4c21c4d48f38514250f9ab644a968431894c36098a3ae8f04199b24b1bf6b4a5

General

Target

0e7d09487bc7f85b0684d1ed730314ee.exe
Size

78KB
MD5

0e7d09487bc7f85b0684d1ed730314ee
SHA1

520f6d6981d4733a25501be9a5b70de84058ebfe
SHA256

4c21c4d48f38514250f9ab644a968431894c36098a3ae8f04199b24b1bf6b4a5
SHA512

1922f2efbd35a9a3c566222fb6d3d6fd21e1912e05a5e81e5a83e66dd31bae11e78d06b16b05455995a089758877e498fd296a3663cda32a4facd560be1f2cee
SSDEEP

1536:5e58LLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6U9/TG14e:5e583E2EwR4uY41HyvYM9/T4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2100	tmp54E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	0e7d09487bc7f85b0684d1ed730314ee.exe
2208	0e7d09487bc7f85b0684d1ed730314ee.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp54E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	0e7d09487bc7f85b0684d1ed730314ee.exe
Token: SeDebugPrivilege	2100	tmp54E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2988	2208	0e7d09487bc7f85b0684d1ed730314ee.exe	28
PID 2208 wrote to memory of 2988	2208	0e7d09487bc7f85b0684d1ed730314ee.exe	28
PID 2208 wrote to memory of 2988	2208	0e7d09487bc7f85b0684d1ed730314ee.exe	28
PID 2208 wrote to memory of 2988	2208	0e7d09487bc7f85b0684d1ed730314ee.exe	28
PID 2988 wrote to memory of 772	2988	vbc.exe	30
PID 2988 wrote to memory of 772	2988	vbc.exe	30
PID 2988 wrote to memory of 772	2988	vbc.exe	30
PID 2988 wrote to memory of 772	2988	vbc.exe	30
PID 2208 wrote to memory of 2100	2208	0e7d09487bc7f85b0684d1ed730314ee.exe	31
PID 2208 wrote to memory of 2100	2208	0e7d09487bc7f85b0684d1ed730314ee.exe	31
PID 2208 wrote to memory of 2100	2208	0e7d09487bc7f85b0684d1ed730314ee.exe	31
PID 2208 wrote to memory of 2100	2208	0e7d09487bc7f85b0684d1ed730314ee.exe	31

C:\Users\Admin\AppData\Local\Temp\0e7d09487bc7f85b0684d1ed730314ee.exe
"C:\Users\Admin\AppData\Local\Temp\0e7d09487bc7f85b0684d1ed730314ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oxn_19xs.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5CB.tmp"
    3⤵
    PID:772
- C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0e7d09487bc7f85b0684d1ed730314ee.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5CC.tmp

Filesize
1KB

MD5
7d286fe036b566d3cd01111f64303366

SHA1
10ace7fec319b5fcf9fcc797d7510c209fdd8aed

SHA256
fb698f1e9a1da33ab4b59ee62d2b09b9d3c83138ffc6c90472e76e73fc829017

SHA512
db8147d5ae3bb09b313da12103c3108a7b469c2b06c4fa21ea4a8d32a7c072873bbb0ead3546074b6aa0c7c286a97eaaf0512ead4f314cd2f3f259a62dd9ac19

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxn_19xs.0.vb

Filesize
14KB

MD5
ba0646a00c1b0ce5d6d3ce69f87f22f2

SHA1
04142d7793312e4bb10059890ad25f668998e243

SHA256
b5e869d72ffb62ca32dd6bd66c901ac6243e059446e437153e0c74008c904018

SHA512
5ec8ad77b691b212fc73380660139f6fb8fe3d2cb3f4dfaa41e8a0a5322b455083e75481d9624004c20c44890836212f2d465a25192c7bf2dd2a44ee52773eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxn_19xs.cmdline

Filesize
265B

MD5
e3473aef97b0697189ac4f99f4c5e43c

SHA1
98efe1220146d605e7d2c55e66bab1dec91ed2dd

SHA256
db28ef1068a2c38ad738391bc7c28e187ae9200244a2e144921b4eadd703478e

SHA512
40d349f1037dafd046cdec79935a4d78cb33017a7f84c983c8c3ea012f81fc2e468ab5e26b744a6ff7b1dc68738b1270d6fc9b623ca1291eb8ac3b4c3d6b7b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe

Filesize
78KB

MD5
88c04dbf4d2ef8b47fc32ad1d8f2e840

SHA1
9b816bc9c067385e4cc05a9273a94930934f39e8

SHA256
67b27979f77b529f4c3bd17d7fb8ac3184caa3ca56523755778776d5ede1da84

SHA512
5d6f9f3210ac05f05ed248a57fd498a76b8b63a151bb7ecc7d12bffc31ae0f99722270d33d2439fb2f97a9796d90c23f5080db14c6fb7a2b7088423ceb428967

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5CB.tmp

Filesize
660B

MD5
e7a91f98d4e6da0a16a4b9261e29cb91

SHA1
3337d3035764d0c0672db988ea9e84fd15aee403

SHA256
218ff786e6fb112e560af6761feeecece7b3bc90a4dca250e3efacb6476c9f0b

SHA512
bf7bbd1ba02111ba332597d5be1fc5012ed85fa8b17c8af71378b826b918172e76b4c280617a4188eb01eef77b0489878d09493ca932a5a8d2a2632151819de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2100-27-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2100-25-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2100-24-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2100-23-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2100-28-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2100-29-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2100-30-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/2208-1-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2208-0-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2208-22-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2208-2-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads