e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1

General

Target

e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe
Size

78KB
MD5

80160fd6da186b73a898629e22c2d10c
SHA1

69f2939c2d21226d2c64f82bfd7d15ba3df43246
SHA256

e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1
SHA512

e9518cbf8efc9bb949ca1a5368444cfa8cb4ff22399cda15abd55b41d85a8bf084df366d42e7a06140cf0e5e9c65b9d5f6e201bd9c69b622f1303bd04d343800
SSDEEP

1536:BStHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQte39/f1gB:BStHshASyRxvhTzXPvCbW2Ue39/2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2764	tmp52F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	tmp52F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe
1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp52F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp52F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe
Token: SeDebugPrivilege	2764	tmp52F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2296	1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe	29
PID 1308 wrote to memory of 2296	1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe	29
PID 1308 wrote to memory of 2296	1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe	29
PID 1308 wrote to memory of 2296	1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe	29
PID 2296 wrote to memory of 2856	2296	vbc.exe	31
PID 2296 wrote to memory of 2856	2296	vbc.exe	31
PID 2296 wrote to memory of 2856	2296	vbc.exe	31
PID 2296 wrote to memory of 2856	2296	vbc.exe	31
PID 1308 wrote to memory of 2764	1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe	32
PID 1308 wrote to memory of 2764	1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe	32
PID 1308 wrote to memory of 2764	1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe	32
PID 1308 wrote to memory of 2764	1308	e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe	32

C:\Users\Admin\AppData\Local\Temp\e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe
"C:\Users\Admin\AppData\Local\Temp\e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\virn3nk_.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5DA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Users\Admin\AppData\Local\Temp\tmp52F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp52F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e3b0bb89cedcc9ccbf3c652bfa3f92d7e25cb48ca1edc3369cfed17f7080fcf1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5DB.tmp

Filesize
1KB

MD5
9ad541fb946cb7b1631ff1eb085dd60b

SHA1
a7ccc1f3f6ddca3699fe737a3815ee4485df3ceb

SHA256
3bd3e7d17860c1df00f82997e71dfe69a45f0b24712497bea6092babcfd40874

SHA512
1878c87088fed554866cf683713853edeb51004df0abea9d9a81d2b61a1ab6dff93847354aa6c04011fc4c90e491dced299fcad0b75ebc02a24edaaf0ed5661d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52F.tmp.exe

Filesize
78KB

MD5
247454cd39ec29725cc8f41f10b1d808

SHA1
b3d55d5f421213a26c3afa46626ff6addcfb2e8d

SHA256
a9993b81ca0027c182c0756271f4b54a6a7d8d56cc1e3169f77ae5887969f884

SHA512
3d8f97d73747f7b2ee9e4c8c7f4b90ab287a12e732bee6e95433c34921dd8dc663659fd2ed6df243f2f63f8e79767d4b03c759fd3d2da9ef156d5a5da64c385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5DA.tmp

Filesize
660B

MD5
d5ac12e2448ba5fe9bff7b9671e72563

SHA1
ab288df716d758704042e1294465ab43530fdd81

SHA256
0532dc4c5bb9116e2f08eff88dcc0646c87b91ce093e319e9796600c565b72dd

SHA512
2c56c54115fbf2d48668ac3b3fa9ed527445db2089851af0b1df7385165c636029b0b51e135a6dd5d48610e0bae1196e6c7a8d256025e214a7e490ed1047d2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\virn3nk_.0.vb

Filesize
15KB

MD5
c47e079bb6d9852e45e7f581e7676754

SHA1
43d7501104cef3161ea3e26c11b1c2bb579de651

SHA256
65cdf92447a4da8564a975c3bcdc4a2f7a68f3b01a3c949e560ace6ac5c5f42d

SHA512
baf6ad7b6a8c77a70f0e4cd096d16c80575730adb5cb6950164026f6cb448ce78064284addb03cdd90f009b40de20cf91ca8ed1b4d799f13c8fd877684b4cb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\virn3nk_.cmdline

Filesize
265B

MD5
c33c51e38955f6de2c18e1015526d2b6

SHA1
bd5aed482adc2706de87f282f15ac9cf29a46c5c

SHA256
bae593df30f281b935a9bcc9e5cdcbbe15d4f8093d7c6f3de1314e1d025aed88

SHA512
2709ff7a563bcaf15760240c39e5660782cf444e4bde088f2b2d4193d51d8b1e0711c57d7efd791f30b9d41ac401575f010b09b2a1ece46fd07722fece65ecfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1308-0-0x0000000074581000-0x0000000074582000-memory.dmp

Filesize
4KB

Download
memory/1308-1-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-2-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-24-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-9-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-18-0x0000000074580000-0x0000000074B2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads