b8f64d354e9100cdf85f344baa8419d7b8aa03a6596766098807466b9aa451bd

General

Target

f1d01ea6044cb2a122fa7915b1ec8ad0N.exe
Size

78KB
MD5

f1d01ea6044cb2a122fa7915b1ec8ad0
SHA1

f9fbf2bdd67d452ed788005ac567c4375fc5eec3
SHA256

b8f64d354e9100cdf85f344baa8419d7b8aa03a6596766098807466b9aa451bd
SHA512

f48e6ec3a7324ac7c9ab713f06e0083f2f3061c7a1c6c19abb257990997f73565c3c339ae76cc4dd9f2715d93aebe7e798b0d30e0d76ea66ea5fa412ef8cc813
SSDEEP

1536:AoPWtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtZ9/Z1D:nPWtH/3ZAtWDDILJLovbicqOq3o+nZ9v

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmpF45D.tmp.exe

pid process

2116 tmpF45D.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

f1d01ea6044cb2a122fa7915b1ec8ad0N.exe

pid process

2492 f1d01ea6044cb2a122fa7915b1ec8ad0N.exe
2492 f1d01ea6044cb2a122fa7915b1ec8ad0N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2116	tmpF45D.tmp.exe

pid	process
2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe
2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpF45D.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpF45D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f1d01ea6044cb2a122fa7915b1ec8ad0N.exevbc.execvtres.exetmpF45D.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF45D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f1d01ea6044cb2a122fa7915b1ec8ad0N.exetmpF45D.tmp.exe

description pid process

Token: SeDebugPrivilege 2492 f1d01ea6044cb2a122fa7915b1ec8ad0N.exe
Token: SeDebugPrivilege 2116 tmpF45D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe
Token: SeDebugPrivilege	2116	tmpF45D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f1d01ea6044cb2a122fa7915b1ec8ad0N.exevbc.exe

description	pid	process	target process
PID 2492 wrote to memory of 1148	2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe	vbc.exe
PID 2492 wrote to memory of 1148	2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe	vbc.exe
PID 2492 wrote to memory of 1148	2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe	vbc.exe
PID 2492 wrote to memory of 1148	2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe	vbc.exe
PID 1148 wrote to memory of 2124	1148	vbc.exe	cvtres.exe
PID 1148 wrote to memory of 2124	1148	vbc.exe	cvtres.exe
PID 1148 wrote to memory of 2124	1148	vbc.exe	cvtres.exe
PID 1148 wrote to memory of 2124	1148	vbc.exe	cvtres.exe
PID 2492 wrote to memory of 2116	2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe	tmpF45D.tmp.exe
PID 2492 wrote to memory of 2116	2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe	tmpF45D.tmp.exe
PID 2492 wrote to memory of 2116	2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe	tmpF45D.tmp.exe
PID 2492 wrote to memory of 2116	2492	f1d01ea6044cb2a122fa7915b1ec8ad0N.exe	tmpF45D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe
"C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pxp4ab-b.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5B5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5B4.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2124

C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF5B5.tmp
Filesize
1KB

MD5
ed4f2c5572546f398a66126b7c92d44a

SHA1
b9a0aeb2127a755cb5b2bd875a22a583b21496e8

SHA256
ff1fd7f887849a249b7435c228097061d020eaa5580519b15e51190653774a4d

SHA512
0b87b966aae1b188e37c41898eb522e8c56e3d4d83695dedeb8e44b9f172063b31ac6457199fc811d3ece3e54ba0d67b2d34ad0cc95783b9971ff3568f4bbeea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxp4ab-b.0.vb
Filesize
15KB

MD5
a42c864395a0a1e42cd74e99d884c8d4

SHA1
6525906700777e41a9c7812a93a8fea9975d86ac

SHA256
7d87b165afb67426ce1c7835c31785570cd41c16b176d7939096cdcfb0f1d4f2

SHA512
0b82d6431b9201a3f38320c4e89428df2890c92aa72e8ae73f04c88a51028d8c39b655f35ebab711da6e01ad924ff7c8a279e4273746cd5f26dda3b93fb4adb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxp4ab-b.cmdline
Filesize
266B

MD5
e3d4884fd00e1cb6e38124203a26f74b

SHA1
acd4c462bee1196f3c8c7846f5fa900c123c01a7

SHA256
f035adf17c1eb8b943ab2b327690a9095857a76a63cd008642602a504abe1c9e

SHA512
6b282adf79d683da8fdea9fc055edbf745d98e285176d4d6cc909b6eea805df7605d363f1303ef763c9475040b781b797e7e6faae40e6a723413dc7cbea61fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe
Filesize
78KB

MD5
d6d36022cc972dd706c2b5787301c4ee

SHA1
c2f2c4e11083f57605c556174bfa24c8a9556f5c

SHA256
c44f83eb31458dfcdb825ae9ae95261ec836ee5b35aed28a0acab83b4d4226b4

SHA512
e18bb0608230a0399ec556a28525e0719e253b2371baede6fa8332f94fc857fe664a0f5b7b1c4d57704559e20e2b565726557b326d3acec22bf502b1f9a32c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF5B4.tmp
Filesize
660B

MD5
9288a05682d4e49441547829a4072839

SHA1
869c6a30af3505462c43a9cd9a91f13d240d435f

SHA256
a80c679b9e13e4dc0862706d47e4b7f4ff21638c99e14a513ae3a713aef9b4f2

SHA512
1f21f571da56752f45506e9f145c8f16a192e797987c52851d6ec1b34fc192c5a6d7d3b29b749e3bedcfb48fb484a91baa0559e2133191e4e34dbcdb641772ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1148-8-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/1148-18-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-24-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads