317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3c

General

Target

317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3cN.exe
Size

416KB
MD5

98a5b7aae088d08f55b0a85507368c90
SHA1

55a57c1759e564d09a48b844f4abe2ae5b72ea9f
SHA256

317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3c
SHA512

4ef5f2eba9718efc30e3bb4dd6e2577a4573d1bd579eff28951f60c580d4be0de05690f902df04a2101ee74887ac07e00762abf552bc5f6d3268e544f75d62dc
SSDEEP

6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RU7p:ITNYrnE3bm/CiejewY5vC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	ximo2ubzn1i.exe

Loads dropped DLL 1 IoCs

pid	Process
2240	317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3cN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\c5e4gxfvd4v = "C:\\Users\\Admin\\AppData\\Roaming\\c5e4gxfvd4v\\ximo2ubzn1i.exe"	317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ximo2ubzn1i.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2108	2240	317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3cN.exe	31
PID 2240 wrote to memory of 2108	2240	317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3cN.exe	31
PID 2240 wrote to memory of 2108	2240	317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3cN.exe	31
PID 2240 wrote to memory of 2108	2240	317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3cN.exe	31
PID 2108 wrote to memory of 2872	2108	ximo2ubzn1i.exe	32
PID 2108 wrote to memory of 2872	2108	ximo2ubzn1i.exe	32
PID 2108 wrote to memory of 2872	2108	ximo2ubzn1i.exe	32
PID 2108 wrote to memory of 2872	2108	ximo2ubzn1i.exe	32
PID 2108 wrote to memory of 2872	2108	ximo2ubzn1i.exe	32
PID 2108 wrote to memory of 2872	2108	ximo2ubzn1i.exe	32
PID 2108 wrote to memory of 2872	2108	ximo2ubzn1i.exe	32

C:\Users\Admin\AppData\Local\Temp\317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3cN.exe
"C:\Users\Admin\AppData\Local\Temp\317c98c6a3bd2983a4802e6694b95964ebebf4692f2b9d136fb46c817bd44e3cN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
  "C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe

Filesize
416KB

MD5
acf5ef3d44eeed705aec494e6500c135

SHA1
659f9f8639724db85a17aebf6c2b144671e5936a

SHA256
e4cb2b85eceb9ef062cf95feac453f187c376258d2cfba03198e2519bd1adf32

SHA512
9aa1de2b8355c9e72e5441591fca1cd82df5e2c1ad4234cbc643fa14cb674626fb96f61ea6eb562c3ca7a9b0deeff396468306c7e6ee3e88eb8299ab2223bc37

Download Submit
memory/2108-13-0x00000000009E0000-0x0000000000A4E000-memory.dmp

Filesize
440KB

Download
memory/2108-12-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-15-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-16-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-17-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x0000000000A80000-0x0000000000AEE000-memory.dmp

Filesize
440KB

Download
memory/2240-2-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-3-0x00000000009A0000-0x00000000009DC000-memory.dmp

Filesize
240KB

Download
memory/2240-14-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads