b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1b

General

Target

b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe
Size

256KB
MD5

a260686fa8cb39e3100ffddb086c2ee0
SHA1

5237ea9f3bbc71b52de72816c01332b1d3d48e0c
SHA256

b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1b
SHA512

789cb135dc2877e438803ed4102f52b257e9274fabaacd00ca5d4fe074cfadb5abe60bb1a85e5b0b4473d2ea5204be0ba46dca077a70545d93b410d102666153
SSDEEP

6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ4l:EeGUA5YZazpXUmZhPl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2872	a1punf5t2of.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe
2872	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2872	2260	b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe	30
PID 2260 wrote to memory of 2872	2260	b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe	30
PID 2260 wrote to memory of 2872	2260	b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe	30
PID 2260 wrote to memory of 2872	2260	b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe	30
PID 2260 wrote to memory of 2872	2260	b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe	30
PID 2260 wrote to memory of 2872	2260	b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe	30
PID 2260 wrote to memory of 2872	2260	b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe	30
PID 2872 wrote to memory of 1232	2872	a1punf5t2of.exe	31
PID 2872 wrote to memory of 1232	2872	a1punf5t2of.exe	31
PID 2872 wrote to memory of 1232	2872	a1punf5t2of.exe	31
PID 2872 wrote to memory of 1232	2872	a1punf5t2of.exe	31
PID 2872 wrote to memory of 1232	2872	a1punf5t2of.exe	31
PID 2872 wrote to memory of 1232	2872	a1punf5t2of.exe	31
PID 2872 wrote to memory of 1232	2872	a1punf5t2of.exe	31

C:\Users\Admin\AppData\Local\Temp\b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe
"C:\Users\Admin\AppData\Local\Temp\b4a1471bd00c97659be8d2c5a52605ff27b398043e0cb779394e4bec5b8c5b1bN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    3⤵
    PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
256KB

MD5
ca46ff4cf5dcf7d078ec19bd5f949a18

SHA1
b24655a82ac213d54e7b5e2fdc250b2a0f8c5686

SHA256
13846983d37bef53b552b19513841845eb7a1f6b28c0e66d4b4efbac241d8ece

SHA512
741174a109782f60245452a917c51acbd455930e7b883b76caa13a8c3a9ba4db8851755b78c3ad4829d7853b8d169cc7a1855c87ccd0fef5f43ad6eeaf901e11

Download Submit
memory/2260-3-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2260-2-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2260-0-0x0000000074C41000-0x0000000074C42000-memory.dmp

Filesize
4KB

Download
memory/2260-4-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2260-5-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2260-1-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2260-13-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-15-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-17-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-16-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-18-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-19-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-20-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download
memory/2872-22-0x0000000074C40000-0x00000000751EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads