796f96cf5a48f8cb210ca695c2d0c23d3aaa4174f982c65764b93179707012df

General

Target

39c687ffdd0194688191eaeaa6f75bf0N.exe
Size

78KB
MD5

39c687ffdd0194688191eaeaa6f75bf0
SHA1

55dc969fc9bfcfcd0b218bba6fd2ec3116084d9d
SHA256

796f96cf5a48f8cb210ca695c2d0c23d3aaa4174f982c65764b93179707012df
SHA512

0f89d35d2e39f9f967c790f3793404bc43ede4af4b4c56c56cd9824f140785d56f48569c23ff03b9d092a5724be70953144470e0940ff833d3f53db53e8aed42
SSDEEP

1536:/WtHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtE9//1qS:/WtHF8hASyRxvhTzXPvCbW2UE9/P

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	tmp209B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	tmp209B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	39c687ffdd0194688191eaeaa6f75bf0N.exe
2160	39c687ffdd0194688191eaeaa6f75bf0N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp209B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39c687ffdd0194688191eaeaa6f75bf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp209B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	39c687ffdd0194688191eaeaa6f75bf0N.exe
Token: SeDebugPrivilege	2816	tmp209B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2860	2160	39c687ffdd0194688191eaeaa6f75bf0N.exe	30
PID 2160 wrote to memory of 2860	2160	39c687ffdd0194688191eaeaa6f75bf0N.exe	30
PID 2160 wrote to memory of 2860	2160	39c687ffdd0194688191eaeaa6f75bf0N.exe	30
PID 2160 wrote to memory of 2860	2160	39c687ffdd0194688191eaeaa6f75bf0N.exe	30
PID 2860 wrote to memory of 2408	2860	vbc.exe	32
PID 2860 wrote to memory of 2408	2860	vbc.exe	32
PID 2860 wrote to memory of 2408	2860	vbc.exe	32
PID 2860 wrote to memory of 2408	2860	vbc.exe	32
PID 2160 wrote to memory of 2816	2160	39c687ffdd0194688191eaeaa6f75bf0N.exe	33
PID 2160 wrote to memory of 2816	2160	39c687ffdd0194688191eaeaa6f75bf0N.exe	33
PID 2160 wrote to memory of 2816	2160	39c687ffdd0194688191eaeaa6f75bf0N.exe	33
PID 2160 wrote to memory of 2816	2160	39c687ffdd0194688191eaeaa6f75bf0N.exe	33

C:\Users\Admin\AppData\Local\Temp\39c687ffdd0194688191eaeaa6f75bf0N.exe
"C:\Users\Admin\AppData\Local\Temp\39c687ffdd0194688191eaeaa6f75bf0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vbvp6-pv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21E3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc21E2.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- C:\Users\Admin\AppData\Local\Temp\tmp209B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp209B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\39c687ffdd0194688191eaeaa6f75bf0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES21E3.tmp

Filesize
1KB

MD5
b42a3c37973bbba75c0de25b228cd814

SHA1
04d3a4817898ea9bbaa933d2135922031030751f

SHA256
a9e8b8750187a35d9d8bcaf9f307f35c5eca22cdbf0a76df0000aff050b3d182

SHA512
a3172aba96ff7c359b5bd2655f64ba6753b248acadd753488e8cd6f09e3c641a75803ed941476ba9f9f9dddb989c3fc58b565a47040e849bd3d131857e63bb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp209B.tmp.exe

Filesize
78KB

MD5
804c3a8069c63343af589ebd68d9fea8

SHA1
95c38a2b4cc47c4292bfba46b2b70ef80a6740b5

SHA256
870511d24643cd1da62aac13a2f62eac6454e6274b05d3893ffa023fe7a3fbc7

SHA512
41d035a45d99c6d2a2b0fcd257b176adc45f42d22459d711a08142adc07345f365b054b4249202e5875dfe25e4246c9e5233d3da38a9d4a4d69cac4dc675c959

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc21E2.tmp

Filesize
660B

MD5
b4b0079cb4f9e2174910f00b318b698a

SHA1
203d2cdff4c6f2a4938c4f234d70049391e6557a

SHA256
e133cf97f7d19ab320d82564899d89fcff1fc7146e4a3df8457997b5a3938a8d

SHA512
fc35ddbf99d62371c054784fe09858c66f2cc73458d97033a9e1f8c62433d9c45f578f0d49471f6b089b7735595c3ff8e7d527bdac3e4de904a604ff0583b2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbvp6-pv.0.vb

Filesize
15KB

MD5
e214a872aebdf3a283e7186755f13819

SHA1
cf6f6aadc0a1d4dd1ab3c4c8708ca7365fb6338d

SHA256
f0564b922a8dc415b57de6f9d9b501bebc640b6c3e38976f5a33c1926d050361

SHA512
4315325637323be73b110d9686a50039266f5aa0c378389f0d146475c21e7ff7e2df36cf168d6516aad605ca12b454e47c41219188c8017e245696d931ba89d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbvp6-pv.cmdline

Filesize
266B

MD5
2a5b53d9b8f44a1a76aaa21b418bb787

SHA1
fa858806660f661a45daa641d3c6b0e2cd6755da

SHA256
ea2d3cbbd969b7dab5ad0704feddb9bb7a5d02fd4cba5092ff06d319db83000c

SHA512
aa506182469794795b8694c0fea2a1d9c42a97dcca7827fb35bec6df7cbe1c192778d7d39fce9df24b00ffcd63ad00ef6b1762d160dbd6aad5ba70c82f7e0ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2160-0-0x0000000074DA1000-0x0000000074DA2000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-2-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2160-24-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-8-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-18-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads