4fd10fb5a263b5173a4564997ea2bfc8809d55dc48428285df5c6185d75c9233

General

Target

b47a657e255ad46a538867218bf63820N.exe
Size

78KB
MD5

b47a657e255ad46a538867218bf63820
SHA1

8a045dacc1ff2dab0e45859f7845e4e1f6b9fcbb
SHA256

4fd10fb5a263b5173a4564997ea2bfc8809d55dc48428285df5c6185d75c9233
SHA512

3a53a7efb5fedafa31c4ce55ddcb8582e7826780cc757b1707e60b447ffa5dec5004ebb259c20cf881cf61a3f34d04414b12b051eb660f1a86701ed2533883bb
SSDEEP

1536:ePWtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN9/iA1LYj:ePWtHYnhASyRxvhTzXPvCbW2UN9/in

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	tmp2684.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	b47a657e255ad46a538867218bf63820N.exe
2328	b47a657e255ad46a538867218bf63820N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp2684.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b47a657e255ad46a538867218bf63820N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2684.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	b47a657e255ad46a538867218bf63820N.exe
Token: SeDebugPrivilege	2700	tmp2684.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2740	2328	b47a657e255ad46a538867218bf63820N.exe	30
PID 2328 wrote to memory of 2740	2328	b47a657e255ad46a538867218bf63820N.exe	30
PID 2328 wrote to memory of 2740	2328	b47a657e255ad46a538867218bf63820N.exe	30
PID 2328 wrote to memory of 2740	2328	b47a657e255ad46a538867218bf63820N.exe	30
PID 2740 wrote to memory of 2668	2740	vbc.exe	32
PID 2740 wrote to memory of 2668	2740	vbc.exe	32
PID 2740 wrote to memory of 2668	2740	vbc.exe	32
PID 2740 wrote to memory of 2668	2740	vbc.exe	32
PID 2328 wrote to memory of 2700	2328	b47a657e255ad46a538867218bf63820N.exe	33
PID 2328 wrote to memory of 2700	2328	b47a657e255ad46a538867218bf63820N.exe	33
PID 2328 wrote to memory of 2700	2328	b47a657e255ad46a538867218bf63820N.exe	33
PID 2328 wrote to memory of 2700	2328	b47a657e255ad46a538867218bf63820N.exe	33

C:\Users\Admin\AppData\Local\Temp\b47a657e255ad46a538867218bf63820N.exe
"C:\Users\Admin\AppData\Local\Temp\b47a657e255ad46a538867218bf63820N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tem-nt1m.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2721.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2720.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b47a657e255ad46a538867218bf63820N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2721.tmp

Filesize
1KB

MD5
cd9bc212b07d31fe7dac4fd16e7993bb

SHA1
2f0b611820119114b59325abc2fce872c2ae39d5

SHA256
233ca9c3c0ea267d1a9d15036d90d17b3b52f450003f22f0c52f158580b2c34a

SHA512
8f7f5f199c9349341052f28106ce37a9b61832b3fadf52826c5cc4141c97628d9df4fc8e31094e7f46a5f9d307eb70bc67b6af937a796a2d5d77c99ef3bf415e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem-nt1m.0.vb

Filesize
15KB

MD5
4a2cee4d87001de7fabe416c00f91365

SHA1
da592e7429ca21b55db978ebc65e847ddfb80959

SHA256
62f659746256dca9bc5e1749abd7bb760ee89aab2f389db47e4fc67e4afbc771

SHA512
b2abb785a3a0b877429c129277c1679e578ea18d1b6a8e9a77457d40314976fa7e4a30b487c78848e568be7c8e0e988ecbcadf9480b87ad595f642c5f93f9631

Download Submit
C:\Users\Admin\AppData\Local\Temp\tem-nt1m.cmdline

Filesize
266B

MD5
d54b7d027ffd65cec25442a01f753af8

SHA1
861ea97d5c6afbb237a55880914a46804bb0229f

SHA256
bd28a31dffdd200f320983c132cb55c99e1f0d723e35f9ccd129fd581206c03c

SHA512
906faab14ead32358777b0afb84fed806a63a647c6f889ccae1d2dce3e4a91b13980ed812cc3ceda62a6a78aa4a2383f822bb18ec5093227512eeb767fe16616

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2684.tmp.exe

Filesize
78KB

MD5
83fb41c9f1ecac987f5f1342557a2ae5

SHA1
37cf0e2e6ac9a827977e59e3c5a54a46ac8197d2

SHA256
a0219b820e9c008b98701e1703c60ad4f935269aa65bb1020a11eda542592d72

SHA512
db65fd3e0ba91d6325d8409b00056985254787482a7ebc0f908a9efc440b5eaaae4dbb0656bd28acd5d45895d99dae3c9e37229dd16a1376bc60f04f97ca0640

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2720.tmp

Filesize
660B

MD5
5515fab6c292cae84a580d0d9c05e2df

SHA1
88b6865514e2668f02503a0fa05164aeaee88179

SHA256
ae2b9558f6e6dd9639d78994322f9ddf0c9e60921ca6988f270f06ff7559c269

SHA512
d039e122f342f53f82fc561a1c8f144e52d7eba176904582d1d2bf1be351d7b31da2533e823753e0b91482e21631a431a3bcad63d63a73c5b3391bacec3d3012

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2328-0-0x0000000074091000-0x0000000074092000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-5-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-24-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-8-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-18-0x0000000074090000-0x000000007463B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads