880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281

General

Target

680e30ae058c79641e54499ed6505440N.exe
Size

78KB
MD5

680e30ae058c79641e54499ed6505440
SHA1

407fb54325ea3fb7cdab1210c8d59c8f5dcdfae0
SHA256

880681cff5494f89bde63d793823bd1a707bbe14a404cb436dd4230c46e8e281
SHA512

487d26528382f6ca19da9293ce02e13b46f6ba7b0e605aeae08b718bd4e5b9a3491cd3301d575bdd0ce51eb561236bf08d3a9f6e7e10a2871d995cebfa01cc42
SSDEEP

1536:xFHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt29/n1kb:bHFoI3ZAtWDDILJLovbicqOq3o+n29/w

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2768	tmpFDA0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2476	680e30ae058c79641e54499ed6505440N.exe
2476	680e30ae058c79641e54499ed6505440N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpFDA0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFDA0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	680e30ae058c79641e54499ed6505440N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	680e30ae058c79641e54499ed6505440N.exe
Token: SeDebugPrivilege	2768	tmpFDA0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2448	2476	680e30ae058c79641e54499ed6505440N.exe	31
PID 2476 wrote to memory of 2448	2476	680e30ae058c79641e54499ed6505440N.exe	31
PID 2476 wrote to memory of 2448	2476	680e30ae058c79641e54499ed6505440N.exe	31
PID 2476 wrote to memory of 2448	2476	680e30ae058c79641e54499ed6505440N.exe	31
PID 2448 wrote to memory of 3044	2448	vbc.exe	33
PID 2448 wrote to memory of 3044	2448	vbc.exe	33
PID 2448 wrote to memory of 3044	2448	vbc.exe	33
PID 2448 wrote to memory of 3044	2448	vbc.exe	33
PID 2476 wrote to memory of 2768	2476	680e30ae058c79641e54499ed6505440N.exe	34
PID 2476 wrote to memory of 2768	2476	680e30ae058c79641e54499ed6505440N.exe	34
PID 2476 wrote to memory of 2768	2476	680e30ae058c79641e54499ed6505440N.exe	34
PID 2476 wrote to memory of 2768	2476	680e30ae058c79641e54499ed6505440N.exe	34

C:\Users\Admin\AppData\Local\Temp\680e30ae058c79641e54499ed6505440N.exe
"C:\Users\Admin\AppData\Local\Temp\680e30ae058c79641e54499ed6505440N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5h9yhuwr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
- C:\Users\Admin\AppData\Local\Temp\tmpFDA0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFDA0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\680e30ae058c79641e54499ed6505440N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5h9yhuwr.0.vb

Filesize
15KB

MD5
94b3a4fd515e2f37ef8fa750f518be76

SHA1
38b5352981d202e0ac84e6d3bfeec20648590a81

SHA256
06278f86e5be7d4f0152e314c4235483fd58d764b0718963a3b12ee317584175

SHA512
0f7ff02e24b7c003bf6f7c18e140f60359f55ecd422d31e4c6fc8ff5f0dc3eb99141b308dec4b1ae666d35b7d9a6f0294a7905f03e0224b802048449e9554b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\5h9yhuwr.cmdline

Filesize
266B

MD5
2adfec966a6809ceb2d4a39573a3a624

SHA1
cac6aeedde3c41ff4761b14f7204a401567f5b49

SHA256
8a5ebd3319eb746518347911eab2a727d18429de3b86286edc9fa4984cd4ea3e

SHA512
db437d9112f4e0ad59995e6f49ecd770a159bf07dec1024012214ef25876f9a3219e85f8ea0d3d2954d7ec14992c0fb190ddebe856346b83d2a4e7788699639e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E.tmp

Filesize
1KB

MD5
372607c00db43c8586a3b2b817bdf9b1

SHA1
f48cac556e052ee25e25e35a51d812925f791aec

SHA256
b113dc91f65af613f6153ceb3c1eb446ec7eeabfc8c738d041d1dbdc28509ed7

SHA512
eb09e574329f498ab392d6a2d204218d90ea76dc94ed31a4d51d658837d3952962e52e3808d59640afea78a3255c78c0f05aeeafc025b9250bdc6e6e37e0db3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFDA0.tmp.exe

Filesize
78KB

MD5
c3675653a4745cd331859242e598f62c

SHA1
e48925e58b198ce22da8300074adb7cd691ad214

SHA256
24f53a82eed41f88392043e3d6564164159e705ea5671609a9a1aeb4ae54fa39

SHA512
cee3d143554f8fce2ced16fc9d2bf3b14318eb1759677a5260936b7c9c9bc028e0b24963b26846604f4ec32cec6070e41220c2a31db572b85c76e66b422dfa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8D.tmp

Filesize
660B

MD5
463b59508284399085c809787d4ace16

SHA1
35dd6ee6279e62062ab54ba2907ee369725a7b94

SHA256
5aab0698dc18b1158d37aa31cc220621087d42fc2f926954186c3a9693048972

SHA512
bd415e5b8c7f0fe178bb0a8c295306aba78a6d9d0fa50807b619ab0498f64b31c9c921db6177575118012b6c9f7b0c435bdbc5b01b89f70b22f35bf887d3d11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2448-8-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2448-18-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-0-0x0000000074251000-0x0000000074252000-memory.dmp

Filesize
4KB

Download
memory/2476-1-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-2-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download
memory/2476-24-0x0000000074250000-0x00000000747FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads