24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7

General

Target

24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe
Size

78KB
MD5

5527c7cae265aa10d46b095b8fdacefd
SHA1

752540b656b0d0dbd79042b0d0b10a538612e89a
SHA256

24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7
SHA512

03db42a5a421ae5e8bb3961e4e548be9612c312e777a9fe1e92fb6f4c6d19748bbb93a49da962a71ff7c93ccbda13c904d5ce93cc6c5de3579f58111a6db7723
SSDEEP

1536:5X4V58WAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6m9/N1n1:h4V58WAtWDDILJLovbicqOq3o+nO9/V

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe

Executes dropped EXE 1 IoCs

pid	Process
1492	tmp6E4A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp6E4A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6E4A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe
Token: SeDebugPrivilege	1492	tmp6E4A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4416	3520	24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe	85
PID 3520 wrote to memory of 4416	3520	24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe	85
PID 3520 wrote to memory of 4416	3520	24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe	85
PID 4416 wrote to memory of 3668	4416	vbc.exe	88
PID 4416 wrote to memory of 3668	4416	vbc.exe	88
PID 4416 wrote to memory of 3668	4416	vbc.exe	88
PID 3520 wrote to memory of 1492	3520	24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe	89
PID 3520 wrote to memory of 1492	3520	24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe	89
PID 3520 wrote to memory of 1492	3520	24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe	89

C:\Users\Admin\AppData\Local\Temp\24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe
"C:\Users\Admin\AppData\Local\Temp\24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t0w_-qrc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc307ABEAE21E74C798CDE893389A437C2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3668
- C:\Users\Admin\AppData\Local\Temp\tmp6E4A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6E4A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\24e9ece5a3b3447b96413b16bfcbb5e5a52bd02cd56ae02310bcbfbba66f77b7.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6FF0.tmp

Filesize
1KB

MD5
632e34bb4ffd5162212d40a1503b253c

SHA1
a16bdafe2065519fa7cd03b8704ce4432e9ec396

SHA256
0ffed7fff8cb6e85a66ab163af0a843ddb5f16af52ed3dc02617abc0bdc11e3d

SHA512
b279ac797348ca6507aa33bdceaf39e5e58124265cf2622ad83db55d04c53e3e1a73756c4bec6aac6953fbd892f27cd8b2484f010fd7ca15e0b57a0d601f0c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\t0w_-qrc.0.vb

Filesize
14KB

MD5
a41bbf92db6b78a692b65fb8f692aa7b

SHA1
65703b2c8bfbb9f3d3e04b1a88f37e68d0dd3fd8

SHA256
45b516b96a9d2d17b235ee573606c5baab678a4cc8af91e7ea0e414c3ee66a93

SHA512
940ee208176d7e55d87dfd71bbf337cb364285a7e9b9c32259d3763262751a301368f4972f7bbf30f66a13758c31632da81db19d6e23270b44f934c84250c0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\t0w_-qrc.cmdline

Filesize
266B

MD5
5b800133dd33828da8174d87d2f47e7d

SHA1
7dbd7dc1f76da44e3486f0ac2a950dbf61f88be1

SHA256
fc300feef59cc241278cb44066a3a3f6bc808d9b18945355a1952714c538d78d

SHA512
beefe4f4fb356257e00c9da7af9394baac307fa477a3f35c7a83e8ee1e155f43e007df7b8b48c20e03538005de9a4447a5e84ec9330a6f4a5429bb0a5f11cef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E4A.tmp.exe

Filesize
78KB

MD5
641fd6c8c3cda77d5aa5a67b972541f2

SHA1
8ad95a948dea7a09e088c06736f4047f0eb172ff

SHA256
434ba958bcd024ac712505077a12ef0192b716bb65563114327e68a0c99ee36e

SHA512
c791eb34314f42de5c68ac3d0495b5361af76c13cb0cf63c2e7499ff73052b0a9592ab2c7d8e0d95d997651148e5d7cf77a5b1b0236892bab9b42464e5835510

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc307ABEAE21E74C798CDE893389A437C2.TMP

Filesize
660B

MD5
ac509f0aab6a6387ae91d91cc1ab50f6

SHA1
9dfe93cbf4be9e927c8ef712aa7e7b75805253d8

SHA256
dc321c1e1bef43c2dc73e26988f8ba4b4802c5baf977b701ff64ea342770f694

SHA512
aac9b2b308a93b1620ae9795496e028e880df79cda8250b04f691095448ba0475bfaf6e89af31a2bf0b81330610176ce1971a055abb89254aaca068de27f01b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1492-23-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1492-24-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1492-25-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1492-26-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1492-27-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/1492-28-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/3520-0-0x00000000752C2000-0x00000000752C3000-memory.dmp

Filesize
4KB

Download
memory/3520-22-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/3520-1-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/3520-2-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/4416-18-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/4416-9-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads