40d37906b8782bc84a4d77e2b590e7c02e36a4d96a008ba5a5c00394f9ccfc25

General

Target

7df5205b0ecf24202a81a382894c317a.exe
Size

78KB
MD5

7df5205b0ecf24202a81a382894c317a
SHA1

ed65848baa28435dd4cd6ea5d0795ddbfc0e1598
SHA256

40d37906b8782bc84a4d77e2b590e7c02e36a4d96a008ba5a5c00394f9ccfc25
SHA512

4a962fb6c8ce462d069191ebe1fd06bca8a542dded4cb004388bcc71592277b85eb8c61f4b4a0e36ac39f6af49e3c07db33e1d8a658dc0caf72d22e6f6ac743d
SSDEEP

1536:UV5Sdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt96s9/s1Kg:UV5Nn7N041Qqhg79/y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2148	tmpA7C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2212	7df5205b0ecf24202a81a382894c317a.exe
2212	7df5205b0ecf24202a81a382894c317a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpA7C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	7df5205b0ecf24202a81a382894c317a.exe
Token: SeDebugPrivilege	2148	tmpA7C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1976	2212	7df5205b0ecf24202a81a382894c317a.exe	19
PID 2212 wrote to memory of 1976	2212	7df5205b0ecf24202a81a382894c317a.exe	19
PID 2212 wrote to memory of 1976	2212	7df5205b0ecf24202a81a382894c317a.exe	19
PID 2212 wrote to memory of 1976	2212	7df5205b0ecf24202a81a382894c317a.exe	19
PID 1976 wrote to memory of 2772	1976	vbc.exe	23
PID 1976 wrote to memory of 2772	1976	vbc.exe	23
PID 1976 wrote to memory of 2772	1976	vbc.exe	23
PID 1976 wrote to memory of 2772	1976	vbc.exe	23
PID 2212 wrote to memory of 2148	2212	7df5205b0ecf24202a81a382894c317a.exe	24
PID 2212 wrote to memory of 2148	2212	7df5205b0ecf24202a81a382894c317a.exe	24
PID 2212 wrote to memory of 2148	2212	7df5205b0ecf24202a81a382894c317a.exe	24
PID 2212 wrote to memory of 2148	2212	7df5205b0ecf24202a81a382894c317a.exe	24

C:\Users\Admin\AppData\Local\Temp\7df5205b0ecf24202a81a382894c317a.exe
"C:\Users\Admin\AppData\Local\Temp\7df5205b0ecf24202a81a382894c317a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yiu-zxxo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAE9.tmp"
    3⤵
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\tmpA7C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA7C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7df5205b0ecf24202a81a382894c317a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAEA.tmp

Filesize
1KB

MD5
086e39841584ce276e367187e8512b8b

SHA1
33ec7a51c9918702e555ec5fbff5ebd8a3c69e78

SHA256
bf41cc7590645de242aa2bba898b7f21fc557f69d7fd28003db9a73b34d22041

SHA512
1dfb8c20c37d45852a12261da91d1ad237b793ac81d9327c4747041867814b667b7b5ce8df867d2d90a1f50651ec16484e8f0661777abe503ae51b49eb37d3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7C.tmp.exe

Filesize
78KB

MD5
cfac43089bb287ec9f79bf073edcda98

SHA1
fad2bd43c4ff2dd33bb94837326f60aacaa2b9f6

SHA256
3823419f35d5358bac9549241cb0aaeb88ff8cf0d6bd5f485e266f096747e9b6

SHA512
873cf7d73d37a0f59f8ac48be935be44a17cf5f6824dd4c38269abc9ae66aedf6884ddf3a90178cf2683be48766334ac9bd6b469e6df2cb6d269e637cda19f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAE9.tmp

Filesize
660B

MD5
f0cc121ad3747c4905926ac3b407df45

SHA1
6e84a84dbfa37afd61f3a0b5b50a3a47fa0c0c58

SHA256
e0db93ce3f0d01de6568fbfd3a7d38559b02d6e0d03856ac8a947c97e8ea7e05

SHA512
e69951ef774e7377dadb220eaebec5452497ee65bad6445ffec804d3c2bcbf9b3a9aea2edf16ee1f8904dc36c8b7b6c17a99848bdd3b50f3368b00e86ca30aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiu-zxxo.0.vb

Filesize
14KB

MD5
4e48589637fc51c40aa73031e618183c

SHA1
88525377ae26de1370733f26516888a79b45985a

SHA256
086549904486ffde534edbcd3f8eacfa8d8eeb305da1f19f8a61ed1e2d9bf6d7

SHA512
3cfe2ec6faf19f09d2c8d1e347d181d2550a8c067bb45a6b1c0776094391f9c2a0445d6cbae6b00bc141861d2e0db3c19f3f45e7ac3275c3b29fe202f5a50532

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiu-zxxo.cmdline

Filesize
265B

MD5
14b5d407723cc86ed056e77432554a54

SHA1
60901539e166699c11beca31cf591f5ebfad9d5d

SHA256
98237a1307105314838cf2947ac6256d9f55978984aeea9b9d94029f0a1655e1

SHA512
1dc41462e594c8532fbf4f82dbd346b008f5d4f7b40d1f1b7da76b55218214fababdaa5c4af1a8089ccf393dc17ee0b7c62208a2ab939958b62cea80084f9822

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1976-8-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/2148-26-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2148-25-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2148-24-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2148-28-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2148-30-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2148-29-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2148-31-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2212-1-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2212-23-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-0-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-2-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads