3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74ab

General

Target

3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe
Size

116KB
MD5

edcd41158c2aa45ceb27f4ae2133efe0
SHA1

3668b96f737d8d4236bd90235b1618db695c5db2
SHA256

3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74ab
SHA512

5dfd9a68d52402f9e020b6948fa1985ab20baf9b17cc55b69940fd74dc41c09c82a6b01c8e6bfcfd29062575e67cd01b9ef0bad7ee66dca71db483ccc136539c
SSDEEP

3072:LoMRmT05NCp/yTeOXIahuID203N7X9yV9GboM9:LoMRmT050/qeqJuI605NyV0

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2848	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1868 set thread context of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe
1784	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1784	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe
2848	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1868 wrote to memory of 1784	1868	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	30
PID 1784 wrote to memory of 2848	1784	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	31
PID 1784 wrote to memory of 2848	1784	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	31
PID 1784 wrote to memory of 2848	1784	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	31
PID 1784 wrote to memory of 2848	1784	3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe	31
PID 2848 wrote to memory of 2536	2848	explorer.exe	32
PID 2848 wrote to memory of 2536	2848	explorer.exe	32
PID 2848 wrote to memory of 2536	2848	explorer.exe	32
PID 2848 wrote to memory of 2536	2848	explorer.exe	32
PID 2848 wrote to memory of 2228	2848	explorer.exe	33
PID 2848 wrote to memory of 2228	2848	explorer.exe	33
PID 2848 wrote to memory of 2228	2848	explorer.exe	33
PID 2848 wrote to memory of 2228	2848	explorer.exe	33

C:\Users\Admin\AppData\Local\Temp\3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe
"C:\Users\Admin\AppData\Local\Temp\3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe
  C:\Users\Admin\AppData\Local\Temp\3cb1f15cb48c1c929d50487870f3bc5e84b06f306b2ed315fca8a96a5b8c74abN.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" %1
      4⤵
      PID:2536
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1784-7-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/1784-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1784-3-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/1784-18-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/1784-17-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1784-16-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/1784-9-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/1784-6-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/1784-0-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1784-11-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/1784-15-0x0000000000400000-0x0000000000658000-memory.dmp

Filesize
2.3MB

Download
memory/1868-1-0x0000000000300000-0x0000000000305000-memory.dmp

Filesize
20KB

Download
memory/2228-22-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2228-24-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2228-23-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2848-21-0x0000000000820000-0x0000000000AA1000-memory.dmp

Filesize
2.5MB

Download
memory/2848-20-0x0000000000820000-0x0000000000AA1000-memory.dmp

Filesize
2.5MB

Download
memory/2848-19-0x0000000000820000-0x0000000000AA1000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing