dfadb1a98835ff8b2f88c84c544d7e1a944b37ea2ff085b56c44ba0337185394

General

Target

7eb691f7e305078328210e594ec87900N.exe
Size

78KB
MD5

7eb691f7e305078328210e594ec87900
SHA1

f04b8a2ed0080f712290d3cd5651daebd44a5613
SHA256

dfadb1a98835ff8b2f88c84c544d7e1a944b37ea2ff085b56c44ba0337185394
SHA512

a2c8e5a4c3d4eec02ddcb7ce7bbaae9501474b8c916455c1dd21b3040e1a7a6b090e5866888493cb95b42d7b2fdbef04e39c1c4ac16e4c1adeb0538a6bea2f25
SSDEEP

1536:7RCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteW9/J1Ab:7RCHFq3Ln7N041QqhgeW9/W

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmpF93D.tmp.exe

pid process

1732 tmpF93D.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

7eb691f7e305078328210e594ec87900N.exe

pid process

3044 7eb691f7e305078328210e594ec87900N.exe
3044 7eb691f7e305078328210e594ec87900N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1732	tmpF93D.tmp.exe

pid	process
3044	7eb691f7e305078328210e594ec87900N.exe
3044	7eb691f7e305078328210e594ec87900N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpF93D.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpF93D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7eb691f7e305078328210e594ec87900N.exevbc.execvtres.exetmpF93D.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7eb691f7e305078328210e594ec87900N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF93D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

7eb691f7e305078328210e594ec87900N.exetmpF93D.tmp.exe

description pid process

Token: SeDebugPrivilege 3044 7eb691f7e305078328210e594ec87900N.exe
Token: SeDebugPrivilege 1732 tmpF93D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3044	7eb691f7e305078328210e594ec87900N.exe
Token: SeDebugPrivilege	1732	tmpF93D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7eb691f7e305078328210e594ec87900N.exevbc.exe

description	pid	process	target process
PID 3044 wrote to memory of 2028	3044	7eb691f7e305078328210e594ec87900N.exe	vbc.exe
PID 3044 wrote to memory of 2028	3044	7eb691f7e305078328210e594ec87900N.exe	vbc.exe
PID 3044 wrote to memory of 2028	3044	7eb691f7e305078328210e594ec87900N.exe	vbc.exe
PID 3044 wrote to memory of 2028	3044	7eb691f7e305078328210e594ec87900N.exe	vbc.exe
PID 2028 wrote to memory of 2216	2028	vbc.exe	cvtres.exe
PID 2028 wrote to memory of 2216	2028	vbc.exe	cvtres.exe
PID 2028 wrote to memory of 2216	2028	vbc.exe	cvtres.exe
PID 2028 wrote to memory of 2216	2028	vbc.exe	cvtres.exe
PID 3044 wrote to memory of 1732	3044	7eb691f7e305078328210e594ec87900N.exe	tmpF93D.tmp.exe
PID 3044 wrote to memory of 1732	3044	7eb691f7e305078328210e594ec87900N.exe	tmpF93D.tmp.exe
PID 3044 wrote to memory of 1732	3044	7eb691f7e305078328210e594ec87900N.exe	tmpF93D.tmp.exe
PID 3044 wrote to memory of 1732	3044	7eb691f7e305078328210e594ec87900N.exe	tmpF93D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe
"C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0c-ppye2.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA18.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2216

C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7eb691f7e305078328210e594ec87900N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c-ppye2.0.vb
Filesize
15KB

MD5
6e6c2932cc81ec3d5e7685e4aefc4b4c

SHA1
1eb5ab9a3be0ea45a1ca676cd2009811138ba39d

SHA256
ede75327262b842851e730153af0f9209937ddf179612ddc9d55e9d0e979c27b

SHA512
69bcbf8c96b32f23cad253fe43e26422b22de142caeec71de58d0d127e077728a0624ee08da8858ad603362b845b661d0486443e597f52ff8e8a818e475f131e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c-ppye2.cmdline
Filesize
266B

MD5
84a02c95d0af25e9cc84454bf22a8464

SHA1
b8513b5f0db4a8957baec31e6cc7d37da42fde42

SHA256
666730a2b7ff68dd963b989045479cd9510646487f009954987ac54f04737c6e

SHA512
199d973384703012e34da415808287c6c1494792d7fc1b910e94532f3ba3f6840b2079bdbfc422c35d4051b4450282c07dcf7712195217f72ccdf196e1f777e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA19.tmp
Filesize
1KB

MD5
4fb267e597865291acfb97dcc53efc3a

SHA1
06c6194d75a7c27b7aa37d365c99a0e50951558a

SHA256
e15eddaf97b64f2678a2e8d8af026dd6f1cf9f1d4060fc6bec174b6dcf6494ce

SHA512
de39d5dff8d1867f328b6bbd610883b77cdbdf2167cddedbb4b03b60a128157437095908039ca358c499fbf77b061ba7a5a315b659520ba1bd0d877d4f8315d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF93D.tmp.exe
Filesize
78KB

MD5
23e6eb205098fbd9fc69e88466ac8de7

SHA1
f75c60656915c5e9088693d6757f228d89cfef4e

SHA256
09ccf1f15609c916d94b67da95864ea130c2166ce1894fdec687f532de999417

SHA512
fe0ce144c62a89d92669625e21957a72c642e6660a7b17ed2b3e92d3c1acb676c2343a67e4a8c0ceb7c7d3de072e4c2f2c95677e15b745ce06da89f1daa6f3bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFA18.tmp
Filesize
660B

MD5
6f2e78081a46db2a2a72a948ff5734d0

SHA1
16414615fd6339613f6aa30e763f8ca1375e3f21

SHA256
89e8a03c1acce4d3885837625a5502574905973c62858913127749a23dee4bf7

SHA512
c439d12e4f6d418adcbd659d0438e1d46919a649f970f15624522649062543dc4dec7a6ce4cf5fcd583e74f4ae1b11d0c48611e721a4f1733399537396c2c8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2028-8-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-18-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/3044-0-0x0000000074001000-0x0000000074002000-memory.dmp

Filesize
4KB

Download
memory/3044-1-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/3044-2-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/3044-24-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads