a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313c

General

Target

a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313cN.exe
Size

416KB
MD5

8a7e3af869e419b7120aad8086528180
SHA1

43b86e2dbc462e3a0d4f9e21f9accd504ea65650
SHA256

a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313c
SHA512

c46436ee506a6ee98350a543d6fa6c98bfb7e3910f16a85bfe102f21aacd17d1184372a958297d47baedb39a84ace6e562518123f6d414c212cbbfea08665eb1
SSDEEP

6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUM:ITNYrnE3bm/CiejewY5vR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2940	ximo2ubzn1i.exe

Loads dropped DLL 1 IoCs

pid	Process
2160	a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313cN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\c5e4gxfvd4v = "C:\\Users\\Admin\\AppData\\Roaming\\c5e4gxfvd4v\\ximo2ubzn1i.exe"	a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ximo2ubzn1i.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2940	2160	a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313cN.exe	30
PID 2160 wrote to memory of 2940	2160	a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313cN.exe	30
PID 2160 wrote to memory of 2940	2160	a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313cN.exe	30
PID 2160 wrote to memory of 2940	2160	a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313cN.exe	30
PID 2940 wrote to memory of 2904	2940	ximo2ubzn1i.exe	31
PID 2940 wrote to memory of 2904	2940	ximo2ubzn1i.exe	31
PID 2940 wrote to memory of 2904	2940	ximo2ubzn1i.exe	31
PID 2940 wrote to memory of 2904	2940	ximo2ubzn1i.exe	31
PID 2940 wrote to memory of 2904	2940	ximo2ubzn1i.exe	31
PID 2940 wrote to memory of 2904	2940	ximo2ubzn1i.exe	31
PID 2940 wrote to memory of 2904	2940	ximo2ubzn1i.exe	31

C:\Users\Admin\AppData\Local\Temp\a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313cN.exe
"C:\Users\Admin\AppData\Local\Temp\a4103128ccddadfc620eaf9d6c7454c590ef0cded61e46ae2bcdfd8ffc2e313cN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
  "C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe

Filesize
416KB

MD5
0b128f4e128f1cddd1609fec8cd915a2

SHA1
e53c1be036935dbf4660d54be111839f50be67c8

SHA256
106ffb0f6335764da744b5706ed6f6899f0e8c206bb3d88b390cd91c810f14be

SHA512
2734790cfd94e53d23119104053ca19de400fe5f902286a55e3705c9bed19d8a442058ceaed1a76429b9c18620794a67cb84fe248b4a61fc3a1a5f1b24f36e68

Download Submit
memory/2160-0-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x00000000002A0000-0x000000000030E000-memory.dmp

Filesize
440KB

Download
memory/2160-2-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2160-3-0x0000000000650000-0x000000000068C000-memory.dmp

Filesize
240KB

Download
memory/2160-12-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-14-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-13-0x0000000000300000-0x000000000036E000-memory.dmp

Filesize
440KB

Download
memory/2940-15-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-16-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-17-0x0000000074190000-0x000000007487E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads