28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6

General

Target

28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
Size

867KB
MD5

0bccde718d41454b4476821d90f93e30
SHA1

b2de54ec81c32cb01c5768d062c732ebb0ea713e
SHA256

28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6
SHA512

54f93d94aa287d139ca8338bcd47f3617c4076c144cd99fbeab57564a20350afedc0d954487d4112dda064872bcbfa736ac345bc07d3d80aac26f3cc8ea68748
SSDEEP

24576:lVD5evCXSzSpwIQuu5zyLt6tZ6RP3+PAx:UCXSzS6zyLtT+PAx

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe
1540	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1540	1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe	84
PID 1096 wrote to memory of 1540	1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe	84
PID 1096 wrote to memory of 1540	1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe	84
PID 1096 wrote to memory of 1540	1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe	84
PID 1096 wrote to memory of 1540	1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe	84
PID 1096 wrote to memory of 1540	1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe	84
PID 1096 wrote to memory of 1540	1096	28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe	84

C:\Users\Admin\AppData\Local\Temp\28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe
"C:\Users\Admin\AppData\Local\Temp\28093297dcb93c5647ca83e40ca24ab3bbbfae0779f70b70439fc208ea915bf6N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  -i
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\grv\ngais.krz

Filesize
6KB

MD5
e1f77d343f35a854125b882504353b36

SHA1
c87f426a141d0b8bd43d054f2ea93efaa7e73cca

SHA256
59427729a54748ca3cfed079182cfc0fab1cfae776d34e9670c42fcef5c592b6

SHA512
a1ed6bbc509c3bea2d119275b4df098dfc70c3bb4a9d27c1bcc19c8b0310dd91dc4e98abf508d282728969640fb28a43d7eceaa9102049254f7fbf2ab9e3ac08

Download Submit
C:\ProgramData\grv\vbfxcsd.efr

Filesize
850KB

MD5
acb1fc850c502ddf799b3e38bb5accbf

SHA1
65d9a272fe35d08225be5a207fadfc79aff3e89e

SHA256
47357600070fb7f832b5cb91a1da0e653eb5b5722118f258e227e98871e2d360

SHA512
53f55cc5441514e3a581813ba14b37b33e33f7b2f0297d7f5db3ed4ca615bd584eed8dd23d1008485f435ac9f80d2407c067478ae22e99b5acbdbd3de4f7856e

Download Submit
memory/1096-0-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1096-1-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1096-2-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1096-3-0x0000000000401000-0x00000000004D6000-memory.dmp

Filesize
852KB

Download
memory/1096-22-0x0000000000401000-0x00000000004D6000-memory.dmp

Filesize
852KB

Download
memory/1096-21-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1096-20-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1540-13-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-23-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-14-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-12-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-10-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-17-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-18-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-16-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-11-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-15-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-9-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-28-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-27-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-25-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-26-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-29-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-30-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-31-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/1540-32-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing