e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0

General

Target

e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
Size

78KB
MD5

01bfd73e71d195804e870481cd09be83
SHA1

cbca8b71bb31b755363efc9f538ec3047d8802a8
SHA256

e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0
SHA512

d98594e5f6ca7015ac4300366d1be20fee4f9001a0d4ba8ff7f2c87f5d2a1e84396e2f011502abd58f1a4a64546ceb5010aec207ed1486c2f2b47abf3b46989b
SSDEEP

1536:9ouHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtMl9/N1nN:iuH/3ZAtWDDILJLovbicqOq3o+nMl9/t

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2092	tmp8EF7.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp8EF7.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8EF7.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
Token: SeDebugPrivilege	2092	tmp8EF7.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2840	1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	28
PID 1604 wrote to memory of 2840	1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	28
PID 1604 wrote to memory of 2840	1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	28
PID 1604 wrote to memory of 2840	1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	28
PID 2840 wrote to memory of 2400	2840	vbc.exe	30
PID 2840 wrote to memory of 2400	2840	vbc.exe	30
PID 2840 wrote to memory of 2400	2840	vbc.exe	30
PID 2840 wrote to memory of 2400	2840	vbc.exe	30
PID 1604 wrote to memory of 2092	1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	31
PID 1604 wrote to memory of 2092	1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	31
PID 1604 wrote to memory of 2092	1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	31
PID 1604 wrote to memory of 2092	1604	e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe	31

C:\Users\Admin\AppData\Local\Temp\e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
"C:\Users\Admin\AppData\Local\Temp\e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-p58bwld.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FF1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FF0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\tmp8EF7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8EF7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e088e5989ef33d6f06391625e25fffb415317643b931fc43ed5a14e56abd27b0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-p58bwld.0.vb

Filesize
15KB

MD5
5a82f01b92f8225bcbebc99b30b872ee

SHA1
0312a366e9a46ba918d8f555b4e5a0bad5f06196

SHA256
0a2b5511c8a97b5bed9cb9d6fb5c9d666cbba37ffbf10346cb40b04f1f245591

SHA512
2641fef040c1fb8b8c8a6d7f501f04cee89707766a0cdac1149ec27d828280cc077255a03394de8b80b87c02c7e924cf9207f11c9082d77b5a770d109b7dbcbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\-p58bwld.cmdline

Filesize
266B

MD5
08ec1162affbf0dfc97dbdecba278738

SHA1
680ac27547d9d2d1143cc9c7fdb48b37beb0adc4

SHA256
3e2ad18cbbf2836060b70bf0e7ce0c42c39fd8339fe99f71bb40312a41051d01

SHA512
94d02e7284021e4d02c29ca1cd038e44f7a4bc0b050ea69adbfe8105b4d38286642babbe8e9a40049ee7098351c9af927e760fa483bcd3c1d66ef68edeb0a91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8FF1.tmp

Filesize
1KB

MD5
a7dfd0240879b105b6b2edef33455e17

SHA1
aaf64354d7348955052c7abef8e70f0ddf6d7657

SHA256
2dc563b5391d4684622878374ad95776bbc91ed7f6fdcbe95f09b3c7f6f7c371

SHA512
d68ec4a94cf8555e2914f4f5c1715a31be0b47d8bb830d19e7944d296e183a3729ed07141ce6761acaab96e856308295e57c69a1cb22285ebe565e90541948e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EF7.tmp.exe

Filesize
78KB

MD5
9bee58cb536bc6626ac51ace3e9bbe02

SHA1
f63193f10ed04e504c85b549b4a36a4f210ed7de

SHA256
0e4a9da5643e4e04d2befab1b019a246a0985baa2d0ab277c6f7a9a2ecddd239

SHA512
3550833a35b45419473caec9fe58f03c4db644927a83fbdb6492fc04c1a7aedef2339d284469157ff1c1737a5517858ead3e97d4877ee0e1c49bba99b250d558

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8FF0.tmp

Filesize
660B

MD5
60fc172ca2d6ebebd1336b2374dbb215

SHA1
c408b3d146f697d53ebcb4759ae49ee125ceb622

SHA256
3cfbffdfdc30fad07f2e7ec9e7f0136bd8e979415c50b7aa4bd3738796e73bf0

SHA512
d5309d2df81f05b4f5dbc03cb09858353330fd5c230c3c4dbf7b9d243cf3b6a74d0fc1fb293b456b273a5767d1d6dce9ff8590567a313efb8debaa30442a05db

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1604-0-0x00000000748D1000-0x00000000748D2000-memory.dmp

Filesize
4KB

Download
memory/1604-2-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1604-1-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/1604-24-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-8-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-18-0x00000000748D0000-0x0000000074E7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads