7011e195c7a03a1cfcc14ba4d9ae4a565bfcd88193986f0bd1e6372730700ac6

General

Target

94cab3a6598155dea44657d97e15eed0N.exe
Size

78KB
MD5

94cab3a6598155dea44657d97e15eed0
SHA1

96f2bdf792c6e636e731e90a41de952550864f77
SHA256

7011e195c7a03a1cfcc14ba4d9ae4a565bfcd88193986f0bd1e6372730700ac6
SHA512

d0b6f1b647664ece11cdb95141397c693a71f0133342a8ee1859f92ab4bf4c85acada59c0f30c7448da72f002fb1c297b883b5adc79b4879ba9944c07f3ca9f1
SSDEEP

1536:nPWV5j7XT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC6O9/wyj1TL:nPWV5j7SyRxvY3md+dWWZym9/HB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	tmpDB7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	tmpDB7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	94cab3a6598155dea44657d97e15eed0N.exe
2356	94cab3a6598155dea44657d97e15eed0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpDB7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94cab3a6598155dea44657d97e15eed0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDB7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	94cab3a6598155dea44657d97e15eed0N.exe
Token: SeDebugPrivilege	2588	tmpDB7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2752	2356	94cab3a6598155dea44657d97e15eed0N.exe	30
PID 2356 wrote to memory of 2752	2356	94cab3a6598155dea44657d97e15eed0N.exe	30
PID 2356 wrote to memory of 2752	2356	94cab3a6598155dea44657d97e15eed0N.exe	30
PID 2356 wrote to memory of 2752	2356	94cab3a6598155dea44657d97e15eed0N.exe	30
PID 2752 wrote to memory of 2684	2752	vbc.exe	32
PID 2752 wrote to memory of 2684	2752	vbc.exe	32
PID 2752 wrote to memory of 2684	2752	vbc.exe	32
PID 2752 wrote to memory of 2684	2752	vbc.exe	32
PID 2356 wrote to memory of 2588	2356	94cab3a6598155dea44657d97e15eed0N.exe	33
PID 2356 wrote to memory of 2588	2356	94cab3a6598155dea44657d97e15eed0N.exe	33
PID 2356 wrote to memory of 2588	2356	94cab3a6598155dea44657d97e15eed0N.exe	33
PID 2356 wrote to memory of 2588	2356	94cab3a6598155dea44657d97e15eed0N.exe	33

C:\Users\Admin\AppData\Local\Temp\94cab3a6598155dea44657d97e15eed0N.exe
"C:\Users\Admin\AppData\Local\Temp\94cab3a6598155dea44657d97e15eed0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vfkc5_ir.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE83.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE82.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmpDB7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDB7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\94cab3a6598155dea44657d97e15eed0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE83.tmp

Filesize
1KB

MD5
0bc595f9302145bd4d0a0dd332b6c230

SHA1
cf75724335dce682ca9363a601d74d55c1a3d0d5

SHA256
d9d18ea3b999831b6e9374c969900b4bc4f1f0cb4670cfae1a103adb6595dfc4

SHA512
d26605a1d8d6f998129021d762483ee9f96a2f5b9af39674877771328850930161037c51b42e6a2b6616677f6e680770f851d7acf52181becc2b119045653888

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB7.tmp.exe

Filesize
78KB

MD5
c33ad3515e9a4fa8d11c0d7b7e8da6ee

SHA1
e1840ed754c7b3927f0fc81884102a0e4f00af18

SHA256
8870c5d849cb2316bd1095d3d66ae7f911bc2e3ea76a83aa710a30fb0a64e651

SHA512
23899f3b235c3066cb6a1eb388cc08e61cfc1303bab1e2dab733d77d7641610f9f4b82daaf4467950a767f81a633fe80d9ceba30f13538046cda0bc649a2d71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE82.tmp

Filesize
660B

MD5
dd768efc3f079bbd93153c2147ccc6d9

SHA1
b991db3cbaf877b5c74cb1ab996f83b0a67e85e9

SHA256
01394a67e551d89a30bf46576a54fadaf904b7ad38cc55276aba0b44aa4cd3e4

SHA512
a182502f80e415d41d4af96f8b9591d5507b56b8cb18cb8973a7b90fc37f6777ac0c10d7d2c2b7bfc21f5848dca73172367f69234a7f56f23553a83e62a2fac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfkc5_ir.0.vb

Filesize
14KB

MD5
2b97738f33b4593ae7180a2b50a35ad3

SHA1
ffa3e28bfed6d99f9a0af9bd9748d1471b9a71a6

SHA256
36b2e07897a3a6bbd871de644972960d2f15fc91375399ff52f6a1cc0d56d1bd

SHA512
88919718e930e42af3b128c5c4a77da100fb0fe9f633b743da6c68c504f4f3f0da209b7ba7ea329eae03f4ef2fc89c75cc0a1534335481e1145998c4891a2f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfkc5_ir.cmdline

Filesize
265B

MD5
e9466623a3e641f2426d0503d536d1c3

SHA1
43eea05bc87d161d7e5dec36c1f803c74eedaf26

SHA256
f1730f1addb1e8bdfda8638589f83aeaac2410fd183adbc2da4af4ff0f7a821e

SHA512
74ac8aebbb8282e588b99cdde65a56808f6e7bc05d3f70e8ed0ea81f690b2dd0715253b7e079979fcb38973b9ba55f10edbf13a45beef12e18fbe598e5717fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2356-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-2-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2356-24-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-8-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-18-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads