7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3

General

Target

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
Size

78KB
MD5

92147390866e992d61c2e53fa1dbf232
SHA1

98aaa505c71acb3ff181ff0e12614d5d9cf9847b
SHA256

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3
SHA512

125ac3c5aedeb846589e3fdd37a7bebe55a846da5cf3c3d8f6033c752e7d037a343a1260885f54e720c18192a689a709ae8146496f01c91c19bec6f68d5f19c1
SSDEEP

1536:uWV58gdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6P9/J1ol:uWV58vn7N041Qqhg39/M

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe

Deletes itself 1 IoCs

Processes:

tmp5A84.tmp.exe

pid process

4728 tmp5A84.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp5A84.tmp.exe

pid process

4728 tmp5A84.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4728	tmp5A84.tmp.exe

pid	process
4728	tmp5A84.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp5A84.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp5A84.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exevbc.execvtres.exetmp5A84.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5A84.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exetmp5A84.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3988	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
Token: SeDebugPrivilege	4728	tmp5A84.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exevbc.exe

description	pid	process	target process
PID 3988 wrote to memory of 376	3988	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	vbc.exe
PID 3988 wrote to memory of 376	3988	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	vbc.exe
PID 3988 wrote to memory of 376	3988	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	vbc.exe
PID 376 wrote to memory of 1564	376	vbc.exe	cvtres.exe
PID 376 wrote to memory of 1564	376	vbc.exe	cvtres.exe
PID 376 wrote to memory of 1564	376	vbc.exe	cvtres.exe
PID 3988 wrote to memory of 4728	3988	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	tmp5A84.tmp.exe
PID 3988 wrote to memory of 4728	3988	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	tmp5A84.tmp.exe
PID 3988 wrote to memory of 4728	3988	7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe	tmp5A84.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
"C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\of-75pfl.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B8D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32C905F9B81E4E68A3303B2A267EFE7A.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:1564

C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7937748848a04534077dd7c699fa865d1873fb71425b49c3f50b581d1e62b2c3.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5B8D.tmp
Filesize
1KB

MD5
5e349ee72b8e2bff1cb1353d2e5fffd7

SHA1
ada3a92b36290e1966312ac49f202da416639a8b

SHA256
4e8eca45d64aaa533b7aaea43d4c8dfdb44322a0023970866247ec96b8dd459c

SHA512
ba6549e10b514d5e99189ba379e93303b90fed9de65f657f8117ff04b8023ea503bfc8101eb96ca50b0b45617b0a70bb41d6753309322a5b948d37224ea493cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\of-75pfl.0.vb
Filesize
14KB

MD5
b0b53eb89254d18e1679d53e3035f764

SHA1
41c531986e0eba09c6f2a8aa194926aeb17db4cb

SHA256
0be85d9313ed85f492a588f932fbd81e3d7246f81757911f5a06863de1c43b95

SHA512
e2599802ac8329f803289ff46e11cfb61aad90196b2dcee24f001bed8cb5c4fd953a59bc11dff943e826a05a301be32b8bbf322475f7c5f5a9f7523a65845d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\of-75pfl.cmdline
Filesize
266B

MD5
c58fb908e3f5ab9c16e3396959337b4c

SHA1
314056405ae869d77b43076dd305010475ecfe52

SHA256
d50d206c02c1a8bb68b920019b680a1cd772b542427525aa820b9e0de4555b73

SHA512
93b9ee04cc29fa09c632307fbfe4fcece44aad46229b0ea1ad42386506efb6aaf816b8f149d20d3db7a564566c951603f2d38f41ab2c68b1034b4aae01e8656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A84.tmp.exe
Filesize
78KB

MD5
90aa16d0df9ea6ec9395097d34a936ba

SHA1
53674d1856c9a98f527e547d6a2a335698b7284e

SHA256
31141c17f316cbb3a8cdad55e7b538d93714224d6211c508717c734ccba87e60

SHA512
eb048a303ff596cf03270bac2740503a62c5b8a7fe1250163bb24ffc76c999acc321ed84fda25359600df388783bd41904dfca78d873f256ed1aa1695e6152e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc32C905F9B81E4E68A3303B2A267EFE7A.TMP
Filesize
660B

MD5
f006ace099716b21cc1e7957d967c47d

SHA1
115863fb7afef6eb7bd4be3196b169323bfb224d

SHA256
2f61d508982fc4846334ecd9347204900c9e4042d796ac4e4da9387de99829c8

SHA512
14d79fff9d8178887b117086cfaab83713550df430d58f47c29b7b6694558abafff2933e3789528f6fbe6b83ec93d0668dfb481981d370cbbf5c27baf1a25ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/376-9-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/376-18-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/3988-0-0x0000000074B52000-0x0000000074B53000-memory.dmp

Filesize
4KB

Download
memory/3988-2-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/3988-1-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/3988-22-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4728-24-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4728-23-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4728-26-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4728-27-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download
memory/4728-28-0x0000000074B50000-0x0000000075101000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads