8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1a

General

Target

8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe
Size

78KB
MD5

e2979c4c2b3e7c1035a2161052d9bc50
SHA1

c55b932857c6e78702bd5e01638ec48e1349905c
SHA256

8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1a
SHA512

1b584fc91c10bb604eb79d86374b6091a914b6f0eeb9412c69de9ae9206f6b97096e3f9d0a28f5f89360a97b52dd9600fcc6c61f5308b58eeb12b79c972d00e8
SSDEEP

1536:eHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRH9/g10t:eHFonhASyRxvhTzXPvCbW2URH9/1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3004	tmpFEF8.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe
3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpFEF8.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFEF8.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe
Token: SeDebugPrivilege	3004	tmpFEF8.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2836	3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe	29
PID 3056 wrote to memory of 2836	3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe	29
PID 3056 wrote to memory of 2836	3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe	29
PID 3056 wrote to memory of 2836	3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe	29
PID 2836 wrote to memory of 2756	2836	vbc.exe	31
PID 2836 wrote to memory of 2756	2836	vbc.exe	31
PID 2836 wrote to memory of 2756	2836	vbc.exe	31
PID 2836 wrote to memory of 2756	2836	vbc.exe	31
PID 3056 wrote to memory of 3004	3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe	32
PID 3056 wrote to memory of 3004	3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe	32
PID 3056 wrote to memory of 3004	3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe	32
PID 3056 wrote to memory of 3004	3056	8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe	32

C:\Users\Admin\AppData\Local\Temp\8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe
"C:\Users\Admin\AppData\Local\Temp\8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1tvrzsbu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Users\Admin\AppData\Local\Temp\tmpFEF8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFEF8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8b4293300d07b8d98286171703a109be5bdb665dee347645605063ce4628ed1aN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1tvrzsbu.0.vb

Filesize
15KB

MD5
65b051e04c502f3c0e1619f10bfdd075

SHA1
db60a2268ceb8da175672d5859ad9d7f8db8bee5

SHA256
3219f8d258e15eceb671b3b960e44750bf9d1bb6b69dbb00cf0373e8c0d65409

SHA512
b71bfef03bfbdc000fd367a2f75b64a92eda00793bc7ee210db00d52e896ff63e5ae76fa3368e446dc470a577bc1199a91beefae6399be8a826dca4e30a7f00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1tvrzsbu.cmdline

Filesize
266B

MD5
0095dfb7f80c788cc25761aac15109e0

SHA1
ffcaea4f47b1a0123f6bf309ca8587ce9dc622cf

SHA256
8ac8b4c4338ea4f1b5a8df4b56e5bdb325614b0609b4d0b243483bb0077837f3

SHA512
3af20ccfc301f2f9d2909247956c53b2678319698bfc60635935c9579e3b2bf8ce13813541ade3467640a1bf35affb9d1cb83a654ba160aba6670e052c5e1f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES10B.tmp

Filesize
1KB

MD5
1b687af0d3f772770b5e642f1d84fada

SHA1
7f961616c30df08443e609236ad7559258308662

SHA256
b5656e3dbcc6c7404af787ed5fa219818cc009eb1b2feeb630cb3083eb79705a

SHA512
0eb00fa82842b6f609a26ca87c7eb79dc404e8e49ec8c3dbd74fed0e9c7303d5222db9dbde62c23b96df77bd7623a7e6d60c0369a5fdf948c2130796da2c6321

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFEF8.tmp.exe

Filesize
78KB

MD5
18d5c2185742ebb2d05517f2e4370611

SHA1
9308a85ae4875cc326e3198414fe3f7810cbd96d

SHA256
5faa9b0e88675f7f3fb55e098554f74ed57ebe1b21f1641a77d750bc1c792e93

SHA512
97e708a44ddf63a0ef25c19eeeab28e266788d6a8ebdeaa1cbe48f971ec2edaa420f454f6506f09924fba6c898bb8876d829846901b9c09c6b0a1fa55e8fdef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc10A.tmp

Filesize
660B

MD5
9e91fb68cee2bcf7878e85489994e5b8

SHA1
caea723eca4d4df552240ac1a3d9eda7353ae33b

SHA256
9f9a52abfa0c0b1be7ff155065f109ef7f02d085ee3b2a09397e27530bb2c6a1

SHA512
4bd2f60b6d941bdeaee939e00eee38ded7feb4d2accbaac894d1d2c4cc39d4f310e50afd7f581b75ac986bc053733a4c75625d7159f9d5616ee45394306a72e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2836-8-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-18-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/3056-0-0x0000000074A21000-0x0000000074A22000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/3056-2-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/3056-24-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads