7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465

General

Target

7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe
Size

78KB
MD5

c02a82f244939360afacbea0f5d7e283
SHA1

3f2b0c5be1aad4161bc186448614fdea58cad406
SHA256

7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465
SHA512

57e3b695f2493f0a5b6fd60d99a2804067f2ef500d277b1137ee2e73c1d2c87dabd4dfb9c184ba13016893c804a0cd1197be402fa20e92ab04d91fb4aaf031ba
SSDEEP

1536:+V5jSAXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6n9/P1G8:+V5jS4SyRxvhTzXPvCbW2Uv9/t

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe

Executes dropped EXE 1 IoCs

pid	Process
2376	tmp858B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp858B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp858B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe
Token: SeDebugPrivilege	2376	tmp858B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 4016	2480	7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe	82
PID 2480 wrote to memory of 4016	2480	7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe	82
PID 2480 wrote to memory of 4016	2480	7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe	82
PID 4016 wrote to memory of 3312	4016	vbc.exe	84
PID 4016 wrote to memory of 3312	4016	vbc.exe	84
PID 4016 wrote to memory of 3312	4016	vbc.exe	84
PID 2480 wrote to memory of 2376	2480	7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe	85
PID 2480 wrote to memory of 2376	2480	7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe	85
PID 2480 wrote to memory of 2376	2480	7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe	85

C:\Users\Admin\AppData\Local\Temp\7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe
"C:\Users\Admin\AppData\Local\Temp\7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a-yle0pl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4E2B8AC33C0485DA2D2CFFCD576EC.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3312
- C:\Users\Admin\AppData\Local\Temp\tmp858B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp858B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7554e6a296a2c7a7cf558b56ad0d717c28cc8f25caecce2a2628a6ba507d9465.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp

Filesize
1KB

MD5
fab8b7b5e8480285e2b127ebb982ddce

SHA1
b26011625b7786133b15902aa5adf4c695802981

SHA256
8fa845888bbc7d9153cc24e046a79894ea8a0c8426cc2b8222f4aaf27e64195f

SHA512
07b63c22a4be4b16db70aa56568a42e19332ae61fb35b7d1891d34292b3ae2a59a12a5ea4d683aa9e39b17e867046e5ac4add4ab1e9466608b0f875d97bc9496

Download Submit
C:\Users\Admin\AppData\Local\Temp\a-yle0pl.0.vb

Filesize
14KB

MD5
efcf6aabbd17c09fa8dab255d2ccc40a

SHA1
13c5960aaf16a507e9264253026adb1d7a46954e

SHA256
a0e530b7ade5b03dd87e29e02dad65a139a268c6474ba4b405b2409225de0e47

SHA512
d6ac112b01e7ca3b17826080a1a5a90d9177b8ba186e663af1adf396657394a6c0b4fd2d985272f64074932b7fefead46429b7d63407e5f18a2952082dac36d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a-yle0pl.cmdline

Filesize
266B

MD5
a21aa181e609ac0f919e569e3d26278f

SHA1
d8e616b359cb9a8c6170c9314ee6daff368e4961

SHA256
9c3da54af2bd3f6c2cd3f46492c8ac37b89e40be76529e0dcf1da748b323bb2a

SHA512
4c591c6aeda99190add5b53339930b5e3d048f3678168a01c58ca15175d1ef9f67c1d01c572e9a2453a127de1958ce72e64b7960c5aa00911c5620cbc859626c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp858B.tmp.exe

Filesize
78KB

MD5
8f01133ae8e464dd95a619583736c2c6

SHA1
3de28c0433403f3538ed5b4b49a1ce661acc0eaa

SHA256
66f04854727dc62b27be0b2408853748a1d2f3e083c9056361717418127baa37

SHA512
06bb053cd3ea2f4776e7fbf1ee9b7ca122c1157afad3355440caff13a48fabe5e9fcc5f818d2f74ec004fdf0cfb1482b5ab72f8bc2bebd89b415c22efd6de78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD4E2B8AC33C0485DA2D2CFFCD576EC.TMP

Filesize
660B

MD5
2166b03ddfef74581514ff2c32fa21a6

SHA1
313ac6ba800e7bb6cffde7d3fa8b1926fb808c20

SHA256
d50e384adc6e50e60111359c1d4041bad6d83cde2974a004590cff5a65f606ed

SHA512
8d74d92df2905f44946f1afabe6cc26f252c751577b75c734b6e866df72af95799355909de9793ff1e4c071dba7c605a79b7b30a60b488412e7ee1548f2978dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2376-22-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2376-24-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2376-26-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2376-27-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2376-28-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2480-2-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2480-0-0x0000000074B92000-0x0000000074B93000-memory.dmp

Filesize
4KB

Download
memory/2480-1-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/2480-23-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4016-18-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download
memory/4016-9-0x0000000074B90000-0x0000000075141000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads