b4a8c8b2a1e0fc7f526d176b18b4f24b9b72a430d7b337f0943bd06afc12710e

General

Target

3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
Size

78KB
MD5

3ccb4c53ebcc6db5b38ff12d401f84b0
SHA1

098f9412b85ea0c6f6391414a36de41ecc2ae4ca
SHA256

b4a8c8b2a1e0fc7f526d176b18b4f24b9b72a430d7b337f0943bd06afc12710e
SHA512

a2a076c3ad0f77d93f053eae5f9df2e0863faa95be41e2f0f3d172221fae5051f6dba4402120ee5d0d5aef50bf102253473de06bc0bf21f15dcee741554e04f4
SSDEEP

1536:XzHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLR9/ga1P:DHYI3ZAtWDDILJLovbicqOq3o+nLR9/J

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3ccb4c53ebcc6db5b38ff12d401f84b0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe

Executes dropped EXE 1 IoCs

Processes:

tmpA98E.tmp.exe

pid process

2172 tmpA98E.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2172	tmpA98E.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpA98E.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpA98E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3ccb4c53ebcc6db5b38ff12d401f84b0N.exetmpA98E.tmp.exe

description pid process

Token: SeDebugPrivilege 1500 3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
Token: SeDebugPrivilege 2172 tmpA98E.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1500	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
Token: SeDebugPrivilege	2172	tmpA98E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3ccb4c53ebcc6db5b38ff12d401f84b0N.exevbc.exe

description	pid	process	target process
PID 1500 wrote to memory of 3236	1500	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	vbc.exe
PID 1500 wrote to memory of 3236	1500	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	vbc.exe
PID 1500 wrote to memory of 3236	1500	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	vbc.exe
PID 3236 wrote to memory of 2536	3236	vbc.exe	cvtres.exe
PID 3236 wrote to memory of 2536	3236	vbc.exe	cvtres.exe
PID 3236 wrote to memory of 2536	3236	vbc.exe	cvtres.exe
PID 1500 wrote to memory of 2172	1500	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	tmpA98E.tmp.exe
PID 1500 wrote to memory of 2172	1500	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	tmpA98E.tmp.exe
PID 1500 wrote to memory of 2172	1500	3ccb4c53ebcc6db5b38ff12d401f84b0N.exe	tmpA98E.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
"C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xd-cunhx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc445A78E14CAF49D6B7EB65EBBDC0AFBB.TMP"
3⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ccb4c53ebcc6db5b38ff12d401f84b0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAA78.tmp
Filesize
1KB

MD5
cd02a4e9754ab6fd9fc1b7acbc017475

SHA1
f4a1f4227d357a6f8372a1d27d1586c880460aa3

SHA256
c40a709ee697181a3f2141f978eebecd8ec5cc3e6bf52050a2e3c610a1e0bbd3

SHA512
9f54124fef81b3d90b21d719eb5724a2612f6a10356b1cade659809f626fee7bcd1b62a24a21a811906d9be46ba9d5bf9747768411a7ad355a9bb22e4931b873

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA98E.tmp.exe
Filesize
78KB

MD5
91532500589d91fb2efa0dd8c9b575e3

SHA1
2f9dcb2abd1be8277952e8081d9be1bcdc2c6c09

SHA256
cd7232b2077eb4a2e473fe41562988b3f0216fe249bdd8fea4711fd88f5854ae

SHA512
861d477820aa00aa01fb1777f29ced1c1d57a9814283b08bb645f8c777c6640b40c542806b91043040900097a3a09cfb21f4201b9a8ce6b2561fa48eef807bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc445A78E14CAF49D6B7EB65EBBDC0AFBB.TMP
Filesize
660B

MD5
0d361ee7a5a6d722b546ce9ce3ea036f

SHA1
ed6afdd5ba1bb4859991caa69a058b16285660e2

SHA256
6c3efb0f0d058801ce1bfa76b71bbd4f15e964addf747a924da1c8792562b0fb

SHA512
db881c656840f9323f72f556c7589814f2fb3adcc4df43039feb3465a30a1a526ce12b68863c5883c04bcac3d5173849d3eef63068d36fb2b4d781948e7d26bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xd-cunhx.0.vb
Filesize
15KB

MD5
b27173e12b1f2b81c61a6f9c5f2de3fe

SHA1
e579b9bd9f57f312ee3bcda47329d0bf0c55f289

SHA256
d5ddeafb91971f440b76d24c407fc7cdc34df084a76335a2522484ba95e755a4

SHA512
e0a21c6608a3baf0a4dc02fc2d4e2af41efcd634912e696f14cc6340c8140551739e73083cf0625c32cba3ba8be4ba3a682062a3e657a4540b18245569b0154b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xd-cunhx.cmdline
Filesize
266B

MD5
e04c6334cf8af9a5b33eeb93e83de5c9

SHA1
a003ddca79c39ea3a85bea37a0b2a0e7e4e8f698

SHA256
439ab0b01c3d58d20053d8453920e2f540d076889e4abd56819abf38404ad180

SHA512
32ca69ead09b76c3d24db4a2dd4a69ccd65643214b78f974b2bd9fbd85c55f0aee71a7f7b08ba68680f61428d30501a4f0e30716836a5e884deed8d4a1a81be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1500-1-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1500-2-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/1500-0-0x0000000075422000-0x0000000075423000-memory.dmp

Filesize
4KB

Download
memory/1500-22-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-24-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-23-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-25-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-26-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-27-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-28-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/3236-9-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download
memory/3236-18-0x0000000075420000-0x00000000759D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads