7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a

General

Target

7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe
Size

78KB
MD5

0c8b2cd1bb80142c9d071078fe476919
SHA1

d70d60a43620815265dbd40bb4f308130c764c90
SHA256

7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a
SHA512

e901e8507699a5a3343789a1b9a592e7b36ced3d3ac5b307ca3315f9326e77200f55014f25dd8f521ebe94f907934407849d204c0a1078af9fc79fb4e5a559de
SSDEEP

1536:05jSVdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6X9/c1sw:05jSAn7N041Qqhgf9/Q

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2600	tmp7CBE.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe
3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp7CBE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe
Token: SeDebugPrivilege	2600	tmp7CBE.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2528	3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe	28
PID 3048 wrote to memory of 2528	3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe	28
PID 3048 wrote to memory of 2528	3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe	28
PID 3048 wrote to memory of 2528	3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe	28
PID 2528 wrote to memory of 2756	2528	vbc.exe	30
PID 2528 wrote to memory of 2756	2528	vbc.exe	30
PID 2528 wrote to memory of 2756	2528	vbc.exe	30
PID 2528 wrote to memory of 2756	2528	vbc.exe	30
PID 3048 wrote to memory of 2600	3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe	31
PID 3048 wrote to memory of 2600	3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe	31
PID 3048 wrote to memory of 2600	3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe	31
PID 3048 wrote to memory of 2600	3048	7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe	31

C:\Users\Admin\AppData\Local\Temp\7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe
"C:\Users\Admin\AppData\Local\Temp\7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rt-76cdb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EB2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7EB1.tmp"
    3⤵
    PID:2756
- C:\Users\Admin\AppData\Local\Temp\tmp7CBE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7CBE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7c5fcdc2c289b7938b8276a9cb0acef7376c2fde212744147f294fbea4126d0a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7EB2.tmp

Filesize
1KB

MD5
d2f473f798bc993f8c9261d071a1342b

SHA1
37408a598d831737ebcbb522068c81506f1db505

SHA256
7b690ae1cb158fdc91fca81ee43bdb73cf0fcdee87d7e2c034ffdfbb0758b89a

SHA512
1f2250085c4e0538de82f76213676c282c5c59fd7ac35378c58eab51852db7ebd34de7d8bc8a9c015b0e9785d63146a0ff383826d3260b5ff7e7b2281d06defc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rt-76cdb.0.vb

Filesize
14KB

MD5
29074cf40fb65222e1400d26a669b1b2

SHA1
17fb16d897a60432a45ff4925ad3ee85099af5e6

SHA256
d5393d12260c48180f861abfafec23cd7df094c2927196d495d614d523148a60

SHA512
1a718eeaac17a379cf3aff0bf1255a85b868311f307c3c350141f8bd81b7c57d86b104ff1d629ad08c8ac02e57374387f1a8552e095997a64d7e619c138288d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rt-76cdb.cmdline

Filesize
266B

MD5
bab3563c649a24af73bd3945f373f927

SHA1
f529f6aa73c203d017f56e4bba8e0ddaebf6a399

SHA256
95d36d9a21cb8eda603a3119776fa6c50686050be9677b095c9efd085f7f23b7

SHA512
7a685d8569b6a0d94bf61e90241f1ce1712d48f84e0c5b4977c5609aa9441a3159c438176bfa07f6aaf8f2b861a6f0337bfc31979c2ab9d9831a4fb8af58723b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CBE.tmp.exe

Filesize
78KB

MD5
f2db560c77b05b70a834edddae1bf9d8

SHA1
4620939a12e2c34bf0075dee8a385fe0aa7d4ebf

SHA256
a733c12bd06ff8fd57dfe1ffad10961211669eafbb1f82d8ec5e1820bcb006d3

SHA512
150adc2d91a1ade3654e8797775719dc12d302b6cf44ace36bb535b091d652d8255278e56325a4be62aaa1132461646ee21b0ab2a44d7e367091b5844de09a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7EB1.tmp

Filesize
660B

MD5
b8d388fb05cb647dced94e99fb131aca

SHA1
f4ce7479a6e48d360c4c39f4d53c29ee5b5c31c1

SHA256
e6f37e8054bcfa2d9867a3fb224df20e14a30625117264bc72496ea47c27e189

SHA512
f06e842b6cba83ae3f1b9cd0a5a90ce15959a9e613e3413d9a7b8ed4cf42b54e9057e18fb06c571c483eab0f6642f437db7fa357a72b445e6f3cb7e9cb5e04aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2528-8-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2600-25-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/2600-24-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-26-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-28-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/2600-30-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/2600-29-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-31-0x00000000001A0000-0x00000000001E0000-memory.dmp

Filesize
256KB

Download
memory/3048-0-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-1-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-2-0x0000000000A30000-0x0000000000A70000-memory.dmp

Filesize
256KB

Download
memory/3048-23-0x0000000074CD0000-0x000000007527B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads