
PID 2520 wrote to memory of 2756	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	32
PID 2520 wrote to memory of 2756	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	32
PID 2520 wrote to memory of 1776	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	33
PID 2520 wrote to memory of 1776	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	33
PID 2520 wrote to memory of 1776	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	33
PID 2520 wrote to memory of 1776	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	33
PID 2520 wrote to memory of 2524	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	34
PID 2520 wrote to memory of 2524	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	34
PID 2520 wrote to memory of 2524	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	34
PID 2520 wrote to memory of 2524	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	34
PID 2520 wrote to memory of 2684	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	35
PID 2520 wrote to memory of 2684	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	35
PID 2520 wrote to memory of 2684	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	35
PID 2520 wrote to memory of 2684	2520	Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe	35

C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
  "{path}"
  2⤵
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
  "{path}"
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
  "{path}"
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
  "{path}"
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\Purchase order O4500016955EqgcN9Xz7YZKqZ2.exe
  "{path}"
  2⤵
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2520-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x00000000002F0000-0x000000000042E000-memory.dmp

Filesize
1.2MB

Download
memory/2520-2-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2520-3-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2520-4-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2520-5-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2520-6-0x0000000004FE0000-0x0000000005038000-memory.dmp

Filesize
352KB

Download
memory/2520-7-0x0000000004400000-0x0000000004440000-memory.dmp

Filesize
256KB

Download
memory/2520-8-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing