85a35530eabc89c14ff95fb1ab1848c9749c4714bde250d3e798e77f211a627a

General

Target

ae210788bd768ba5045a507e693a8163.exe
Size

78KB
MD5

ae210788bd768ba5045a507e693a8163
SHA1

9023d28eee827c8cf87bca3aa68df61c0426a5ca
SHA256

85a35530eabc89c14ff95fb1ab1848c9749c4714bde250d3e798e77f211a627a
SHA512

1296f39c090d2f56ec192dbcb54b3a86ba953dc614dae97a096c70eae3d89b0b7e5d3999f460a3ddf74783ed661325f2dd8834dba1a4a1f11794826b53334d1f
SSDEEP

1536:dPWV58FXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC639/F1j5:dPWV58FSyRxvY3md+dWWZyP9/d

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	ae210788bd768ba5045a507e693a8163.exe

Executes dropped EXE 1 IoCs

pid	Process
4884	tmpA306.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpA306.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3852	ae210788bd768ba5045a507e693a8163.exe
Token: SeDebugPrivilege	4884	tmpA306.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 4028	3852	ae210788bd768ba5045a507e693a8163.exe	90
PID 3852 wrote to memory of 4028	3852	ae210788bd768ba5045a507e693a8163.exe	90
PID 3852 wrote to memory of 4028	3852	ae210788bd768ba5045a507e693a8163.exe	90
PID 4028 wrote to memory of 2612	4028	vbc.exe	92
PID 4028 wrote to memory of 2612	4028	vbc.exe	92
PID 4028 wrote to memory of 2612	4028	vbc.exe	92
PID 3852 wrote to memory of 4884	3852	ae210788bd768ba5045a507e693a8163.exe	93
PID 3852 wrote to memory of 4884	3852	ae210788bd768ba5045a507e693a8163.exe	93
PID 3852 wrote to memory of 4884	3852	ae210788bd768ba5045a507e693a8163.exe	93

C:\Users\Admin\AppData\Local\Temp\ae210788bd768ba5045a507e693a8163.exe
"C:\Users\Admin\AppData\Local\Temp\ae210788bd768ba5045a507e693a8163.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\088m62-1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA4FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc493C8225AA4E4DBE80BAD3C0E68782A.TMP"
    3⤵
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\tmpA306.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA306.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ae210788bd768ba5045a507e693a8163.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\088m62-1.0.vb

Filesize
14KB

MD5
46ae0a8a031aa619acab8eb4a34f8f73

SHA1
2421498bafb9f7aacbbe3bf3439f81cf31ffb186

SHA256
2ebbcccd49198001a6ddfb65de3c4e5448cbcc527bf130dc5da7284ca26f91ed

SHA512
1ebf3a34f7bfa9e4d0754e96df0ba19a1bc8655e23a8d1fcf4e24fa943cbf1984f674f9295481b29fd164bf3c2743c65ca3d39d732e0dbf9c143d8a21f09fa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\088m62-1.cmdline

Filesize
266B

MD5
998abc949715c7107014a5f19278b404

SHA1
3cbdab786cfe0942b589378bb6bd67271304eb53

SHA256
34daf7427e450f1c7a02226bd44bb2535c0288d8c9e528fbdf0ea980e1e057be

SHA512
a8c98342a3aa728a73ea43f840a9e2b084d73a56d2ab68f9e4b41a77ef3942375672d037758f7da8f22f01d9d93e5c35ef1f5b52db6fa69a2f212c1c45c59396

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA4FA.tmp

Filesize
1KB

MD5
69d4fe038ca5b8a02a00e775e3b94636

SHA1
27a88e2ba68557f232b16a20c22a02b6d44cb6ee

SHA256
97fa1530e492f0f6ee714a6612efe319d55d3dc473a3cd60bb59fd6080706194

SHA512
93ac458f86cc92d60ae74b39fc0506e2e4af0c435919ea4cef24c685bd18e0ca62663976aa434aa9041def1d28567001c4cd985abc1c5cb98ddfc84b61e594b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA306.tmp.exe

Filesize
78KB

MD5
85daeda14948d420b54cd05283eefab0

SHA1
d6efc804740dec048515499f029d1feb7af88fd6

SHA256
70ac562e8e4858fca9b6408a42db6a8fa0cdcb5b7ac4044074e92ec1e02742f6

SHA512
5c6a1d9da2805bf3c5b4f844582a96b746978840d3f81f8a42409cd67a81710f81f85919df853220f1bee1d6dae14fc046b3696c375fe3e6f198bde084f89ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc493C8225AA4E4DBE80BAD3C0E68782A.TMP

Filesize
660B

MD5
085d4d4e68b3c2475a5fc3625158dda2

SHA1
4765665d4ac86dd27af221dbfd614c154f36b7ee

SHA256
e47ab22137d201cb1fd06c72f4c6d97ab250f66ee9ed608233e8ed3a2ecf5e12

SHA512
cc996acdb3fcdf64b664a2e626b9d3f67c905e4e01f4af194a0a6a000bac5569bb6a44a305ac138fcf643a17931a526a23268abf9846e2f5b0af176ad305a2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/3852-21-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3852-1-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/3852-2-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/3852-0-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4028-8-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/4884-22-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-23-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/4884-24-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-26-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/4884-27-0x00000000748F0000-0x0000000074EA1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-28-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download
memory/4884-29-0x0000000001650000-0x0000000001660000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads