4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6

General

Target

4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe
Size

279KB
MD5

55972f7d15273da7566f4f2b1a64200d
SHA1

3747c59123adf4f9cb1225fb2180a77166b13437
SHA256

4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6
SHA512

3b3bd465d8a98205a788ec298a5a3d1c0bb3665b10200534d2e2490ac5a9d0709b0a574cc7afea4a04cbdac111f92f18f68cc0bac42381a251652acd90ced25d
SSDEEP

6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fQ:boSeGUA5YZazpXUmZhZ6o

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	a1punf5t2of.exe

Loads dropped DLL 2 IoCs

pid	Process
1824	4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe
2700	a1punf5t2of.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"	4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1punf5t2of.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2700	1824	4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe	30
PID 1824 wrote to memory of 2700	1824	4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe	30
PID 1824 wrote to memory of 2700	1824	4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe	30
PID 1824 wrote to memory of 2700	1824	4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe	30
PID 1824 wrote to memory of 2700	1824	4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe	30
PID 1824 wrote to memory of 2700	1824	4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe	30
PID 1824 wrote to memory of 2700	1824	4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe	30
PID 2700 wrote to memory of 2244	2700	a1punf5t2of.exe	32
PID 2700 wrote to memory of 2244	2700	a1punf5t2of.exe	32
PID 2700 wrote to memory of 2244	2700	a1punf5t2of.exe	32
PID 2700 wrote to memory of 2244	2700	a1punf5t2of.exe	32
PID 2700 wrote to memory of 2244	2700	a1punf5t2of.exe	32
PID 2700 wrote to memory of 2244	2700	a1punf5t2of.exe	32
PID 2700 wrote to memory of 2244	2700	a1punf5t2of.exe	32

C:\Users\Admin\AppData\Local\Temp\4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe
"C:\Users\Admin\AppData\Local\Temp\4ff402a5d41e20740c3bca70bd0cdefa0a02e3e2c59772df79d6c773ab6cd2d6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
  "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
    "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
    3⤵
    PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Filesize
279KB

MD5
ceb8945303fb3a723c167d781dcd285c

SHA1
63e85d7c6cfe8c4b3f73c114370fc6be33c78010

SHA256
57272341896ffcf3fa2fbf9aac6ca1481fb190eb622bd4a15d2edf409a1c2042

SHA512
3d434f01127ca2cace3a82f97f8448f95e45c5267e1823b31801f5184d7ca6763194bf9bb7bcf8b6f02e02fa13cb74ac93b1d805507a70c6d7092cfa09235374

Download Submit
memory/1824-3-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-2-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-0-0x0000000074CD1000-0x0000000074CD2000-memory.dmp

Filesize
4KB

Download
memory/1824-4-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-5-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-1-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-14-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-16-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-15-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-17-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-18-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-19-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-21-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads