83d1cbc1a21867cbe377c1f2cb7cacbab6603bf729b47633f5253093bca56f3d

General

Target

86d557db8f452fab4a25c34073830c90N.exe
Size

78KB
MD5

86d557db8f452fab4a25c34073830c90
SHA1

b027cc815c1fdf844d25fadf2a71402569eb9388
SHA256

83d1cbc1a21867cbe377c1f2cb7cacbab6603bf729b47633f5253093bca56f3d
SHA512

9b6cb8bde62f2eb88dede40657ac9e66c2a816ff53a7f7233d991a7435792bad387d127142115d9550deef08355c04c546567e59cf5deea8c96f4411586a95c7
SSDEEP

1536:X5jSAXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6D9/GO1UT:X5jS4SyRxvhTzXPvCbW2UU9/u

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	86d557db8f452fab4a25c34073830c90N.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	tmp45ED.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp45ED.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp45ED.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86d557db8f452fab4a25c34073830c90N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	86d557db8f452fab4a25c34073830c90N.exe
Token: SeDebugPrivilege	2116	tmp45ED.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 4288	2920	86d557db8f452fab4a25c34073830c90N.exe	92
PID 2920 wrote to memory of 4288	2920	86d557db8f452fab4a25c34073830c90N.exe	92
PID 2920 wrote to memory of 4288	2920	86d557db8f452fab4a25c34073830c90N.exe	92
PID 4288 wrote to memory of 4532	4288	vbc.exe	95
PID 4288 wrote to memory of 4532	4288	vbc.exe	95
PID 4288 wrote to memory of 4532	4288	vbc.exe	95
PID 2920 wrote to memory of 2116	2920	86d557db8f452fab4a25c34073830c90N.exe	96
PID 2920 wrote to memory of 2116	2920	86d557db8f452fab4a25c34073830c90N.exe	96
PID 2920 wrote to memory of 2116	2920	86d557db8f452fab4a25c34073830c90N.exe	96

C:\Users\Admin\AppData\Local\Temp\86d557db8f452fab4a25c34073830c90N.exe
"C:\Users\Admin\AppData\Local\Temp\86d557db8f452fab4a25c34073830c90N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q-opmkl6.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4726.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87AAE852709D4ED498D14017976DAAE.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4532
- C:\Users\Admin\AppData\Local\Temp\tmp45ED.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp45ED.tmp.exe" C:\Users\Admin\AppData\Local\Temp\86d557db8f452fab4a25c34073830c90N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4726.tmp

Filesize
1KB

MD5
5384a5179f59d0e98e93cb351fe4fb15

SHA1
0a3e43e7c83a398e9a646be98936d39444f9f527

SHA256
144982b58893c60c6f87463f8d423874ed842b4a86099faf1b2523cf184bee1d

SHA512
f238ccad321c56c31274efabec899a162a4645abccccbe4cc550a843e56902a1eacaec3d5a2955736e64d3a8526b206f1e240eb5fd1c9b50c3b2fcff717d45de

Download Submit
C:\Users\Admin\AppData\Local\Temp\q-opmkl6.0.vb

Filesize
14KB

MD5
c5dbe08867534c4f13e9d7e6650ca3ac

SHA1
fe17e300c443a9ac857dad30109d9647e95baae2

SHA256
3af9211cc0b66e80a64b52cf2a31f483a63fa038f9cecea88b0c863854f7d770

SHA512
ab07df3395d3b4ad8bfba88e2f68eb183a1b204f435bd33e478fb256d01c1ad6348947461be392ecfa3ee80b21b639d4e4d9ce07bb6a615a27a404c49b04d1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\q-opmkl6.cmdline

Filesize
266B

MD5
203c322167e3a875ec5df7bdda96d6f1

SHA1
36033656fab790624aa7a1e6647ef8159b0ae08c

SHA256
c7b4f720357fdb1e1545d22f28b13e75442bf48ab0722f2ffb571ccd2434a64f

SHA512
230cf6e423975d11c5da15d8e3d434737ec23eefec40de15bc18dce0529e5855ba4963cb8b0a2b839acde3ef2a560b710a08135e5fff0b09be1f1b94e37eae37

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp45ED.tmp.exe

Filesize
78KB

MD5
70d6818451f673798ed44946b8e119eb

SHA1
89526000cc4d1e69fddc1baee8b470c0a96dcbee

SHA256
ce6f6dd9743078e7069624978ba87532121611d1aedf9a17e96019db436476f8

SHA512
f2ec24345e82865070377e52cfd94a0c178149ebffc90d52856e32b67c426ebd5034b04bd15216c65a02ac063861ab84e6191a510095f759346b919423a9543f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc87AAE852709D4ED498D14017976DAAE.TMP

Filesize
660B

MD5
2c25c0e3c54cbae985c40ca9da2124cd

SHA1
d029e7b46d4c2f5db8078d0a69586ab9c3ca3d03

SHA256
e2b5d4bb4740d5df8b21d9b87cff7f7209b32e86a4ee3499bd4a60e13c8557a3

SHA512
79660114f3622371c51cba316ec116740155d6e5b2a3039ba24629550829e3430d2694addb026a4e0cafefd93beb9b5ac94694402c4257cb953298a27245767f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2116-23-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2116-24-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2116-26-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2116-27-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2116-28-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2920-2-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2920-0-0x00000000747D2000-0x00000000747D3000-memory.dmp

Filesize
4KB

Download
memory/2920-1-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/2920-22-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4288-18-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4288-9-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads