e11ca3cdc63aa37e12694d6b36a480f18c6b59aa6ab9267b64770c1d733c96c4

General

Target

100ce161e73da0a9d192ad21735ad239.exe
Size

78KB
MD5

100ce161e73da0a9d192ad21735ad239
SHA1

24bbb610639e6b5d2ae1be0ea64a59459d85e2d4
SHA256

e11ca3cdc63aa37e12694d6b36a480f18c6b59aa6ab9267b64770c1d733c96c4
SHA512

1817c0c2aae3e88822bbd7371432c0737fe83cdfed10ad4299471ee5e6716d00faa7af8a3a669154ae7cab038fa94a810f3907cec0c89285627f96c9b3825778
SSDEEP

1536:a5jS6LT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6n9/3Pp1p/:a5jSkE2EwR4uY41HyvYv9/3F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2568	tmp7DD.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2212	100ce161e73da0a9d192ad21735ad239.exe
2212	100ce161e73da0a9d192ad21735ad239.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp7DD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	100ce161e73da0a9d192ad21735ad239.exe
Token: SeDebugPrivilege	2568	tmp7DD.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2808	2212	100ce161e73da0a9d192ad21735ad239.exe	31
PID 2212 wrote to memory of 2808	2212	100ce161e73da0a9d192ad21735ad239.exe	31
PID 2212 wrote to memory of 2808	2212	100ce161e73da0a9d192ad21735ad239.exe	31
PID 2212 wrote to memory of 2808	2212	100ce161e73da0a9d192ad21735ad239.exe	31
PID 2808 wrote to memory of 2964	2808	vbc.exe	29
PID 2808 wrote to memory of 2964	2808	vbc.exe	29
PID 2808 wrote to memory of 2964	2808	vbc.exe	29
PID 2808 wrote to memory of 2964	2808	vbc.exe	29
PID 2212 wrote to memory of 2568	2212	100ce161e73da0a9d192ad21735ad239.exe	28
PID 2212 wrote to memory of 2568	2212	100ce161e73da0a9d192ad21735ad239.exe	28
PID 2212 wrote to memory of 2568	2212	100ce161e73da0a9d192ad21735ad239.exe	28
PID 2212 wrote to memory of 2568	2212	100ce161e73da0a9d192ad21735ad239.exe	28

C:\Users\Admin\AppData\Local\Temp\100ce161e73da0a9d192ad21735ad239.exe
"C:\Users\Admin\AppData\Local\Temp\100ce161e73da0a9d192ad21735ad239.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\tmp7DD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7DD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\100ce161e73da0a9d192ad21735ad239.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x0m2_hhy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85A.tmp"
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc85A.tmp

Filesize
660B

MD5
060ec329c39b4a9f15a016c8bde95d75

SHA1
b647f0bcca8480112ec78e5e9eba40e04f49c9ad

SHA256
ef8131d0318eb3f53090dc11f219f8dbdf075428502618d91b62a96b711c660d

SHA512
5ed158da66a22c6a2f804057f11f19073d22a2ac5e82d90f3b2aa860e5ec0dd7de6444fcfd53bab4a439947bc729ddfb96006ebe49f2d23dceba388b7cd763e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0m2_hhy.0.vb

Filesize
14KB

MD5
bdff03033cae0ed2e7e5b8a1acf4d0ba

SHA1
bf524eda9cad20633db9daf12bd8902994ce48f6

SHA256
706625aecb3657c9df5ddd95801c060e0de8d4c619b3b3bb1e2053e87b09c4db

SHA512
afbf4a8ac345bf8b8d1c346c0321c2dbec4204074df10c795c4c44b7847bce79b95e7541f8e2bbf93a580e120b956017dc586ce3a8af3a2e17c520fbbf276c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0m2_hhy.cmdline

Filesize
265B

MD5
3d3cc82f03a9c7100861476a75fdc557

SHA1
4ba803165ebbb07f9b072a628f6645b9a3338589

SHA256
13f86e655c3ff24ed7e457ed30f529d0762c1c38d0b56a758a07ca5960d5349b

SHA512
e562764f674f626d82c916d7d97261ec545042397ee0ded6cfa6428ae975e40536412e45546d2b03e02633459632eda36de623d375e0f9d974b64f264d0b134a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2212-23-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-0-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-3-0x0000000000830000-0x0000000000870000-memory.dmp

Filesize
256KB

Download
memory/2212-1-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-26-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-24-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-25-0x0000000002150000-0x0000000002190000-memory.dmp

Filesize
256KB

Download
memory/2568-28-0x0000000002150000-0x0000000002190000-memory.dmp

Filesize
256KB

Download
memory/2568-30-0x0000000002150000-0x0000000002190000-memory.dmp

Filesize
256KB

Download
memory/2568-29-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-8-0x0000000002340000-0x0000000002380000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads