c420039639d20ed199f2250f5a8131bfff9f2b2fa44af8cd8472b325b48f40f2

General

Target

c420039639d20ed199f2250f5a8131bfff9f2b2fa44af8cd8472b325b48f40f2.exe
Size

4.0MB
MD5

30aec56f64242ad6ed72f1f6a89bb627
SHA1

b29dcd847655ceaa1e81aec7de599233e342c30c
SHA256

c420039639d20ed199f2250f5a8131bfff9f2b2fa44af8cd8472b325b48f40f2
SHA512

2aa1030f5759945a58cf433d6d9d4e55ec8357167bd49d95049b5395a6075a21c385e4c59a63660ba75ae03626b726045ec7b2eef05be235c691c2adb8aa1cc5
SSDEEP

98304:jd6L0SvtWKyeH9P3gh9vgAfJyqzZb+PH18VEZHP2x7e:x6L0Svt4EP3gh9vgigqzZbHVmHc7e

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1732	is-BB5UB.tmp
3592	VResource.exe
1852	VResource.exe

Loads dropped DLL 3 IoCs

pid	Process
1732	is-BB5UB.tmp
1732	is-BB5UB.tmp
1732	is-BB5UB.tmp

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	217.23.6.51
Destination IP	217.23.9.168
Destination IP	51.159.66.125
Destination IP	37.187.122.227
Destination IP	151.80.38.159

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VResource\Lang\is-V0UOM.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Plugins\is-4QIKM.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\is-ABAVD.tmp	is-BB5UB.tmp
File opened for modification	C:\Program Files (x86)\VResource\VResource.exe	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-EHO9B.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Online\is-9CK12.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Plugins\is-7QDI2.tmp	is-BB5UB.tmp
File opened for modification	C:\Program Files (x86)\VResource\unins000.dat	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\unins000.dat	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-38SA7.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-MJTLP.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Plugins\is-HL84Q.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-QQ9AT.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-DHBNE.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-LQ2UU.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-S1O3L.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-AE7C9.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Plugins\is-J2SK6.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-1M5KO.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-B1N9K.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-LRPS7.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\is-O5627.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-5NSL0.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-KCR1J.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-LNNOQ.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-QMFHS.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Online\is-KSJ7H.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Help\is-RURN2.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-FC3LP.tmp	is-BB5UB.tmp
File created	C:\Program Files (x86)\VResource\Lang\is-CIR76.tmp	is-BB5UB.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 1732	4436	c420039639d20ed199f2250f5a8131bfff9f2b2fa44af8cd8472b325b48f40f2.exe	90
PID 4436 wrote to memory of 1732	4436	c420039639d20ed199f2250f5a8131bfff9f2b2fa44af8cd8472b325b48f40f2.exe	90
PID 4436 wrote to memory of 1732	4436	c420039639d20ed199f2250f5a8131bfff9f2b2fa44af8cd8472b325b48f40f2.exe	90
PID 1732 wrote to memory of 3328	1732	is-BB5UB.tmp	92
PID 1732 wrote to memory of 3328	1732	is-BB5UB.tmp	92
PID 1732 wrote to memory of 3328	1732	is-BB5UB.tmp	92
PID 1732 wrote to memory of 3592	1732	is-BB5UB.tmp	94
PID 1732 wrote to memory of 3592	1732	is-BB5UB.tmp	94
PID 1732 wrote to memory of 3592	1732	is-BB5UB.tmp	94
PID 3328 wrote to memory of 3380	3328	net.exe	95
PID 3328 wrote to memory of 3380	3328	net.exe	95
PID 3328 wrote to memory of 3380	3328	net.exe	95
PID 1732 wrote to memory of 1852	1732	is-BB5UB.tmp	96
PID 1732 wrote to memory of 1852	1732	is-BB5UB.tmp	96
PID 1732 wrote to memory of 1852	1732	is-BB5UB.tmp	96

C:\Users\Admin\AppData\Local\Temp\c420039639d20ed199f2250f5a8131bfff9f2b2fa44af8cd8472b325b48f40f2.exe
"C:\Users\Admin\AppData\Local\Temp\c420039639d20ed199f2250f5a8131bfff9f2b2fa44af8cd8472b325b48f40f2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Users\Admin\AppData\Local\Temp\is-37QIU.tmp\is-BB5UB.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-37QIU.tmp\is-BB5UB.tmp" /SL4 $90090 "C:\Users\Admin\AppData\Local\Temp\c420039639d20ed199f2250f5a8131bfff9f2b2fa44af8cd8472b325b48f40f2.exe" 3846675 146432
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 6
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 6
      4⤵
      PID:3380
- - C:\Program Files (x86)\VResource\VResource.exe
    "C:\Program Files (x86)\VResource\VResource.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3592
- - C:\Program Files (x86)\VResource\VResource.exe
    "C:\Program Files (x86)\VResource\VResource.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VResource\VResource.exe

Filesize
2.0MB

MD5
6897be111971ca604343fdd030e1af87

SHA1
eb55a7d0afb543961bfb27147d0969bbcf8cb80a

SHA256
0c5960241693e0f5e10a189db324ca89c1555eaae8e3f1ba8297b787354fc10d

SHA512
b32a370dec0473d9a70c754609a526673ce9de1d43f513f92ef8351bd2324caae31b187bed5777b8037c11cdc44cc6e46803b5b4877275b5563ea0f4067ea28b

Download Submit
C:\Program Files (x86)\VResource\VResource.exe

Filesize
2.0MB

MD5
6897be111971ca604343fdd030e1af87

SHA1
eb55a7d0afb543961bfb27147d0969bbcf8cb80a

SHA256
0c5960241693e0f5e10a189db324ca89c1555eaae8e3f1ba8297b787354fc10d

SHA512
b32a370dec0473d9a70c754609a526673ce9de1d43f513f92ef8351bd2324caae31b187bed5777b8037c11cdc44cc6e46803b5b4877275b5563ea0f4067ea28b

Download Submit
C:\Program Files (x86)\VResource\VResource.exe

Filesize
2.0MB

MD5
6897be111971ca604343fdd030e1af87

SHA1
eb55a7d0afb543961bfb27147d0969bbcf8cb80a

SHA256
0c5960241693e0f5e10a189db324ca89c1555eaae8e3f1ba8297b787354fc10d

SHA512
b32a370dec0473d9a70c754609a526673ce9de1d43f513f92ef8351bd2324caae31b187bed5777b8037c11cdc44cc6e46803b5b4877275b5563ea0f4067ea28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-37QIU.tmp\is-BB5UB.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-37QIU.tmp\is-BB5UB.tmp

Filesize
643KB

MD5
a991510c12f20ccf8a5231a32a7958c3

SHA1
122724d1a4fdea39af3aa427e4941158d7e91dfa

SHA256
0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

SHA512
8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRRD5.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRRD5.tmp\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BRRD5.tmp\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
memory/1732-93-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1732-7-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1732-91-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1852-98-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-122-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-137-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-87-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-89-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-134-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-131-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-107-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-94-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-95-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-125-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-101-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-110-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-128-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-104-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-111-0x0000000000710000-0x00000000007BA000-memory.dmp

Filesize
680KB

Download
memory/1852-115-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/1852-116-0x0000000000710000-0x00000000007BA000-memory.dmp

Filesize
680KB

Download
memory/1852-119-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/3592-84-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/3592-80-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/3592-82-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/3592-85-0x0000000000400000-0x00000000005FA000-memory.dmp

Filesize
2.0MB

Download
memory/4436-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4436-90-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing