55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21

General

Target

55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe
Size

78KB
MD5

8112e15a8c0344f48465bd7b587f2430
SHA1

bfc0e8d7df97fd4d034d24849490437a3c2a7701
SHA256

55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21
SHA512

62dccec34fbbad6cdd484ea8213de5e38b0bbda6754b0e454ce9f140a7d26b3d0dfcd8d60d6326c063092174bc7fbb80373557cb5cbb7f4a01341a2b1c613514
SSDEEP

1536:Sc4tHFo6uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtT9/JL:h4tHFoI3ZAtWDDILJLovbicqOq3o+nT7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2104	tmp9405.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2104	tmp9405.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe
860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp9405.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9405.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe
Token: SeDebugPrivilege	2104	tmp9405.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2540	860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe	30
PID 860 wrote to memory of 2540	860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe	30
PID 860 wrote to memory of 2540	860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe	30
PID 860 wrote to memory of 2540	860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe	30
PID 2540 wrote to memory of 1296	2540	vbc.exe	32
PID 2540 wrote to memory of 1296	2540	vbc.exe	32
PID 2540 wrote to memory of 1296	2540	vbc.exe	32
PID 2540 wrote to memory of 1296	2540	vbc.exe	32
PID 860 wrote to memory of 2104	860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe	33
PID 860 wrote to memory of 2104	860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe	33
PID 860 wrote to memory of 2104	860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe	33
PID 860 wrote to memory of 2104	860	55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe	33

C:\Users\Admin\AppData\Local\Temp\55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe
"C:\Users\Admin\AppData\Local\Temp\55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-iltipa3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES954E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc954D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1296
- C:\Users\Admin\AppData\Local\Temp\tmp9405.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9405.tmp.exe" C:\Users\Admin\AppData\Local\Temp\55eeaa7c696c0c4055bee9b8b50c9be9110d6b9cdc60c953b34fb2f94ced4d21N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-iltipa3.0.vb

Filesize
15KB

MD5
e9fce0f720c747588a66e622ce9d4bf9

SHA1
ddc0b061a182c59280120754f0d92bfd243b2f0a

SHA256
163904f17b0bb7c72c5cadbb2c71af0a7f7a328f6b6c706acf27d89bc4ca2f83

SHA512
c9520d8e599bf914989407e177f4a27c96fbf197ffd6b32d4a8cc08fd0df29593dfa2325ceb102526fb6f1e90227c1b5b076f2824176b0b6b2c757836361aba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\-iltipa3.cmdline

Filesize
266B

MD5
329d5723f7ebb3c60d011fcad046b933

SHA1
222b31f8db408f2846b4bea45c008d1fff15f676

SHA256
3aaa352206f627a0411e7a5c09d89911cda12d16b2208810d5d43a8a1dfab638

SHA512
f3ac66ece1d37354c841870a00ee2423364fda297b19a6daef325d699c6dd96c5bf3a4819da59e95444948e2a30dd82c208b86e3e21596b0d2f6221df9756cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES954E.tmp

Filesize
1KB

MD5
d4fd99cb66ba62afb57c130c873dbed1

SHA1
6d5a2ac0b72aff33593b50a560a07dee5898ebe1

SHA256
750ab8e75729979f4c37e2d1d143f956c570a73c0060c4904a84580f8a5ebe15

SHA512
deb18f758422c652ce39fcb087af9934ef8cdd2447716d21489dea6e5095dc4c729d9c0d399c31e94636486c8674cda1051e3df9180bcd96d0f5d7c27b30c66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9405.tmp.exe

Filesize
78KB

MD5
e2b3c92c92042c3a35ef0b6c93d3237b

SHA1
4c47b0de55a4957c5c48a6c5900fe5489c89b03e

SHA256
6c7c63baae68b9dbc2756e3d7568a09b4626a0fd4245f8c55367a106bc34807c

SHA512
b4cb8a479856b0da740223804c1bf5a71e6890bea8e4009b495356cac6dd7eef21b3b15f207e18eb896c7f2f690e32fde77c128ecbf2851289f79fe6071f59fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc954D.tmp

Filesize
660B

MD5
a8d5bab05cf760fb22cb8e1924e6ae3c

SHA1
dd974fa2c247bb689dffbde4a4916b8c90398a6a

SHA256
970eb068624f6614fad4cc6015574f87e9b3a9dfe5ef4d4d42a7751889c9c965

SHA512
6491314eafa37850809ef94a574f1fb928c44442607a8c524859c67d206cdc99ead23547a15297e22732f83277d6b25197d7fb1d7792b7fa8c7980dca652fc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/860-0-0x0000000074D51000-0x0000000074D52000-memory.dmp

Filesize
4KB

Download
memory/860-1-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/860-2-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/860-23-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2540-8-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2540-18-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads