0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588

General

Target

0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
Size

368KB
MD5

5134a1b30fd65a952f3365ca2b4f1577
SHA1

95341d54aa34697c3e8616996779d2cdd756ede3
SHA256

0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588
SHA512

76eb048462d0ebd2ea14dced7cba758cb68a3f824f54acef0b70fda9d5345275d2a6bb5e2c00a607d74dfe4eed68cdf2e8ea81b0dc02cea1b1aabd3e3f6b9cc4
SSDEEP

3072:t3FhJsebNVlW1NWgxLJOp6iJRejPoQKvHIbuduaqyuhjDxSIVbOfprMIYsMMgC6j:t3F3VoweHW0u8TDB4ty3hunu

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 1696	2364	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	30

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2364	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
2364	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2364	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
2364	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2364	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1696	2364	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	30
PID 2364 wrote to memory of 1696	2364	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	30
PID 2364 wrote to memory of 1696	2364	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	30
PID 2364 wrote to memory of 1696	2364	0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe	30

C:\Users\Admin\AppData\Local\Temp\0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
"C:\Users\Admin\AppData\Local\Temp\0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe
  "C:\Users\Admin\AppData\Local\Temp\0498eaf7f2c1195d859a1c6b71a96c2636059fa2647d7b6afab966574791a588.exe"
  2⤵
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\nas0.exe
    "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\nas0.exe
      "C:\Users\Admin\AppData\Local\Temp\nas0.exe"
      4⤵
      PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nas0.exe

Filesize
99KB

MD5
a612784145fedbbb600ae9867e595cf6

SHA1
021af773c854d7d55d8e0318a32bdf2316547df1

SHA256
fa40ba82c368719458be8deea0f2702871845a1c63c8c8f5348a324f5ffa6122

SHA512
5dc748fce472aa3a6001c41f180f205324cf4132bf43db5a54bc3d58c59494d08122a963b5ce64b7c9cfecebf348849ae962daa42723619b7269c1ac03fac84a

Download Submit
C:\Windows\win.ini

Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
\Users\Admin\AppData\Local\Temp\nas0.exe

Filesize
368KB

MD5
201e1a85d61cf808a89d74f2d2292f9c

SHA1
c32d442eefcb23a7067acde2180586ade908315b

SHA256
72f35bf8677ea65abd2c96d7b717558785baa277f293bbb8f43950e6f399b716

SHA512
339d74980e43db02c1c939b67cbd6d080e6a723b3ebe1a85313ceddb61f5f5b10f797868ce9eb19d9dbdf9a38838ac130e9500ad23ade47b13ccdec25e8595f5

Download Submit
memory/1696-14-0x0000000077600000-0x00000000777A9000-memory.dmp

Filesize
1.7MB

Download
memory/2364-2-0x0000000000510000-0x0000000000515000-memory.dmp

Filesize
20KB

Download
memory/2364-4-0x0000000077601000-0x0000000077702000-memory.dmp

Filesize
1.0MB

Download
memory/2364-5-0x0000000077600000-0x00000000777A9000-memory.dmp

Filesize
1.7MB

Download
memory/2364-13-0x00000000777F0000-0x00000000778C6000-memory.dmp

Filesize
856KB

Download
memory/2364-10-0x0000000000510000-0x0000000000515000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing