eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d

General

Target

3bbf562527e29091bb75e829c2992850N.exe
Size

78KB
MD5

3bbf562527e29091bb75e829c2992850
SHA1

c9533421ce13b9b8e167544b0862414502813a95
SHA256

eee6b012e88a2c757fcdadfdc681e5c6ab2f748f84b8b1e8037340b1b8a2104d
SHA512

3d90b6094883356d8e6dda649bab6e553ce5b08cadd8316e390ee343b2e74732531af0e7b685707b7a839da5656f73d7bbf7326299e4d7f8018bce425aa480eb
SSDEEP

1536:5csHY6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt59/a1f5:asHYI3ZAtWDDILJLovbicqOq3o+n59/O

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmpB3D5.tmp.exe

pid process

2708 tmpB3D5.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

3bbf562527e29091bb75e829c2992850N.exe

pid process

2388 3bbf562527e29091bb75e829c2992850N.exe
2388 3bbf562527e29091bb75e829c2992850N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2708	tmpB3D5.tmp.exe

pid	process
2388	3bbf562527e29091bb75e829c2992850N.exe
2388	3bbf562527e29091bb75e829c2992850N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpB3D5.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpB3D5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3bbf562527e29091bb75e829c2992850N.exevbc.execvtres.exetmpB3D5.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bbf562527e29091bb75e829c2992850N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB3D5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3bbf562527e29091bb75e829c2992850N.exetmpB3D5.tmp.exe

description pid process

Token: SeDebugPrivilege 2388 3bbf562527e29091bb75e829c2992850N.exe
Token: SeDebugPrivilege 2708 tmpB3D5.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2388	3bbf562527e29091bb75e829c2992850N.exe
Token: SeDebugPrivilege	2708	tmpB3D5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3bbf562527e29091bb75e829c2992850N.exevbc.exe

description	pid	process	target process
PID 2388 wrote to memory of 2568	2388	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 2388 wrote to memory of 2568	2388	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 2388 wrote to memory of 2568	2388	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 2388 wrote to memory of 2568	2388	3bbf562527e29091bb75e829c2992850N.exe	vbc.exe
PID 2568 wrote to memory of 2268	2568	vbc.exe	cvtres.exe
PID 2568 wrote to memory of 2268	2568	vbc.exe	cvtres.exe
PID 2568 wrote to memory of 2268	2568	vbc.exe	cvtres.exe
PID 2568 wrote to memory of 2268	2568	vbc.exe	cvtres.exe
PID 2388 wrote to memory of 2708	2388	3bbf562527e29091bb75e829c2992850N.exe	tmpB3D5.tmp.exe
PID 2388 wrote to memory of 2708	2388	3bbf562527e29091bb75e829c2992850N.exe	tmpB3D5.tmp.exe
PID 2388 wrote to memory of 2708	2388	3bbf562527e29091bb75e829c2992850N.exe	tmpB3D5.tmp.exe
PID 2388 wrote to memory of 2708	2388	3bbf562527e29091bb75e829c2992850N.exe	tmpB3D5.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe
"C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d-iqhwla.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB52D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB52C.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2268

C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3bbf562527e29091bb75e829c2992850N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB52D.tmp
Filesize
1KB

MD5
65a6abecd1b8346eac43717cd301ea5c

SHA1
cbe64cdf96faf724716d99ed65b3470e287be67e

SHA256
195f72361e465656c7ac31cd3004cdb269b7784f1b79941ac72eb03f4fb232fd

SHA512
a8090a9970681784ba8bbc8d2fedf2a1db2e715115978308d1556f427c1e47df5a03022f27611532f2b34df677e874b64741e300d93e7419b1c2868b3db43e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d-iqhwla.0.vb
Filesize
15KB

MD5
2ca221524c5d362254c16d34f1392de5

SHA1
d793be5a434b1f4723a8ac1c7747eb28e0834f1e

SHA256
b24910e5a74428983981799dccb61a840c503640de32a23032dd5d7880ac7e74

SHA512
0f94c7802df340c472c7266a4ee030780bc823a30a6c341ab17d8293178cad49d931722c4e0f9c88a4ddfe9896d460c68e986ab61bedbae64b80d67ba092c3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\d-iqhwla.cmdline
Filesize
266B

MD5
4fac59e56f24f89c8b8c52573aaceee1

SHA1
fc32396aaec9f9a5c2e07158879d69af616f3bad

SHA256
7ef4dfc2a6baaef95e3cf2bb6676034a60658ab6631eb7fc00fdd3310d7e5cd8

SHA512
6663911e1f4121ccabd050a57e6fdb4e87c43dc9a14c22de7810a6bf99fd675867ecf00b3c6856eb7d28bf2b93c92104f4e0361b4fc935f129754c44ec506c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3D5.tmp.exe
Filesize
78KB

MD5
cfae413edae2b13da6de59d61bf913cd

SHA1
438dfbaf2ed6558a9310f7ed8e0e430f010c43c9

SHA256
02ad03d11a31b83a00710e05e8768a5bfc4046e563421f0780bf5b6243fa703f

SHA512
12a439061a89dbbc20de19cefdbccbd9420248d09a07f633ef43758f9c724b2fc38503054608e8385902c3a183657984526ffa5aa70dc389185de9cdf27b5bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB52C.tmp
Filesize
660B

MD5
9ae0ab9934ca922a0f032d111ced768a

SHA1
7e5e713164c58ca8d1d350a0f2bb21288afd8b6e

SHA256
94ff0ad631bef69e08b5ff2d9bf6f4a3499b51c26492fc0be763bd429405ca53

SHA512
6bbfdee42986cc4bb67c5ba50267aad2b42d5d064d7b9604dda3d628a0fc9dc5fef49b84e47e180725bc988159ce800280980b019f15934ef37608ceb4465883

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2388-0-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

Filesize
4KB

Download
memory/2388-1-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-2-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2388-24-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-8-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-18-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads