2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c

General

Target

2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe
Size

78KB
MD5

0661bb64fc786b5d14492b16589eb104
SHA1

338639c60a2519fdb7b0c1c9f1a72bf245bdee40
SHA256

2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c
SHA512

028e7e75970c5e40c6b08908be2b186e5129a9a87740feb45aa1fab3d858737f0b2e8a1aa287e5dc2ae43824b2a77db8a0b44909ea912f72eb4e2e7dc40aba4e
SSDEEP

1536:dPy58fXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96T9/c1OR:dPy58/SyRxvhTzXPvCbW2UE9/X

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe

Deletes itself 1 IoCs

pid	Process
3780	tmpC11D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3780	tmpC11D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC11D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC11D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe
Token: SeDebugPrivilege	3780	tmpC11D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 1236	4768	2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe	87
PID 4768 wrote to memory of 1236	4768	2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe	87
PID 4768 wrote to memory of 1236	4768	2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe	87
PID 1236 wrote to memory of 4892	1236	vbc.exe	90
PID 1236 wrote to memory of 4892	1236	vbc.exe	90
PID 1236 wrote to memory of 4892	1236	vbc.exe	90
PID 4768 wrote to memory of 3780	4768	2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe	91
PID 4768 wrote to memory of 3780	4768	2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe	91
PID 4768 wrote to memory of 3780	4768	2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe	91

C:\Users\Admin\AppData\Local\Temp\2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe
"C:\Users\Admin\AppData\Local\Temp\2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gm8yb-_p.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC265.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA0A1BCE4A1B949E69611975A73D81CB3.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4892
- C:\Users\Admin\AppData\Local\Temp\tmpC11D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC11D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2fd15b6d48e09c75833248ffe6a443f74c9d97b439bced80981cb0e2eaf7471c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC265.tmp

Filesize
1KB

MD5
de637a0f7e605d9d589b590df6853357

SHA1
2695153790a26af44ea8bd8cf17d7726a86431c4

SHA256
b5d1db3771ebc4590f25d69b5b3cbda7cdf5b8692739c8a4c66cb4b2e9a1fd73

SHA512
9efcbe80da40790e7c95a960575b49828c20899a17e0eca9adb75f9441f505217a675f9008d9c88bff962d6bd032726aa039860ce95c940fd7798b29a7d9bc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gm8yb-_p.0.vb

Filesize
14KB

MD5
9625c9113dc0f6f8c559aa7e034efbd6

SHA1
d552f1a41b08a66ddf4d36d1726ca799d0130a7f

SHA256
7a559cbd19198d1154ba96406fdf99862a6594897eed8c92cbe9e266859b521e

SHA512
d4152cea0f004ac5eee711c04d24e8fe41c09053b6391b0fc5cc2f1484dc9830a0f445ecbe2d34ac157e13223e87e5dfd9d5aeb0943e9944f15a80fe64a07af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gm8yb-_p.cmdline

Filesize
266B

MD5
ee3991be591332fc24d540e8991f68ff

SHA1
336b927a69e13c686d756cedf7e1fd17e559fa66

SHA256
106cf1a1615e02c918a4894e4d700075b8f86a5bcbe3703c1cea2077989ac9c7

SHA512
0ed532d332f5fd072f1f3d8e16b23dd1afed58940f5c9fa796372f18f7f23b967835726e8a7256a6751e1aeb16bfadf356193ed8988c2769db855839723b8481

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC11D.tmp.exe

Filesize
78KB

MD5
c3b26d692e2486d3193c6d7bbb5c793e

SHA1
e79a897a8a680ed96dc6dea9e2e94d862b472e51

SHA256
abbdc8dca28ca4dfe72e4902a18e910bad52f49ab206764b4f2441dd6270badc

SHA512
54795a77ed2c67df9f6175b22aa7f18f9f0933c74b98f80bc77ec286b4650a93d8ee5f827517fdc83cf766f126d1ea4b1e68d0d3ab72c66cf3e115e5bd7a20ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA0A1BCE4A1B949E69611975A73D81CB3.TMP

Filesize
660B

MD5
42cd06801fc85869288192ad8071b62d

SHA1
7de7072ea766d8bebe1d28919f3538c34aeb5826

SHA256
46c9e209657e2f1470d122d8e9be26d33f7d04d9afd3f19ee97f6eeaa0d94928

SHA512
1a8fe444e44940a52ed071e53341c04d7e6ddca757a6a77887caf29c044beb729ccef0d86ebfbfb4d2b76ccee55df52b9a90b9569468edd0cf449a8f796188ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1236-9-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/1236-18-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3780-25-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3780-24-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3780-23-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3780-27-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3780-28-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/3780-29-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4768-0-0x0000000074972000-0x0000000074973000-memory.dmp

Filesize
4KB

Download
memory/4768-22-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4768-2-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download
memory/4768-1-0x0000000074970000-0x0000000074F21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads