97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a

General

Target

97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Size

576KB
MD5

474cb2f66478f9fbcc9265aa1b1e688e
SHA1

89c8bc9f3e577e4e2c491624c9d464a7fa17e549
SHA256

97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a
SHA512

311b71f672fbb2bf37a08b1b4b2da14311ce0e6a3e564d19c99ce85f8a65ab61df3307f459a34c077289bba23fdfb08e12aec06ede100a51084b2abbfff9f253
SSDEEP

12288:3R+lB7X/h6XFRbf0ez0npM4dl0v5Jdm5IpXt1U:36Ph6XFRbf0ezEM4dmv5BJtO

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2720	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Loads dropped DLL 1 IoCs

pid	Process
1552	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1552	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2720	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2720	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2720	1552	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe	30
PID 1552 wrote to memory of 2720	1552	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe	30
PID 1552 wrote to memory of 2720	1552	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe	30
PID 1552 wrote to memory of 2720	1552	97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe	30

C:\Users\Admin\AppData\Local\Temp\97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
"C:\Users\Admin\AppData\Local\Temp\97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
  C:\Users\Admin\AppData\Local\Temp\97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\97a47d233eb45151f4bad8172f2c905e12a9ac7f8c5e0d2e968e584e0a5c0a1a.exe

Filesize
576KB

MD5
f2e535b4fe1a411235282e2c700a92fb

SHA1
40d6381bdbdc9f82b190a715f5d4a29a20a0ec2a

SHA256
87e77439085f231d3f25b1a29fea884ff9a040b1bc6a7653df6b41e4877bd259

SHA512
0fb0d1f9aff87d1383f28fc87583a7392dbb7644c7bf1ef849a6c0fcb6b08c59b2c00d7610b9262b840ac60645bb1f7bc2254b4f82e11f402a55f57de9a0414f

Download Submit
memory/1552-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1552-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-11-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2720-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2720-17-0x0000000005E60000-0x0000000005E62000-memory.dmp

Filesize
8KB

Download
memory/2720-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing