fbf293b952798dbf3c13ed9571533d70bc35f83af68d4e2647b7de183259228d

General

Target

70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
Size

78KB
MD5

dac24be555c602c80489941360a2810f
SHA1

e4e283e68ace2e3282a1eb87f9692a0c4020a3b9
SHA256

70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093
SHA512

3447c46f54c26c05cd8e3bd0b89a5ed1534430c2bf2466a8355e043abe01747c2bd21ff3eb0a449df29354ba87905848cd89e8e16fcc995a328a68a038282504
SSDEEP

1536:BcuHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtLo9/E5:SuHFoI3ZAtWDDILJLovbicqOq3o+nLoO

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe

Executes dropped EXE 1 IoCs

pid	Process
1500	tmp8983.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp8983.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8983.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
Token: SeDebugPrivilege	1500	tmp8983.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 3796	1088	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	83
PID 1088 wrote to memory of 3796	1088	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	83
PID 1088 wrote to memory of 3796	1088	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	83
PID 3796 wrote to memory of 4644	3796	vbc.exe	87
PID 3796 wrote to memory of 4644	3796	vbc.exe	87
PID 3796 wrote to memory of 4644	3796	vbc.exe	87
PID 1088 wrote to memory of 1500	1088	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	89
PID 1088 wrote to memory of 1500	1088	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	89
PID 1088 wrote to memory of 1500	1088	70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe	89

C:\Users\Admin\AppData\Local\Temp\70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
"C:\Users\Admin\AppData\Local\Temp\70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c-e0arge.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF7AB65A24D8418D84621DB8D9DC869.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4644
- C:\Users\Admin\AppData\Local\Temp\tmp8983.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8983.tmp.exe" C:\Users\Admin\AppData\Local\Temp\70538328a6227ae9f7e2015bf4268961bf8a1b8ad5e70ff9183289d381271093.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8BF4.tmp

Filesize
1KB

MD5
406e7d8c336ee898c0cdb1e1625c4cfd

SHA1
a5bf7e006e00a11517c42bf42a4b90a18a6d6db6

SHA256
b69c19e7bc13668492539764fb9535cc6f416b14f60095eb581e64bccb85279c

SHA512
2dfe978559bed89b9f9c776e362625a815a7190dc80b93c7730c7bb38cc0af2aff698ffd552ea1ead856a46a9c107448e763a7f3d8432c4ddd45736196466886

Download Submit
C:\Users\Admin\AppData\Local\Temp\c-e0arge.0.vb

Filesize
15KB

MD5
fb887f9ecf6af33608a09eee2cb166cf

SHA1
864acb4e2d2ffaee1741f6e8ee45393cfdd67f78

SHA256
f547954020df63e6cf3e4cf8718500cb436464e9c9f6d612b84ec89cac77ea64

SHA512
edfbe2fdf258d54ad7c462932de1df7c58087600a70388cf0760ea8d6016eddfd299e179b5ad1d49816751a37e4b45d65336bc7af2cc0790f1fad456bb64af3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c-e0arge.cmdline

Filesize
266B

MD5
5bc2f7d272ee366e22e2fde45a14820f

SHA1
f18a22136235d7dfc5e6b4a6d99aa92cb5a89053

SHA256
e9247fbbbb2a24d8176c84456c3110d252084f14775243e89b2b353ae3f169ba

SHA512
5631bb42cfed704cdce8dddc89a02e51e766336bc5e71b5a62f7e771dbcc6532b53cd7e42fd534ebbb6b2738da7f8030d4594361cc574f39010825ffb930436e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8983.tmp.exe

Filesize
78KB

MD5
c404a29e31e0693b1ca2ea448dc5dd18

SHA1
73f89cbe487c75599a622f0151d29b0ff5042738

SHA256
c917515968d840a08cc0ffc056309c671917d2cbcef8563758449cbfef1f217f

SHA512
01a31ab036889a4b99f768e8746b6d995c210c330e51830f887915c69202c58bcb23460cbba080749d0b47d6a9b9007bc23243470857721256f379956826390f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAF7AB65A24D8418D84621DB8D9DC869.TMP

Filesize
660B

MD5
d5b96194afcb22a465211fa1b9720350

SHA1
b3372f5ac1c5bd6d8779e3785c9a375e8577f38a

SHA256
f3ccf21f8c3ef1023dd0fc94dc88ae3ce5fda6f16a521f70dc5547bfa3166666

SHA512
90f77d8557f67bd44bc5c5414207626d43f27b1c0b057b9aee003922e94496e88e35e19d0c2f591e2b14dacee7b92425e4acd501f6f234a77028edadf2672598

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1088-1-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1088-2-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1088-0-0x0000000074892000-0x0000000074893000-memory.dmp

Filesize
4KB

Download
memory/1088-22-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1500-24-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1500-23-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1500-25-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1500-26-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1500-27-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/1500-28-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3796-9-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3796-18-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads