f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a

General

Target

55f813b368e7834f7f692c2e2451b8f2.exe
Size

37KB
MD5

55f813b368e7834f7f692c2e2451b8f2
SHA1

3ff5aee5e0acd936ddabe4ec6113744988d526d3
SHA256

f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a
SHA512

941663b113c4fb35ccae4428bf37717c78e96ea832c9700de92741f39c1cef65bd2adbf1ae4138ba5d3d97e9f8381b50425a6f7d760ca1f49e33a6305ae9074b
SSDEEP

384:d4so92aul8VctMCqTX3xAkSVE6B95rfRqzhBaSUR4WVJl/vrseE7+Db9/:d4s6ulPg6XO66WRqGB

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1232	RuntimeBrokers.exe

Loads dropped DLL 1 IoCs

pid	Process
2728	RegAsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
7	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBrokers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55f813b368e7834f7f692c2e2451b8f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	55f813b368e7834f7f692c2e2451b8f2.exe
Token: SeDebugPrivilege	2728	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2716	2416	55f813b368e7834f7f692c2e2451b8f2.exe	31
PID 2416 wrote to memory of 2716	2416	55f813b368e7834f7f692c2e2451b8f2.exe	31
PID 2416 wrote to memory of 2716	2416	55f813b368e7834f7f692c2e2451b8f2.exe	31
PID 2416 wrote to memory of 2716	2416	55f813b368e7834f7f692c2e2451b8f2.exe	31
PID 2716 wrote to memory of 2620	2716	csc.exe	33
PID 2716 wrote to memory of 2620	2716	csc.exe	33
PID 2716 wrote to memory of 2620	2716	csc.exe	33
PID 2716 wrote to memory of 2620	2716	csc.exe	33
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2416 wrote to memory of 2728	2416	55f813b368e7834f7f692c2e2451b8f2.exe	34
PID 2728 wrote to memory of 1232	2728	RegAsm.exe	36
PID 2728 wrote to memory of 1232	2728	RegAsm.exe	36
PID 2728 wrote to memory of 1232	2728	RegAsm.exe	36
PID 2728 wrote to memory of 1232	2728	RegAsm.exe	36

C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe
"C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0zx2wzhw\0zx2wzhw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1842.tmp" "c:\Users\Admin\AppData\Local\Temp\0zx2wzhw\CSCA86CE12DADE445D6BE24CBC4105640FD.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\ProgramData\Visual_Studio\RuntimeBrokers.exe
    "C:\ProgramData\Visual_Studio\RuntimeBrokers.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0zx2wzhw\0zx2wzhw.dll

Filesize
9KB

MD5
a55e5002046b5751e9e77ad7cbe1b9d0

SHA1
29eeb7d764330f19548a36aab8501b90f83277d0

SHA256
c7d4aee891c057c070b76b7d577c6c23741d1535482ea46881ed36ae77c0b279

SHA512
ffd32489ca8ed15f1f7f821eeca3a934e8f64bf48af597c9b8d84eb1ec04f1368d0ba426d0ae56d57af71053df7ca9028cd5b3239c748e5abbdf1c1e2e638d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1842.tmp

Filesize
1KB

MD5
5879eb18f000008214e81d0a480d26e1

SHA1
ef28a4be8002f9dbb1d9772d5098e797290ab7fb

SHA256
0008f61330da4708771f08823f9f5cca16f30747e0d231bada3afa08d4e3cae7

SHA512
05e7aa466a58237687395daf7f7d3da3d37875b1d7be8c9e6ee2f543f236515ed3825217117701bae9f745ad804e257f0eb3fe5bb7c8a983bf927b28f1c77104

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0zx2wzhw\0zx2wzhw.0.cs

Filesize
10KB

MD5
1b6ac34c4169b5a34200e793d21182e6

SHA1
7a195f13804f6d4f38774b2a94962faa2f6c03e6

SHA256
38eca887cb1764ceccab157b44915f0a41760c843c530a72d66ee414a9a61296

SHA512
454f50f81b31594855c7bf2b6168c7a4ead6e83e4c60cf7f49c54a4a6378ba7946b00b9336b3ffa9c390fc85ea4305577093411448a68cb0d8280b115ea0dd58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0zx2wzhw\0zx2wzhw.cmdline

Filesize
204B

MD5
a87658b7adbf8553e455413c16d2b0b0

SHA1
5a977cea3dc6f2f73cf3a959f3a58de0d10edff8

SHA256
60eecda0e3efbed6e96b25b700ca0b8636105f272644e03d1a35aaf06fb5f720

SHA512
8a5b897151e77b2c3b8f7f230e411b6684bba6edca93e1aa56a308e0d697610a09c28ab7d566f57f4bc6e4300dcecce1e38b699fafdbe6af7f1f8a5fe01ec058

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0zx2wzhw\CSCA86CE12DADE445D6BE24CBC4105640FD.TMP

Filesize
652B

MD5
18b9914e7728b6237e5342664e9cd80e

SHA1
e59c7102abbfea6967963016ef0cda09105fd2e9

SHA256
92fa80322b34cf4920850bc81c30fceff13697b320bcfbde10d3fdb83e4440c1

SHA512
8fd3e0cd727d70ca8d515a2695cdf4ff8d3c4f703162bc99c58c565aa890a1cbdc40deff61d41e6a553376706003966ab6c241036fbc4b535198626d2f5aaafa

Download Submit
memory/1232-42-0x0000000001010000-0x0000000001022000-memory.dmp

Filesize
72KB

Download
memory/2416-17-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/2416-4-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-3-0x000000007437E000-0x000000007437F000-memory.dmp

Filesize
4KB

Download
memory/2416-2-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-0-0x000000007437E000-0x000000007437F000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/2416-31-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-32-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2728-26-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2728-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-21-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2728-20-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2728-19-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2728-28-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/2728-23-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download

Resubmissions

Analysis

Sharing