1c03ee1e4d5665098ca6fa6a1cdff5c155513e7db03f1852392ca772cc416577

General

Target

c2921aaa45b8dca74b9f7de43534dad0N.exe
Size

78KB
MD5

c2921aaa45b8dca74b9f7de43534dad0
SHA1

abac272d02250d010e71398f4378d6f20bc4e0dc
SHA256

1c03ee1e4d5665098ca6fa6a1cdff5c155513e7db03f1852392ca772cc416577
SHA512

ffb175f73d1739a56c9145187fd45afea64ac014f53067b9cd938c7b15db0e31dae1c1a11461419534b785e54dc17c2e50d7247cb86f4cdd4f0f6abec46ab60e
SSDEEP

1536:v5jSMLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti6g9/O1Zc:v5jS6E2EwR4uY41HyvY49/p

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2668	tmpFE0E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1908	c2921aaa45b8dca74b9f7de43534dad0N.exe
1908	c2921aaa45b8dca74b9f7de43534dad0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpFE0E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2921aaa45b8dca74b9f7de43534dad0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFE0E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	c2921aaa45b8dca74b9f7de43534dad0N.exe
Token: SeDebugPrivilege	2668	tmpFE0E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2376	1908	c2921aaa45b8dca74b9f7de43534dad0N.exe	31
PID 1908 wrote to memory of 2376	1908	c2921aaa45b8dca74b9f7de43534dad0N.exe	31
PID 1908 wrote to memory of 2376	1908	c2921aaa45b8dca74b9f7de43534dad0N.exe	31
PID 1908 wrote to memory of 2376	1908	c2921aaa45b8dca74b9f7de43534dad0N.exe	31
PID 2376 wrote to memory of 2676	2376	vbc.exe	33
PID 2376 wrote to memory of 2676	2376	vbc.exe	33
PID 2376 wrote to memory of 2676	2376	vbc.exe	33
PID 2376 wrote to memory of 2676	2376	vbc.exe	33
PID 1908 wrote to memory of 2668	1908	c2921aaa45b8dca74b9f7de43534dad0N.exe	34
PID 1908 wrote to memory of 2668	1908	c2921aaa45b8dca74b9f7de43534dad0N.exe	34
PID 1908 wrote to memory of 2668	1908	c2921aaa45b8dca74b9f7de43534dad0N.exe	34
PID 1908 wrote to memory of 2668	1908	c2921aaa45b8dca74b9f7de43534dad0N.exe	34

C:\Users\Admin\AppData\Local\Temp\c2921aaa45b8dca74b9f7de43534dad0N.exe
"C:\Users\Admin\AppData\Local\Temp\c2921aaa45b8dca74b9f7de43534dad0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5-ut5_8e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc139.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- C:\Users\Admin\AppData\Local\Temp\tmpFE0E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFE0E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c2921aaa45b8dca74b9f7de43534dad0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5-ut5_8e.0.vb

Filesize
14KB

MD5
38de91f1936d9b34b8c449ea93c2db72

SHA1
bc2b82b560286aba2cd56276c7f6696bde040947

SHA256
8169081b0671ea4c9d628d3e43f943bf1a0279690f5fd5df25f8b00f6adf026f

SHA512
255f0405a719a51517242f79c6acaa105fc5d5ebb145d94f0c193101dde87ee1df79ba3af352be6326304abfa3f57a51bd2ccbb4b3c44726e54a923180bece6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5-ut5_8e.cmdline

Filesize
266B

MD5
5ec9b9e4c17626b50a0f78d5cee7fa0d

SHA1
0a48d93870a374385d65582e89967ae249c4494b

SHA256
bc374c91011e39ac87a1894a719afca17f9608c9bd5d00f6b9b980b6127a221e

SHA512
2cfb7f48348ab8a585a8865c2fcfbe17649e46c78bbb3c32ff686e572beb1bc7f47f5bb34860124e0dec911cbe031d20d684688ed0d72f8847ae4538b98d77cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES13A.tmp

Filesize
1KB

MD5
2166b66aa04cc17fab945219bf8010d7

SHA1
22c0f24966c0cb85eceb02e9c0b5cc403ddce545

SHA256
307d93619e975a583788d73ce9a070dcb1dca0bff2e5c84a8cd9d5f7ae8b97ce

SHA512
bf2aa059bd1453b84f2909d60ea409a286f22bc6b02b6849ee5eb0176a902a3dbeeeb20bb61dd113c9b75586e3f16005429732445ccca6f1f61c3ebf89c8c09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE0E.tmp.exe

Filesize
78KB

MD5
8ce951504b0da132e717f83b11c3d1c1

SHA1
9b113930508902827ce682647a7ab5e8655dae7b

SHA256
e4d6000a16b509e753d006f2c39ffa322b6323bae3f7f13d4370d3991111487c

SHA512
653e5a6fc54d31624e4d5635d53ac0cd7594b02c65302e6f1227cb58fa800cbf2e283f0d6956bceeda5bc3506803cd2a6672efa908b9d0fe468bf2a8faee9993

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc139.tmp

Filesize
660B

MD5
5ab38818de25706b38abf2f7ab6c100a

SHA1
6ab8057888faf1a58233cb53f67cd7e04ff01e8b

SHA256
eaf53867ff378d84f2d631255ab99bf0bb590b871fea70507a9353571209223b

SHA512
06190227ecc6ef82acd6de2599d178ed02f0653c9dc0d6778b9069c4026f0de0727ebb7b933858df38be1900d0c1eabfca754ccbdb54aef05191f36d470928ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1908-0-0x0000000074251000-0x0000000074252000-memory.dmp

Filesize
4KB

Download
memory/1908-1-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-2-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-24-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2376-8-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2376-18-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads