93a8a14bbf42e8a7bee6ab857932894988996d25a3e491b6ef4323914b1e3d9e

General

Target

0cd87830a30b703bdeba484aa1303bc0N.exe
Size

78KB
MD5

0cd87830a30b703bdeba484aa1303bc0
SHA1

3ce059f09cc9478f1dca1a00b01d121c05ccbb03
SHA256

93a8a14bbf42e8a7bee6ab857932894988996d25a3e491b6ef4323914b1e3d9e
SHA512

d152dacf25c9e1a6f92c06f6a108393fdb4d4b164eca9c62a5843143b9ffade5b658fb33e51093ccbfbe481b8b57976a6f7a3b9e148be626893dd600d5dccaf8
SSDEEP

1536:H/V58xAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtP6W9/p1K6:fV58xAtWDDILJLovbicqOq3o+nr9/p

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0cd87830a30b703bdeba484aa1303bc0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	0cd87830a30b703bdeba484aa1303bc0N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp7649.tmp.exe

pid process

5084 tmp7649.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
5084	tmp7649.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp7649.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp7649.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0cd87830a30b703bdeba484aa1303bc0N.exevbc.execvtres.exetmp7649.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cd87830a30b703bdeba484aa1303bc0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7649.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0cd87830a30b703bdeba484aa1303bc0N.exetmp7649.tmp.exe

description pid process

Token: SeDebugPrivilege 1432 0cd87830a30b703bdeba484aa1303bc0N.exe
Token: SeDebugPrivilege 5084 tmp7649.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1432	0cd87830a30b703bdeba484aa1303bc0N.exe
Token: SeDebugPrivilege	5084	tmp7649.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0cd87830a30b703bdeba484aa1303bc0N.exevbc.exe

description	pid	process	target process
PID 1432 wrote to memory of 4720	1432	0cd87830a30b703bdeba484aa1303bc0N.exe	vbc.exe
PID 1432 wrote to memory of 4720	1432	0cd87830a30b703bdeba484aa1303bc0N.exe	vbc.exe
PID 1432 wrote to memory of 4720	1432	0cd87830a30b703bdeba484aa1303bc0N.exe	vbc.exe
PID 4720 wrote to memory of 4484	4720	vbc.exe	cvtres.exe
PID 4720 wrote to memory of 4484	4720	vbc.exe	cvtres.exe
PID 4720 wrote to memory of 4484	4720	vbc.exe	cvtres.exe
PID 1432 wrote to memory of 5084	1432	0cd87830a30b703bdeba484aa1303bc0N.exe	tmp7649.tmp.exe
PID 1432 wrote to memory of 5084	1432	0cd87830a30b703bdeba484aa1303bc0N.exe	tmp7649.tmp.exe
PID 1432 wrote to memory of 5084	1432	0cd87830a30b703bdeba484aa1303bc0N.exe	tmp7649.tmp.exe

C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe
"C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-vqkvimm.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES782D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4524653661F14D46A799F9E817DD2C5.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:4484

C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0cd87830a30b703bdeba484aa1303bc0N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-vqkvimm.0.vb
Filesize
14KB

MD5
85e6fda5aae3d9a8c252130c857b52f7

SHA1
eba8e960bcbea9d6ceded1f13a5c96bf47fb2966

SHA256
e111df07556062b0f24c5a6ad8a450efb83214799bd7492a194420a0c6cd40b9

SHA512
c4d7938d7c8e96aba73eb17d8d2df453c00eb126129927144add89c579ae931e7f638e4fd4ce318747333b8e16ef9c942f92728fef0e22c3fa4e170717ad8124

Download Submit
C:\Users\Admin\AppData\Local\Temp\-vqkvimm.cmdline
Filesize
266B

MD5
4b3a2f46d63a7c81ebc3afbc6f6a0f4a

SHA1
c7d13519c0707efcec4faec921aca325743217ff

SHA256
8b94b8339bfb6ed61c2e8228eac8f983317e644db6717827cef8971596c52bd5

SHA512
93234de73a6c926e6dd1b6886fe218c1b41aa6de0e38e25ec60689117178290a507bbf06491b9d908fea03b94526237f698a8342baa46c4c019a226b362b38c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES782D.tmp
Filesize
1KB

MD5
677ac2e078dbc0a0d5e46b2ae3fe4be2

SHA1
597c97c2fd2b76f6b09889c6f718f842174fcbcc

SHA256
34edc1e4f0bfe7479fe61470a8e32f2d8bac724c62220063bed4906dc850ba11

SHA512
0e6fc1bba58f686af7878e41e4aefd6294fc0f707de5e244c0230c7e7a5535a36a720b6251a767d36d4e2597ce91371c98bf82cc9688665e681ad207865aff27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7649.tmp.exe
Filesize
78KB

MD5
a4e7f57b23beef1431e4218186b6f5c1

SHA1
b978b67cc769bb52a18b7e4539332320cccd1989

SHA256
04b85c1f58e8e4a61a499c9d0939464a320fd77f6cba98df5bd3fb7002c98377

SHA512
11bd760461e0dd53b03956a903a375438b06a3a506f41f7a1f66c39defae795f2ddb7510f58ac4d90e2f4e6e4a9556bf730823c51a1bf35a02f762e60d6da8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4524653661F14D46A799F9E817DD2C5.TMP
Filesize
660B

MD5
505bb13f003b9830245165c4cb66ba58

SHA1
5995e5280453389e98cbaa4a543c1f47f413aa6e

SHA256
3e2c02f6af77e5d8b52c04ef4ac8a40fdf4934aa3ea8714b0379c571b930cf2b

SHA512
02f6dfda1b7729451382787160888962638a1dc12fa2e879ceaea448d7708c4e73ee78c7cff837870c3cecadfc2bd28d957129e7ee2905c98ed98a9729a59286

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1432-1-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download
memory/1432-22-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download
memory/1432-0-0x0000000074682000-0x0000000074683000-memory.dmp

Filesize
4KB

Download
memory/1432-2-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download
memory/4720-18-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download
memory/4720-9-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download
memory/5084-23-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download
memory/5084-24-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download
memory/5084-25-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download
memory/5084-26-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download
memory/5084-27-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download
memory/5084-28-0x0000000074680000-0x0000000074C31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads