cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873

General

Target

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
Size

78KB
MD5

94e0cfa0f06092a53df124587a75f869
SHA1

3883232d684ad6ecbba631367a9afcc02f6ae814
SHA256

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873
SHA512

eb620cc884eceb228f623d3c85b79b4b86b668666b4733505ec827e76916d707feab4667c4a5af16508fe0226c06616e47afb99400eb530e5da5a9c7c6811d51
SSDEEP

1536:S4tHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt1d9/I1+o:S4tHY53Ln7N041Qqhg1d9/u

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmpCEC.tmp.exe

pid process

2772 tmpCEC.tmp.exe

pid	process
2772	tmpCEC.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe

pid	process
2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpCEC.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpCEC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exevbc.execvtres.exetmpCEC.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCEC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exetmpCEC.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
Token: SeDebugPrivilege	2772	tmpCEC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exevbc.exe

description	pid	process	target process
PID 2796 wrote to memory of 2208	2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	vbc.exe
PID 2796 wrote to memory of 2208	2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	vbc.exe
PID 2796 wrote to memory of 2208	2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	vbc.exe
PID 2796 wrote to memory of 2208	2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	vbc.exe
PID 2208 wrote to memory of 2752	2208	vbc.exe	cvtres.exe
PID 2208 wrote to memory of 2752	2208	vbc.exe	cvtres.exe
PID 2208 wrote to memory of 2752	2208	vbc.exe	cvtres.exe
PID 2208 wrote to memory of 2752	2208	vbc.exe	cvtres.exe
PID 2796 wrote to memory of 2772	2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	tmpCEC.tmp.exe
PID 2796 wrote to memory of 2772	2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	tmpCEC.tmp.exe
PID 2796 wrote to memory of 2772	2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	tmpCEC.tmp.exe
PID 2796 wrote to memory of 2772	2796	cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe	tmpCEC.tmp.exe

C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
"C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zvdo3gdb.cmdline"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1018.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1008.tmp"
3⤵
- System Location Discovery: System Language Discovery
PID:2752

C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1018.tmp
Filesize
1KB

MD5
9e2b6e83261a92dc8823f14f6870ec30

SHA1
19b164017136a22c8de603e0ec829a818347e5c5

SHA256
4a62cc29662540d68b486ba11dc19f17dd3893c91c28c328e0dc7b26bad95237

SHA512
df3f9aa6ccc556698ed66a28524d0da3f608aecbad14f229d59852eb4870c4000a1ac4dc886f144a084a70eb9a57f70b50c8655b4e86b9ea7ac3041040f1c85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe
Filesize
78KB

MD5
4ce72d69af00daaf7740a5401f8fab59

SHA1
7901b33ccc63a1f5d08296019fb535cbaaddc445

SHA256
460d1ac042cd15522c638101ab41f3aaf090a11b541f20b6f9a70314b37672e0

SHA512
d23b588937c61bf970205bd6a69fde2ddece0972d4350b22a63b3dd3af9cd905842b1579f309a6265226909ee54aebc0142508b98029d2c7c2cec46f568f32f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1008.tmp
Filesize
660B

MD5
042227c8cc415c5f5f48d6eb6b2185c9

SHA1
dc4945a3ce1691d3cc60042cfdf352955c93dbda

SHA256
0ebdc42d9878ec5f89d40604cc9fc7cf2443b98c8e9d68699f5c5e3333133f37

SHA512
a0d6a9dce2ba024325f63fd9cc22b1300e732496ad19b99f544300563981c53e15d412f15d62ff8c0614fb2fde859cfc0e0e58c72f97691ab26f287598d76483

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvdo3gdb.0.vb
Filesize
15KB

MD5
66e2fc97f5c97d3000d708d79986abc6

SHA1
a87ea075f938d295a49e1de5e741c7b0fad55298

SHA256
e67e88bbf59d595158a7b2e1ac05cd10b04290532f4b32c3feaec94666edfc54

SHA512
0435d5860ab2a58fed8af2e8eb023c610048ec8291ec1cf119d5a7babb3be7e0a041982222d60789fa1497f0f5bcb70f21e56b52da8d9cbb763ef3fab6817b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvdo3gdb.cmdline
Filesize
265B

MD5
85ee33509da986e2ed3403cafa2a9944

SHA1
6d0d8baaf22d6db98b537205cadb72e042b6d7a8

SHA256
1f7507a26d886794f173fa49aea4ee5ab169fb8a3bc40490c0f4b34988706dea

SHA512
d464d976e6a88bf521e5a78293eb9eeb6db647d9dcc9f66a9040f50ad5cc8cce673a094bd5462f8b6ffad18ed88f1347f0e1dc09efc20f3d5e8f2d76eeb947f2

Download Submit
memory/2208-8-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-18-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-0-0x00000000740B1000-0x00000000740B2000-memory.dmp

Filesize
4KB

Download
memory/2796-1-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-2-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-24-0x00000000740B0000-0x000000007465B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads