26314b36b728a42ec2e81fb14b1ab22f9727abfb27d853ccaed02c3ce1604cf8

General

Target

1f607cfbc795868c356bdeee6b229a10N.exe
Size

78KB
MD5

1f607cfbc795868c356bdeee6b229a10
SHA1

ecf1928c6304d4859baa908bed73fc988a9f2205
SHA256

26314b36b728a42ec2e81fb14b1ab22f9727abfb27d853ccaed02c3ce1604cf8
SHA512

b54e18d4a26dd7b3b25df312c3d8369ef8253a9ba3be7a59c65fa7a94e2d1df97aa83dd13f915d880cc10c42996e0dc2aeb7999bca0b824db85f0cc914975763
SSDEEP

1536:DmWtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLC9/21D:SWtH/3ZAtWDDILJLovbicqOq3o+nLC9I

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2840	tmp2626.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	1f607cfbc795868c356bdeee6b229a10N.exe
2208	1f607cfbc795868c356bdeee6b229a10N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp2626.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f607cfbc795868c356bdeee6b229a10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2626.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	1f607cfbc795868c356bdeee6b229a10N.exe
Token: SeDebugPrivilege	2840	tmp2626.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2852	2208	1f607cfbc795868c356bdeee6b229a10N.exe	30
PID 2208 wrote to memory of 2852	2208	1f607cfbc795868c356bdeee6b229a10N.exe	30
PID 2208 wrote to memory of 2852	2208	1f607cfbc795868c356bdeee6b229a10N.exe	30
PID 2208 wrote to memory of 2852	2208	1f607cfbc795868c356bdeee6b229a10N.exe	30
PID 2852 wrote to memory of 2704	2852	vbc.exe	32
PID 2852 wrote to memory of 2704	2852	vbc.exe	32
PID 2852 wrote to memory of 2704	2852	vbc.exe	32
PID 2852 wrote to memory of 2704	2852	vbc.exe	32
PID 2208 wrote to memory of 2840	2208	1f607cfbc795868c356bdeee6b229a10N.exe	33
PID 2208 wrote to memory of 2840	2208	1f607cfbc795868c356bdeee6b229a10N.exe	33
PID 2208 wrote to memory of 2840	2208	1f607cfbc795868c356bdeee6b229a10N.exe	33
PID 2208 wrote to memory of 2840	2208	1f607cfbc795868c356bdeee6b229a10N.exe	33

C:\Users\Admin\AppData\Local\Temp\1f607cfbc795868c356bdeee6b229a10N.exe
"C:\Users\Admin\AppData\Local\Temp\1f607cfbc795868c356bdeee6b229a10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-o5hcy-d.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2711.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2710.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Users\Admin\AppData\Local\Temp\tmp2626.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2626.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1f607cfbc795868c356bdeee6b229a10N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-o5hcy-d.0.vb

Filesize
15KB

MD5
8cdbbf155aed48a79ea6cdd57d574c7e

SHA1
fbc49bbc5bf03106d3d9cb4b746739838ca5adbe

SHA256
39153fea8caece8d1fa2517abeb4a636b81098ba69557635be501ca94bb4d563

SHA512
9c691403ec11e3288ed878d2f561b80409a8cfd9928524f83c85784fda9e04deabea2f3cf0c78a29feea56aefecdbb09e2b3ee970eb02705d9d3b010be6a803d

Download Submit
C:\Users\Admin\AppData\Local\Temp\-o5hcy-d.cmdline

Filesize
266B

MD5
7ba645bd52f1e14fc7b959357447d006

SHA1
4373310d9a8a61f9d83ae59d915afdb784f4b3da

SHA256
9a2191f9b59e8702ab7e6324dd8b1ef0d782696b252f7da17687f4c9ac6da90a

SHA512
a0338c665f24c0b7c704cae3b93b87e3767397ef65dff1f8ee9a8b6e4ef003ddb30da3c0d6d011915cbd3b4d1a37e5f1788357dce3bfe0a47ff18d25aa0fa523

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2711.tmp

Filesize
1KB

MD5
22bf4b46ac37132790f4976098889a7f

SHA1
1408f1b43dabba8d67aa66a8880d95b653364a29

SHA256
5abb43a07a223ba35effc8d907fa4d8dfb62aca8d9d01613293d7674ab096608

SHA512
18230fd6e9b6e00f410d41f60b5e58acc6cff14ae40ca202157b8f88111adeeb449c847f595e171de05f28080e7b117e4b947e6a651b887d5b881e5114c7a413

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2626.tmp.exe

Filesize
78KB

MD5
6bb330ddbcd15687e1618b80dea9e730

SHA1
34ff93d8e2c58048f3fd8343d4a6e57cdb39d982

SHA256
aea62a36765de2269032c7dea14c34efdc0e65fdcb6af7adb3a978e2fadf4596

SHA512
2e1a2c2e1aab458d3fe43a9e74c727426e1e87082514441162183ff87b2b9534145c62480f4d4d0331bb2d8692d66ebee122ebc2aa8c2f01ded960b84d932e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2710.tmp

Filesize
660B

MD5
5e505aa0af3d97f6deb43addaa91409a

SHA1
00c697c458baf4ed3be5c8d12e14320ac014b640

SHA256
428b1f68e321f7fd0d8647213a82595071f3344a0ff50ed025a0d5e5d11c8c2f

SHA512
627daa479674458375a3ea7e3021f478e6ee2588db1e01debb8cfb135dea0e18f5968cf9f41673e7d2be5dd684cca808e1590b235bebd9ccf4cf83290a875a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2208-0-0x0000000074501000-0x0000000074502000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2208-2-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2208-24-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2852-8-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2852-18-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads