170b5f7340d0fd7b6377fe333e0a0abe95cff3ad14fd192a2159664f53ff2785

General

Target

42153228868d7e181eba1f65682f8e30N.exe
Size

78KB
MD5

42153228868d7e181eba1f65682f8e30
SHA1

5d88cb94379e824723a40d06b2fc98d16a9f349f
SHA256

170b5f7340d0fd7b6377fe333e0a0abe95cff3ad14fd192a2159664f53ff2785
SHA512

a0d0b97e0e976c2dde1fa5ff14efa775a4c6d85b87c28362f0aaf8d95effcd1dc038df9582ff79f2ed7232c0743792454c822263dcebd100eff63efb4ea8dccb
SSDEEP

1536:i5jSBXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6739/81Cp:i5jSBSyRxvhTzXPvCbW2Uj39/P

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

42153228868d7e181eba1f65682f8e30N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	42153228868d7e181eba1f65682f8e30N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp3D3.tmp.exe

pid process

3748 tmp3D3.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3748	tmp3D3.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp3D3.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp3D3.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

42153228868d7e181eba1f65682f8e30N.exevbc.execvtres.exetmp3D3.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42153228868d7e181eba1f65682f8e30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3D3.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

42153228868d7e181eba1f65682f8e30N.exetmp3D3.tmp.exe

description pid process

Token: SeDebugPrivilege 1508 42153228868d7e181eba1f65682f8e30N.exe
Token: SeDebugPrivilege 3748 tmp3D3.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1508	42153228868d7e181eba1f65682f8e30N.exe
Token: SeDebugPrivilege	3748	tmp3D3.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

42153228868d7e181eba1f65682f8e30N.exevbc.exe

description	pid	process	target process
PID 1508 wrote to memory of 2296	1508	42153228868d7e181eba1f65682f8e30N.exe	vbc.exe
PID 1508 wrote to memory of 2296	1508	42153228868d7e181eba1f65682f8e30N.exe	vbc.exe
PID 1508 wrote to memory of 2296	1508	42153228868d7e181eba1f65682f8e30N.exe	vbc.exe
PID 2296 wrote to memory of 396	2296	vbc.exe	cvtres.exe
PID 2296 wrote to memory of 396	2296	vbc.exe	cvtres.exe
PID 2296 wrote to memory of 396	2296	vbc.exe	cvtres.exe
PID 1508 wrote to memory of 3748	1508	42153228868d7e181eba1f65682f8e30N.exe	tmp3D3.tmp.exe
PID 1508 wrote to memory of 3748	1508	42153228868d7e181eba1f65682f8e30N.exe	tmp3D3.tmp.exe
PID 1508 wrote to memory of 3748	1508	42153228868d7e181eba1f65682f8e30N.exe	tmp3D3.tmp.exe

C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe
"C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rqialxrg.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB07.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc728B210760F41629FC04B171079A111.TMP"
3⤵
- System Location Discovery: System Language Discovery
PID:396

C:\Users\Admin\AppData\Local\Temp\tmp3D3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3D3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\42153228868d7e181eba1f65682f8e30N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB07.tmp
Filesize
1KB

MD5
d8175fd26a3ba9e988b746af0aa41354

SHA1
20e9bba06c2bdb6bb4bdd387c4d5c2315b6f7705

SHA256
09da702ed4822fe42e55ed9560682f6aa278cba02e40b2e0d86817e910f18abd

SHA512
806e05713e1f20eea038d74feb1be72aa2da2dfce4def0358912ac5cc737a0a515d32d702f8ffd47956d68dd408eb83f3df9322d7d5c462a731ec94bcc2c0652

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqialxrg.0.vb
Filesize
14KB

MD5
874ecd73baa48efdb493db45b5e53a03

SHA1
be2ae3a1c992b7d9a2b8c3bfac86f853ae878af7

SHA256
54f3ca3c8d64a53102969537c2b4da70425485f2f33c42a6caebd9769ac26dcc

SHA512
c28aa8c0acbe4d65d0f8c3196988745167c71f798772aaa67af4a2d5efbd528922729dabc826af5958dee4d77929ca947acda1270551e3aad31d5a4062df545b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqialxrg.cmdline
Filesize
265B

MD5
80ecaac7d2fb557bcb5766bf0a0435ad

SHA1
96aa294345212195d5a7c53b4a8c03802e2275d4

SHA256
ec01af856db970ad166e80df0eb2783a1f31f44414ab9d953b152f4d58bc95da

SHA512
38d3b59d934dfa1c2ac0f8b0bd4555b5c727afcc63fec0c70c6606a2536e282f6325ea3e35948507fe39b58f8fcbe8d88dff6248fa16d6d5536f560224eb0a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3D3.tmp.exe
Filesize
78KB

MD5
4be9bead5c4cfc2b2234acf982c9ebef

SHA1
1ed8c39351366a2418feebee4cc73cd07ba0fe2c

SHA256
cbd48778fe6911bad41079e16cd856ddc58e91021c1229b4459eef7eca1bfe5d

SHA512
ccdd9bb8e207e2e274449e174f22ef70b215292f033f4a2c0bc63547338448adb37c4020f028d7555fa19f6484c57f4749331919fc47ddeb48ae260c5e9c2335

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc728B210760F41629FC04B171079A111.TMP
Filesize
660B

MD5
69f8b5ed7e9277cc543440cbdb2dbec5

SHA1
eec6e53aab7b4e9750a32e7ddb8f951a90291811

SHA256
9151fe9c24a1f9c8f8983559af6b006345a9ac1743b1231ae3de418840d52dc1

SHA512
9b2d7bd1507620a8eb3bf84b22ed844c8da8d221897019a43c8bf7443055cf86bab9d5e5ee60efb6ae15be4443d7c84b68cd1577244786f479a7e75b2221e830

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1508-1-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/1508-2-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/1508-0-0x0000000075452000-0x0000000075453000-memory.dmp

Filesize
4KB

Download
memory/1508-23-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2296-8-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/2296-18-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3748-22-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3748-24-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3748-25-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3748-27-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3748-28-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3748-29-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download
memory/3748-30-0x0000000075450000-0x0000000075A01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads