da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c

General

Target

875aa8aeeb28f3646c22208934098420N.exe
Size

78KB
MD5

875aa8aeeb28f3646c22208934098420
SHA1

7d8851d051042a454e26c1f31e540b21b8fc250c
SHA256

da8bcbbbf398154b18c1f9d8a4c2799af67aff835ee82c8f65365376d236b74c
SHA512

a577e9215c42f166e0c441792825412d9586d4edc7c3392c18942a108c40251ae77f4650e7444a031f64a620f3cd4a33014ca408a697db163481a8420e5f0e9a
SSDEEP

1536:xBWV5jSuAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6o9/I1Td:rWV5jSuAtWDDILJLovbicqOq3o+nA9/4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp163F.tmp.exe

pid process

2984 tmp163F.tmp.exe
Loads dropped DLL 2 IoCs

Processes:

875aa8aeeb28f3646c22208934098420N.exe

pid process

2220 875aa8aeeb28f3646c22208934098420N.exe
2220 875aa8aeeb28f3646c22208934098420N.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2984	tmp163F.tmp.exe

pid	process
2220	875aa8aeeb28f3646c22208934098420N.exe
2220	875aa8aeeb28f3646c22208934098420N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp163F.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp163F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.execvtres.exetmp163F.tmp.exe875aa8aeeb28f3646c22208934098420N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp163F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	875aa8aeeb28f3646c22208934098420N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

875aa8aeeb28f3646c22208934098420N.exetmp163F.tmp.exe

description pid process

Token: SeDebugPrivilege 2220 875aa8aeeb28f3646c22208934098420N.exe
Token: SeDebugPrivilege 2984 tmp163F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2220	875aa8aeeb28f3646c22208934098420N.exe
Token: SeDebugPrivilege	2984	tmp163F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

875aa8aeeb28f3646c22208934098420N.exevbc.exe

description	pid	process	target process
PID 2220 wrote to memory of 2680	2220	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 2220 wrote to memory of 2680	2220	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 2220 wrote to memory of 2680	2220	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 2220 wrote to memory of 2680	2220	875aa8aeeb28f3646c22208934098420N.exe	vbc.exe
PID 2680 wrote to memory of 2708	2680	vbc.exe	cvtres.exe
PID 2680 wrote to memory of 2708	2680	vbc.exe	cvtres.exe
PID 2680 wrote to memory of 2708	2680	vbc.exe	cvtres.exe
PID 2680 wrote to memory of 2708	2680	vbc.exe	cvtres.exe
PID 2220 wrote to memory of 2984	2220	875aa8aeeb28f3646c22208934098420N.exe	tmp163F.tmp.exe
PID 2220 wrote to memory of 2984	2220	875aa8aeeb28f3646c22208934098420N.exe	tmp163F.tmp.exe
PID 2220 wrote to memory of 2984	2220	875aa8aeeb28f3646c22208934098420N.exe	tmp163F.tmp.exe
PID 2220 wrote to memory of 2984	2220	875aa8aeeb28f3646c22208934098420N.exe	tmp163F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe
"C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8g-drgne.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1768.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1767.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2708

C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\875aa8aeeb28f3646c22208934098420N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8g-drgne.0.vb
Filesize
14KB

MD5
2b38ffbe47d3ecf204c3a42d5a63227e

SHA1
a0f9e80d85a636811d4ec176bee919bf94855325

SHA256
fb978605e56b2307760f150e7ae53b22dfa3b6f1544e9dc46b1be0653fb18356

SHA512
093578b1a08737dfef3f6dd42adc8b68066da88a1e16838d9af0ab08a03d958884e2c0dfae21a2dc42c2b4da7537740dc72f37b0076259d25a0c23ff13cee1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8g-drgne.cmdline
Filesize
266B

MD5
7c4a94743b6c7b2870fd70e85e8cc7bf

SHA1
de5e274f57f57f1938e4b06356204900b4dd6f1c

SHA256
ca0a33390b8776c9cd1295c771eaa3ebe46a009648f1f6ed016174abb990b49d

SHA512
a9dd485cc17466c88f0cbae4a243fe660e460715061b956f8e2b5d905f7f1aff3cc589a98fbda0980f104cc9b83d4764526e2ac62402e61f1df64b3c0bc36484

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1768.tmp
Filesize
1KB

MD5
0bb955a0b27e189a755ad3ed727a7dcb

SHA1
3f232ffed822bb6e4bacaea983aeef67f96bf994

SHA256
43e0597424b0734558443e927bd5562d4fcd1b95de36a18e30b2bf0218535644

SHA512
f9a9a25c0d99a345635df0df1a379a23c519f75d6b3ee62dc6c3dacf5bc052f4feb5fd336f7a1d23a3fe4ab8271538c37f6dc6f243b3d13c879af8d074b397dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp163F.tmp.exe
Filesize
78KB

MD5
beda92c87242a7f2d2e66f8abcd2d844

SHA1
e653f8822a6092fcf09463daff54f0570631d086

SHA256
8ac16189b4560bd68c6981d6d9b255a17da29dd488fb31296b9754d1f03198e4

SHA512
aae5d35f6c76405e3f2cd158658b4be0f9164f5534e09bab33437211f7f1cdba48f5fe221fa0dffbd13842ae2815902ac52ede96c5100c89da84feff920c32b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1767.tmp
Filesize
660B

MD5
d0c28f627ef99cdbd7858fce053cbb4a

SHA1
a3547a179b2b74e9c5052b47922367dd6eda3c41

SHA256
6bc5a9759ca3ea3c4ba800be8968a996238baa1a1c80b6bc45451090b65b8a2d

SHA512
57128bcc2bf3649dc653bd301416d7f4a7d87ab4c219338db1df139d2a5562ba525dcec0f5ee045b5bbd80250626d871c36851dd503dd0f72d66ffca8a14df8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2220-0-0x0000000074D71000-0x0000000074D72000-memory.dmp

Filesize
4KB

Download
memory/2220-1-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-2-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-24-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-8-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-18-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads