f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a

General

Target

55f813b368e7834f7f692c2e2451b8f2.exe
Size

37KB
MD5

55f813b368e7834f7f692c2e2451b8f2
SHA1

3ff5aee5e0acd936ddabe4ec6113744988d526d3
SHA256

f6df63c031b23c4fc8f3d235284539fa4745086388e10e2d226564dea47ab54a
SHA512

941663b113c4fb35ccae4428bf37717c78e96ea832c9700de92741f39c1cef65bd2adbf1ae4138ba5d3d97e9f8381b50425a6f7d760ca1f49e33a6305ae9074b
SSDEEP

384:d4so92aul8VctMCqTX3xAkSVE6B95rfRqzhBaSUR4WVJl/vrseE7+Db9/:d4s6ulPg6XO66WRqGB

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4620	RuntimeBrokers.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4412 set thread context of 2984	4412	55f813b368e7834f7f692c2e2451b8f2.exe	77

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55f813b368e7834f7f692c2e2451b8f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBrokers.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4412	55f813b368e7834f7f692c2e2451b8f2.exe
4412	55f813b368e7834f7f692c2e2451b8f2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	55f813b368e7834f7f692c2e2451b8f2.exe
Token: SeDebugPrivilege	2984	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4584	4412	55f813b368e7834f7f692c2e2451b8f2.exe	73
PID 4412 wrote to memory of 4584	4412	55f813b368e7834f7f692c2e2451b8f2.exe	73
PID 4412 wrote to memory of 4584	4412	55f813b368e7834f7f692c2e2451b8f2.exe	73
PID 4584 wrote to memory of 308	4584	csc.exe	75
PID 4584 wrote to memory of 308	4584	csc.exe	75
PID 4584 wrote to memory of 308	4584	csc.exe	75
PID 4412 wrote to memory of 4484	4412	55f813b368e7834f7f692c2e2451b8f2.exe	76
PID 4412 wrote to memory of 4484	4412	55f813b368e7834f7f692c2e2451b8f2.exe	76
PID 4412 wrote to memory of 4484	4412	55f813b368e7834f7f692c2e2451b8f2.exe	76
PID 4412 wrote to memory of 2984	4412	55f813b368e7834f7f692c2e2451b8f2.exe	77
PID 4412 wrote to memory of 2984	4412	55f813b368e7834f7f692c2e2451b8f2.exe	77
PID 4412 wrote to memory of 2984	4412	55f813b368e7834f7f692c2e2451b8f2.exe	77
PID 4412 wrote to memory of 2984	4412	55f813b368e7834f7f692c2e2451b8f2.exe	77
PID 4412 wrote to memory of 2984	4412	55f813b368e7834f7f692c2e2451b8f2.exe	77
PID 4412 wrote to memory of 2984	4412	55f813b368e7834f7f692c2e2451b8f2.exe	77
PID 4412 wrote to memory of 2984	4412	55f813b368e7834f7f692c2e2451b8f2.exe	77
PID 4412 wrote to memory of 2984	4412	55f813b368e7834f7f692c2e2451b8f2.exe	77
PID 2984 wrote to memory of 4620	2984	RegAsm.exe	79
PID 2984 wrote to memory of 4620	2984	RegAsm.exe	79
PID 2984 wrote to memory of 4620	2984	RegAsm.exe	79

C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe
"C:\Users\Admin\AppData\Local\Temp\55f813b368e7834f7f692c2e2451b8f2.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h2zvye5f\h2zvye5f.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE00.tmp" "c:\Users\Admin\AppData\Local\Temp\h2zvye5f\CSC979D110DB5C944C5BC48C0DEF45FC6AA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  PID:4484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\ProgramData\Visual_Studio\RuntimeBrokers.exe
    "C:\ProgramData\Visual_Studio\RuntimeBrokers.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBE00.tmp

Filesize
1KB

MD5
85a1ba87bccf7c0cffcbd1949bcb0871

SHA1
492a4e6dc115c0db340bbe22a5ecf67dbcd7a971

SHA256
9b50c3c4c7b5b8c5fd7749c236e6f727692ec88b6c916dff4065527dc6e42c4a

SHA512
43364b62f0d278fa33b745d5c45cc62334f92de3c5a7fc5c6941a3cba1dbed18d9b63a6a3eed1ffc0e9ac82b07497db514c8cdc14d5b630e36e6965b1ec6c594

Download Submit
C:\Users\Admin\AppData\Local\Temp\h2zvye5f\h2zvye5f.dll

Filesize
9KB

MD5
6a7d2ad7c61a0f22cfed488b11217720

SHA1
2e59d6a1e0ec7dd47c47cc01e0a0252828148953

SHA256
7fbe23a4f2a7a59ae1ae78d0b2ef60b928e6eab018185dffc229abef003a9682

SHA512
f42b153d02118a6f5982c893262f22f090fe8c2612b63e6a2c87b9b4df6823d6c75b2e6954ad3dc596bc46194f3717ae6b1142cbdb0bbf882554ec59f992e508

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h2zvye5f\CSC979D110DB5C944C5BC48C0DEF45FC6AA.TMP

Filesize
652B

MD5
f4b86420e3a44bfb26d4ab143e04c14a

SHA1
567913a9a1b6866f074c5cc30982daafbd192763

SHA256
ad655f33bb7fe59d3ce9ac8d3639f4f2c99d5896888138a7696dd5df40b16baa

SHA512
5f499d0fc2abe8fa8dd5a2db96c382227464ed262a6449d34e05ceca07dd0d688862422fb6b4a386a5c762ca104d6a60578968e6172e2ad9fdd293601bf6a8f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h2zvye5f\h2zvye5f.0.cs

Filesize
10KB

MD5
1b6ac34c4169b5a34200e793d21182e6

SHA1
7a195f13804f6d4f38774b2a94962faa2f6c03e6

SHA256
38eca887cb1764ceccab157b44915f0a41760c843c530a72d66ee414a9a61296

SHA512
454f50f81b31594855c7bf2b6168c7a4ead6e83e4c60cf7f49c54a4a6378ba7946b00b9336b3ffa9c390fc85ea4305577093411448a68cb0d8280b115ea0dd58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h2zvye5f\h2zvye5f.cmdline

Filesize
204B

MD5
b1e03bfe628f94000d907bcc03a4c731

SHA1
3fed8aa0ba6aa14c50adb10cfac3eea57b44de0a

SHA256
c268c3ebae6e2cbe30603fc0cb3d44059a3cc94b5fe3b7cd21d2b2b95d9886ba

SHA512
85ad3f7954cd8512013613576c84d96d8d3bdefc126fd3ffa86139d988388d0333e1c6f8d78f7c434b94a897bc979407f3bd294ff80c1f01fb2da381b81ebb5a

Download Submit
memory/2984-24-0x0000000005050000-0x00000000050B6000-memory.dmp

Filesize
408KB

Download
memory/2984-23-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/2984-22-0x00000000053D0000-0x00000000058CE000-memory.dmp

Filesize
5.0MB

Download
memory/2984-19-0x0000000000400000-0x0000000000968000-memory.dmp

Filesize
5.4MB

Download
memory/4412-4-0x0000000073390000-0x0000000073A7E000-memory.dmp

Filesize
6.9MB

Download
memory/4412-17-0x0000000005E20000-0x0000000005E28000-memory.dmp

Filesize
32KB

Download
memory/4412-0-0x000000007339E000-0x000000007339F000-memory.dmp

Filesize
4KB

Download
memory/4412-21-0x0000000073390000-0x0000000073A7E000-memory.dmp

Filesize
6.9MB

Download
memory/4412-3-0x000000007339E000-0x000000007339F000-memory.dmp

Filesize
4KB

Download
memory/4412-2-0x0000000073390000-0x0000000073A7E000-memory.dmp

Filesize
6.9MB

Download
memory/4412-1-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/4620-33-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing