395fb8930edd7a8fe7d26546d4a6ec6a1b04dc80832751f48e834af97a00bf6f

General

Target

7f743bf03266282eddbe781afd0e49b0.exe
Size

78KB
MD5

7f743bf03266282eddbe781afd0e49b0
SHA1

b875eb4fdde070effa1d6c548690cbf88e11b0df
SHA256

395fb8930edd7a8fe7d26546d4a6ec6a1b04dc80832751f48e834af97a00bf6f
SHA512

3b4f252d6f229e30b68bb2735c3ac57956b7417aba0ac235358ab6e17764f7637ff6825bda126128b1d380b33df34784036d932fb355ea2740e467695f6c570b
SSDEEP

1536:+5tdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC679/I112e:+54n7N041Qqhgz9/Ih

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2808	tmp56D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	7f743bf03266282eddbe781afd0e49b0.exe
2364	7f743bf03266282eddbe781afd0e49b0.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp56D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	7f743bf03266282eddbe781afd0e49b0.exe
Token: SeDebugPrivilege	2808	tmp56D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2228	2364	7f743bf03266282eddbe781afd0e49b0.exe	29
PID 2364 wrote to memory of 2228	2364	7f743bf03266282eddbe781afd0e49b0.exe	29
PID 2364 wrote to memory of 2228	2364	7f743bf03266282eddbe781afd0e49b0.exe	29
PID 2364 wrote to memory of 2228	2364	7f743bf03266282eddbe781afd0e49b0.exe	29
PID 2228 wrote to memory of 1420	2228	vbc.exe	30
PID 2228 wrote to memory of 1420	2228	vbc.exe	30
PID 2228 wrote to memory of 1420	2228	vbc.exe	30
PID 2228 wrote to memory of 1420	2228	vbc.exe	30
PID 2364 wrote to memory of 2808	2364	7f743bf03266282eddbe781afd0e49b0.exe	31
PID 2364 wrote to memory of 2808	2364	7f743bf03266282eddbe781afd0e49b0.exe	31
PID 2364 wrote to memory of 2808	2364	7f743bf03266282eddbe781afd0e49b0.exe	31
PID 2364 wrote to memory of 2808	2364	7f743bf03266282eddbe781afd0e49b0.exe	31

C:\Users\Admin\AppData\Local\Temp\7f743bf03266282eddbe781afd0e49b0.exe
"C:\Users\Admin\AppData\Local\Temp\7f743bf03266282eddbe781afd0e49b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t_gwzmex.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5EA.tmp"
    3⤵
    PID:1420
- C:\Users\Admin\AppData\Local\Temp\tmp56D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp56D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7f743bf03266282eddbe781afd0e49b0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5EB.tmp

Filesize
1KB

MD5
0cb052013659b6bf0f34b38767133e7e

SHA1
dec2559d57c2d82e9b41b1c4978cb8af1bbb42c6

SHA256
8c327e5421d863fbf2aece0389b18ab0a7227550c2ca58cf543713268a3b452a

SHA512
cbe90fe79c946643f04b6cda44d8a4e6a78aebb6f0a7db3d717b51d902c6fc3e208b0404013fa5ad02155d5e25fd24eaf157e2faa9610bb3d6e8bb39c5122394

Download Submit
C:\Users\Admin\AppData\Local\Temp\t_gwzmex.0.vb

Filesize
14KB

MD5
baf871885328ef21f2a3cf02879a3ba1

SHA1
92a34b742be586d97cbedd2f5e066814c06e90e1

SHA256
86df40eef4b37fc647b5dd721cda6cfdbc1182c1e72b4fd9e1e8a031f1fe6026

SHA512
eb788ab9be5af5eac5e22cf1fbc389d76bac7fac3eb9d7bc1679c23b48586a12c2cfdbf11397ca6610304fb3fdfa19b550a15c9e056c6a1d44520909753e3664

Download Submit
C:\Users\Admin\AppData\Local\Temp\t_gwzmex.cmdline

Filesize
265B

MD5
a0d2072494f24c91ece354ae1d3e7b4f

SHA1
ccb351a49035559d43257bf3b3d136b959216b5c

SHA256
57b86a02177d9696917b6186af4e16a20d62622f14188e2b8df98db111f484f2

SHA512
181ca8257c624d06b5976d6756a44b78f716c699ae3274ef91a0cb7c687c41f1ecd35be441df8b356b9dcacf900268b7e22a59a50374cd01203a1f481b6e8b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56D.tmp.exe

Filesize
78KB

MD5
172d3142daa976a0d794fa0b500dd0a9

SHA1
2f1583746c6619e80ea7b36bc245107ccf8b513f

SHA256
e1571d0760b2cf852b8d6edb5bec9f63fdf7c0d073b37ac20ef62553df98d9e3

SHA512
f39f9a301c879f9f1bdc1196020639f24066777c84f602cbf5063a937f2476add33e9a00d9f5d26add59fd85aeabcb66f8f87c3101f490cd42039b734605d9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5EA.tmp

Filesize
660B

MD5
9cc7726b9464de67a2391d78c327f87f

SHA1
e75b329e9be7bb9c2976bbb4bc47d964c6d113cd

SHA256
de15ef17769c0d3c2bd0e9c7a783b0f67daea6c157cc859c47e7934823e2dd4e

SHA512
eb557e2284f10ce3e6af521e6437c48a1955d3f62fd420babdb41b02f513094e6f2a9714bc49380816085d8df3d3c46bead553184713ea69f955b986ad8b3d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2364-22-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-0-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-2-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/2364-1-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-23-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-25-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-24-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/2808-27-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/2808-28-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-29-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/2808-30-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads