4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03

General

Target

4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe
Size

78KB
MD5

9acaaf2f6dd77a1c9ea762b1226cf1bf
SHA1

e86ea759204033e7b44d6f77f25a197c2a0ed5b9
SHA256

4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03
SHA512

29d487d576118ef3d0b26733ce6ed65f062104f09b2c8c354475a213277c197cda1da6a0febcb277533a0c59aa4ddfd6137ad0a649d68bdedc4162a385e8c952
SSDEEP

1536:J5jJXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtN6f9/91VE:J5j5SyRxvY3md+dWWZy89/C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2244	tmp9F4B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe
2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9F4B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9F4B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe
Token: SeDebugPrivilege	2244	tmp9F4B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2536	2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe	30
PID 2412 wrote to memory of 2536	2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe	30
PID 2412 wrote to memory of 2536	2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe	30
PID 2412 wrote to memory of 2536	2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe	30
PID 2536 wrote to memory of 2688	2536	vbc.exe	32
PID 2536 wrote to memory of 2688	2536	vbc.exe	32
PID 2536 wrote to memory of 2688	2536	vbc.exe	32
PID 2536 wrote to memory of 2688	2536	vbc.exe	32
PID 2412 wrote to memory of 2244	2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe	33
PID 2412 wrote to memory of 2244	2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe	33
PID 2412 wrote to memory of 2244	2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe	33
PID 2412 wrote to memory of 2244	2412	4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe	33

C:\Users\Admin\AppData\Local\Temp\4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe
"C:\Users\Admin\AppData\Local\Temp\4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-fgf2ipe.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0A3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- C:\Users\Admin\AppData\Local\Temp\tmp9F4B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9F4B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f31e170a24517ed898e633b4b2857022d675df3c70e790730e2f392282f1c03.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-fgf2ipe.0.vb

Filesize
14KB

MD5
fd2b1dfd88e7f87584429b34c5343476

SHA1
4b8fe247dcfcf2e4a946b89029e9cd6187be6a33

SHA256
5647f4c7f6479479083f0138965537b2bdd8e591759f6fcb40e823d12dc75fb3

SHA512
66331b75b3e7ca4e0d27a300d5a5b320bd99c5fb0a842a35c69065b21ee921e16fdb9daa285f5819ece3e22085fb0f95001694a25ebaa24b12ee07843f28f6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\-fgf2ipe.cmdline

Filesize
266B

MD5
071fd73c22a2ef2ef590a4ce129e34f4

SHA1
8ce1c59c537a8527c132f33fbd5410f231ac9ca8

SHA256
15218cdf27463d890410d17f178c221227636ed373d132600640eed5c4614c10

SHA512
aa375c0ff711b4152ff2c3aef1c2757a30684c43a6df7f12414d9a0a67f6951a6fc273e9b93de536e69ddf0e5e41a9425f5dfab328d5200eadd9bc0bc069e3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA0A4.tmp

Filesize
1KB

MD5
abf8ef8fdd8864493711bd5a6bd39e5a

SHA1
867f2cd77c034b1cbc9befa9fad013b5ce9414f3

SHA256
c6e2508799504cc50d7b512208c262f90335c1632fa22bb7dacf49171f08ebfd

SHA512
a241ecc761b632684b9d873590fcc0750b75b381acfdabb3c138675b34ea2e97a8881fb863455955d3d8c910a4b18ce8502b61607903927b77b0a9d56fda2a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9F4B.tmp.exe

Filesize
78KB

MD5
7ba52dc27c55b8c20bafab3d8afff6ba

SHA1
d49f9759ace05d54782ca6bd6e6697fff1792a11

SHA256
e83e029f3de9ba58ce8a082b0916b5027aa5db0fdeac194ee348d41230b660c5

SHA512
376a4cdec55d5674b0c9c25385e97d9be7558ec5951ca770df362a74fa437271e5b9567784255398264feb9cab824634ee314a85f09ce02911c75fb554c8d3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA0A3.tmp

Filesize
660B

MD5
c1c55bd0a35cefe72ff037fa271584a8

SHA1
ce78343e2b74d6d916e60bc306655c3bc76f0e8f

SHA256
f77c9c8cae9098e6bab3cfcb610304b73d241ae34be4e4be52be800e729e4574

SHA512
83ccb63af1dda09db36d8f829817a45a67d084264d6f2fa8d1c1f5bb701e8926ce6597b3f8617f5890a848ff75176456e1e5e2d92b4d2a697e070106a23fb7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2412-0-0x0000000074971000-0x0000000074972000-memory.dmp

Filesize
4KB

Download
memory/2412-1-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-2-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2412-24-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-8-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2536-18-0x0000000074970000-0x0000000074F1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads