f9c80082fbf214dd44ef0577fc1d08ba64b8248daca56966561fd09345cb95aa

General

Target

17476bf322467a2315505fc104781270N.exe
Size

78KB
MD5

17476bf322467a2315505fc104781270
SHA1

712f9be5b57aa50618eb87fb1ed0768707666eb9
SHA256

f9c80082fbf214dd44ef0577fc1d08ba64b8248daca56966561fd09345cb95aa
SHA512

4dc9fab650f6b863d2551e5ec2030e559af0185debd2d3282e3bd171ad201c119610e00fc22c2b9ad911374cf4f341d26d7a81906c2d185047dc96170af37899
SSDEEP

1536:fRWV5jiLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6Y9/m91lW:fRWV5jsE2EwR4uY41HyvYg9/mY

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp69BB.tmp.exe

pid process

2588 tmp69BB.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

17476bf322467a2315505fc104781270N.exe

pid process

2824 17476bf322467a2315505fc104781270N.exe
2824 17476bf322467a2315505fc104781270N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2588	tmp69BB.tmp.exe

pid	process
2824	17476bf322467a2315505fc104781270N.exe
2824	17476bf322467a2315505fc104781270N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp69BB.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp69BB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

17476bf322467a2315505fc104781270N.exevbc.execvtres.exetmp69BB.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17476bf322467a2315505fc104781270N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp69BB.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

17476bf322467a2315505fc104781270N.exetmp69BB.tmp.exe

description pid process

Token: SeDebugPrivilege 2824 17476bf322467a2315505fc104781270N.exe
Token: SeDebugPrivilege 2588 tmp69BB.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2824	17476bf322467a2315505fc104781270N.exe
Token: SeDebugPrivilege	2588	tmp69BB.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

17476bf322467a2315505fc104781270N.exevbc.exe

description	pid	process	target process
PID 2824 wrote to memory of 2176	2824	17476bf322467a2315505fc104781270N.exe	vbc.exe
PID 2824 wrote to memory of 2176	2824	17476bf322467a2315505fc104781270N.exe	vbc.exe
PID 2824 wrote to memory of 2176	2824	17476bf322467a2315505fc104781270N.exe	vbc.exe
PID 2824 wrote to memory of 2176	2824	17476bf322467a2315505fc104781270N.exe	vbc.exe
PID 2176 wrote to memory of 2220	2176	vbc.exe	cvtres.exe
PID 2176 wrote to memory of 2220	2176	vbc.exe	cvtres.exe
PID 2176 wrote to memory of 2220	2176	vbc.exe	cvtres.exe
PID 2176 wrote to memory of 2220	2176	vbc.exe	cvtres.exe
PID 2824 wrote to memory of 2588	2824	17476bf322467a2315505fc104781270N.exe	tmp69BB.tmp.exe
PID 2824 wrote to memory of 2588	2824	17476bf322467a2315505fc104781270N.exe	tmp69BB.tmp.exe
PID 2824 wrote to memory of 2588	2824	17476bf322467a2315505fc104781270N.exe	tmp69BB.tmp.exe
PID 2824 wrote to memory of 2588	2824	17476bf322467a2315505fc104781270N.exe	tmp69BB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe
"C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y5nmzoi-.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B80.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B7F.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2220

C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\17476bf322467a2315505fc104781270N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6B80.tmp
Filesize
1KB

MD5
ed6980a3348d9ddcbfa1dadc72c0d5aa

SHA1
92c3630f4fb5246809d6d38a16a87c0349f91c3c

SHA256
8e1da166858e7982c76fec4b94c2a7355c1b13eebc626ce8227ca27f9f987bfa

SHA512
11b5c4a2fbc3bfb68d97f30c2ccab0443ad73908ee5e87d578257840a9e0391724482b88500beaae43e141aa9e7cf7baa54223f642ab8022bfedb7025d77b1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp69BB.tmp.exe
Filesize
78KB

MD5
096e3ca4d00abbed9aaf049c91d7ceb0

SHA1
658f6bdbd8919c19aed754df2660e0851570fac9

SHA256
ba8834a8e28faf2c9a114682cf86fef11073ce21513e27fe85ca35ec5cc323b1

SHA512
5fbef2ed1ca8d1b088e313d923ca95f9c2066ac3d76d4421cf1839b406460bf81f17263fa2e8159d2acd1b66b8b73267e8f2650cb7c397d21cd76e8cc9ba1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6B7F.tmp
Filesize
660B

MD5
4ca94ff9c6ba86d43be190a2b8f837f2

SHA1
0d74dcb859251f313a40896ae046cd465c708503

SHA256
40786640f4a525248caed621c7795546c6901e6e8c9e27ba6419ab8b8f596b48

SHA512
af0a5a3bae4ff67c1b3ba6731b6602e8125f8eba7b91a73acee57906a2fcadef09cab7ae8fde9f59b70fc9b32a1ede465394b6618a26f8f65958fb9d529d3b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\y5nmzoi-.0.vb
Filesize
14KB

MD5
8fa02b04697716ee6c098dbd5b7fba33

SHA1
6f257077bfca3250abfa7db9e51a53bcca076cb5

SHA256
2446386976f37cb2d1157d959253447f06624b470901ce92537411d530a1fe40

SHA512
95f55eac637472dfed800e7ded129bdfb3806048d78196c9d1a4cd931adbe775efad99d247898261dc7b8a9160f6a425f2c929d23bf6f2561253669f7036d0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\y5nmzoi-.cmdline
Filesize
266B

MD5
5a0ad7b1cfbcad51a3399fbc40db9baa

SHA1
4d9eac089ca4de8651bfd16826c47c6a275a41ba

SHA256
6c05c22667f040f8bdf49390e2d7e15120dd8147e919abd4ea7be2d3efd60eeb

SHA512
e24bb780d1f135eeb079e3c264bb49fe10d799ccddab129aba102cc0bce071d09b5115355843ec9e4bdcf736818148c679c4f94a49274226bbbe8860761fb30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2176-8-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2176-18-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-0-0x0000000074681000-0x0000000074682000-memory.dmp

Filesize
4KB

Download
memory/2824-1-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-2-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2824-24-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads