187f53ddf8eb0b429b11b86d74dafebba7ca914a0929e8767cd024f970ae5c1a

General

Target

287304edc5b4586b3648f45d49e8f540N.exe
Size

78KB
MD5

287304edc5b4586b3648f45d49e8f540
SHA1

211b8645c723508466644e808e39092ecb1e7dd4
SHA256

187f53ddf8eb0b429b11b86d74dafebba7ca914a0929e8767cd024f970ae5c1a
SHA512

d8bd0de04a34a72ce027606172d31ab29d07197a4b8ecbfa2b9a6ecb83574eb67093a929dc483b8c493c067dafc20679cbe3dd175e1a3fad55ff986a03f28180
SSDEEP

1536:QHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteN9/G61Vd:QHFonhASyRxvhTzXPvCbW2UeN9/GY

Score

7^/10

discovery

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	287304edc5b4586b3648f45d49e8f540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	287304edc5b4586b3648f45d49e8f540N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3012	2380	287304edc5b4586b3648f45d49e8f540N.exe	31
PID 2380 wrote to memory of 3012	2380	287304edc5b4586b3648f45d49e8f540N.exe	31
PID 2380 wrote to memory of 3012	2380	287304edc5b4586b3648f45d49e8f540N.exe	31
PID 2380 wrote to memory of 3012	2380	287304edc5b4586b3648f45d49e8f540N.exe	31
PID 3012 wrote to memory of 2952	3012	vbc.exe	33
PID 3012 wrote to memory of 2952	3012	vbc.exe	33
PID 3012 wrote to memory of 2952	3012	vbc.exe	33
PID 3012 wrote to memory of 2952	3012	vbc.exe	33
PID 2380 wrote to memory of 1740	2380	287304edc5b4586b3648f45d49e8f540N.exe	34
PID 2380 wrote to memory of 1740	2380	287304edc5b4586b3648f45d49e8f540N.exe	34
PID 2380 wrote to memory of 1740	2380	287304edc5b4586b3648f45d49e8f540N.exe	34
PID 2380 wrote to memory of 1740	2380	287304edc5b4586b3648f45d49e8f540N.exe	34

C:\Users\Admin\AppData\Local\Temp\287304edc5b4586b3648f45d49e8f540N.exe
"C:\Users\Admin\AppData\Local\Temp\287304edc5b4586b3648f45d49e8f540N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-x1t4gqv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA68.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA67.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 516
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-x1t4gqv.0.vb

Filesize
15KB

MD5
40abdb0215699128e9dded3f4fa75994

SHA1
39f75924033539371e4038d0e343d510732c1936

SHA256
30b1c2c7f09d6bb8682b86e5271758dc571a307f15c3467bb6d94712a1f9e287

SHA512
b03900e0565195f5116de9e97906e90ef286c568c90f96aa8d46631144f9f21a1c1f1f1298c8d872315315f0d9bfee94daa9dfe238b05b8d9a043270788f7635

Download Submit
C:\Users\Admin\AppData\Local\Temp\-x1t4gqv.cmdline

Filesize
266B

MD5
390b52faf6aae3185b0592a0c918ac65

SHA1
d6ff6fc6dd07cf7245f5aca1b564aa824ad396bb

SHA256
d38eb1d354956aa83800223903959a5f2bc137f7abdbc04ea1303dd82f7cda84

SHA512
abeab924ee0b4ca5439f8dcc650b092b0228a077fe5244aca230094ea18ae8ca1a78de1f14a747fcb97014dad58e3b21a217989a93635dbdb76fa139e2e89527

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDA68.tmp

Filesize
1KB

MD5
532c2c6cade4fb13d594b3028450f4e7

SHA1
3ec6a607f855d9e50ce88e3e0382dc6581b4a0d3

SHA256
cd04b8f0695e756c6fe3013ae27c2821b160a52ab5fd23746a853c0a972b6398

SHA512
fe133e66a1b64aaf66aa7114b70bf075e5e96c536a47ff6d76134947a14d842885644d60576e788c7a221cc092f525c155dc4a030b8997ce016470aebe94e876

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDA67.tmp

Filesize
660B

MD5
c852afbed6d56f63075420c5dafbcd28

SHA1
45e0d1f111d23f6ce00957e9604b7d7d34c7bdf1

SHA256
90e652b39ae7f2dd7c7e091b176bd5b7f2306efddb28905206446c250c050151

SHA512
f02d32111dfbd36a3131ba6880074bcce2b94e9061855def2be7709e8983124b5f3cb75af96c7c3e0128b94ea87d56f919b2cbe89c428bd6c8bb15180642d43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1740-20-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/1740-22-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2380-0-0x0000000074C11000-0x0000000074C12000-memory.dmp

Filesize
4KB

Download
memory/2380-2-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-1-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-21-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/3012-8-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/3012-18-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing