93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07

General

Target

93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe
Size

1.8MB
MD5

8d6963f97d8dcb8db331f6f977aa5aab
SHA1

86be0ba076ff151ee56d2e914ef3961f3389ddd4
SHA256

93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07
SHA512

0b8c17be6315987e9f38ae28da8c960782733374dfbf7e06773e2c71c17276f93187f0084389624e0454e97593aa6b352563e17f3fdcbc8d656073f31d7dbfd6
SSDEEP

24576:HawwKusHwEwSDMn6pGqKjWidUSeMITCqgcfyr4Py6K22i+i8rtVs1ZY7jQY71Y:XwREDDMZjdHeMxWrP+beY7UY71Y

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2412	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.tmp

Loads dropped DLL 2 IoCs

pid	Process
2120	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe
2412	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2412	2120	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe	30
PID 2120 wrote to memory of 2412	2120	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe	30
PID 2120 wrote to memory of 2412	2120	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe	30
PID 2120 wrote to memory of 2412	2120	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe	30
PID 2120 wrote to memory of 2412	2120	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe	30
PID 2120 wrote to memory of 2412	2120	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe	30
PID 2120 wrote to memory of 2412	2120	93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe	30

C:\Users\Admin\AppData\Local\Temp\93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe
"C:\Users\Admin\AppData\Local\Temp\93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\is-BRLJ0.tmp\93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BRLJ0.tmp\93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.tmp" /SL5="$400EC,935482,845824,C:\Users\Admin\AppData\Local\Temp\93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-BRLJ0.tmp\93ad4a14b2aab3499c81ea79ab7ad840ba59fe7746e0484b6ae01367e9ecda07.tmp

Filesize
3.2MB

MD5
5dae2656392207a3c3c64d7e426b94bf

SHA1
2241348b1cefd787c6dc408aa8ccacc31f24e2b4

SHA256
c6831b423ff035f87c92b6f8a013836153a7f1c789cd65ff59235d6981e0ff8d

SHA512
48f6f0d80270f2d8661e5da5fd7e5dae99b053d9681342a97e726c9aade906b53a7ad463fe9431c9a212e4bd451b9e65bf6160bc9a5204fc89bdd62debb90a6d

Download Submit
\Users\Admin\AppData\Local\Temp\is-2H5BL.tmp\idp.dll

Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/2120-14-0x0000000001020000-0x00000000010FC000-memory.dmp

Filesize
880KB

Download
memory/2120-2-0x0000000001021000-0x00000000010C9000-memory.dmp

Filesize
672KB

Download
memory/2120-0-0x0000000001020000-0x00000000010FC000-memory.dmp

Filesize
880KB

Download
memory/2412-18-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download
memory/2412-16-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2412-15-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download
memory/2412-8-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2412-20-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download
memory/2412-22-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download
memory/2412-24-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download
memory/2412-26-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download
memory/2412-28-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download
memory/2412-30-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download
memory/2412-32-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download
memory/2412-34-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download
memory/2412-36-0x00000000009D0000-0x0000000000D13000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing