070def2d76946994196689b38aab650d16799ec9632ab44fb9926ce55bc6d2e3

General

Target

0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Size

78KB
MD5

0c7da8d5a9cd906b6e7bfa5c6c3e5c40
SHA1

4403b0775b66ad69b326dd5f9abbe736e0ce10c7
SHA256

070def2d76946994196689b38aab650d16799ec9632ab44fb9926ce55bc6d2e3
SHA512

2e05e10e498cfa978aa5865a8de0b7c66ca831f96e2fb170d7b5cec1c2ad39c18e1b18faea13d9be359584d3eaa14d2768619f402006f0826a29f278d9b7a45e
SSDEEP

1536:ImWtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtL49/u1D:1WtH/3ZAtWDDILJLovbicqOq3o+nL49E

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe

Deletes itself 1 IoCs

Processes:

tmp8D2C.tmp.exe

pid process

4776 tmp8D2C.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp8D2C.tmp.exe

pid process

4776 tmp8D2C.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4776	tmp8D2C.tmp.exe

pid	process
4776	tmp8D2C.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp8D2C.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp8D2C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exevbc.execvtres.exetmp8D2C.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8D2C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exetmp8D2C.tmp.exe

description pid process

Token: SeDebugPrivilege 4084 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Token: SeDebugPrivilege 4776 tmp8D2C.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4084	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Token: SeDebugPrivilege	4776	tmp8D2C.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exevbc.exe

description	pid	process	target process
PID 4084 wrote to memory of 4152	4084	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	vbc.exe
PID 4084 wrote to memory of 4152	4084	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	vbc.exe
PID 4084 wrote to memory of 4152	4084	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	vbc.exe
PID 4152 wrote to memory of 5096	4152	vbc.exe	cvtres.exe
PID 4152 wrote to memory of 5096	4152	vbc.exe	cvtres.exe
PID 4152 wrote to memory of 5096	4152	vbc.exe	cvtres.exe
PID 4084 wrote to memory of 4776	4084	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	tmp8D2C.tmp.exe
PID 4084 wrote to memory of 4776	4084	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	tmp8D2C.tmp.exe
PID 4084 wrote to memory of 4776	4084	0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe	tmp8D2C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
"C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v-uzxpxg.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C08650A27414BB9A52BAB82F1AA29A2.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:5096

C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp
Filesize
1KB

MD5
7b1c47e3a8facce10498b13015b1a323

SHA1
d03ff2434a56f9160535dd20573331b6570179c1

SHA256
9a6796542065af40bc304408defeb799c277b147353b4bb14683a3c1e154a800

SHA512
b8826692807fc80e68722eff7b6a55f46de3e4eba864bb9d959222b52029305c5512b32aada24cebf1a5017915bbd4946e5b5aee3f434635b2d63c706a83cda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe
Filesize
78KB

MD5
708b78eaffe0017469c6b1d24fb3b9fe

SHA1
03801b63066deb0483abab87ca4d62d5ef44d894

SHA256
4ebeca321982693f9460c17db17dd2a00becf7ab5f016d1f7ad0990bf9f42a68

SHA512
1eaf96a61c754889ec43736132fee8fd5925076b4ba6ad2b214bc439e183be0def59fd6256051b32e0cc8646ac3ef489dd1c970e14a96dc997c64024f1b05f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\v-uzxpxg.0.vb
Filesize
15KB

MD5
0eaf5a9a477fbe13fcdc66fe93a578ad

SHA1
0fcb401107bcf4420506f6a075501fcaa5733670

SHA256
d4685460abb10132d4e2c06e4850cb8980933839eb3117caa920f6466367a8fb

SHA512
eb2f940f389e1c8a8953e798e8b1b4bc48a35bf12da9f080f61fa6f6d0a3588f34faffd4da86547cd055ab059a12830d6232555383fdd5e6e61ac5554917f76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v-uzxpxg.cmdline
Filesize
266B

MD5
f11a90b561f2d5bfd5edbae67dac7eea

SHA1
54d7ac5764287ff2e8d1e8fc1adc726a3114c73d

SHA256
295d2355c65b0c01f98757c9cf857f6ccccd3e6248c9d31ea6a1c457c184fbb6

SHA512
c9afbdcae3e4cdc0cade392783a002b15665df824e0b114cba4c70bba5d74d7b0677dcac1e81a5a89c9f1311213f9315f8ede31deeb7a789440faca317c5e628

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C08650A27414BB9A52BAB82F1AA29A2.TMP
Filesize
660B

MD5
a36738fc510ffe5443e9074b23dc34b0

SHA1
ea0f9b766aad1eb5a5db38eb59922b68cd6e7e85

SHA256
aa757f04dcd7e3caf2bf3c1dcd3c534d0d2d614e7d173376fc6bf800e1455746

SHA512
42498a1d1eac3385b77d7f39cdb9716b6e3bb5c70a567042478ac2b02c452e90d79132abe838343c8243d008c85de9b02e6878f158bc6cee37bd084e3c9c1c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/4084-22-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4084-2-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4084-1-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4084-0-0x0000000075472000-0x0000000075473000-memory.dmp

Filesize
4KB

Download
memory/4152-9-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4152-18-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4776-23-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4776-24-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4776-25-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4776-26-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download
memory/4776-27-0x0000000075470000-0x0000000075A21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads