c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5e

General

Target

c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe
Size

78KB
MD5

24729cbc6d01f42791d77e2701e7e370
SHA1

139bd8e10e130f5ff0455d8173f2544174a78585
SHA256

c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5e
SHA512

eab0b56aaabc7afafa5399c503e80d1552ea0af574519defb5db15dd1454af34d7944f4ce948c15cc26377db291dcc9bf9ffbbe1f7dfd10443af58d11389a612
SSDEEP

1536:IRWtHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRb9/k1oR:IRWtHF8hASyRxvhTzXPvCbW2URb9/J

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2136	tmpA573.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2136	tmpA573.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe
2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA573.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA573.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe
Token: SeDebugPrivilege	2136	tmpA573.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1932	2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe	30
PID 2672 wrote to memory of 1932	2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe	30
PID 2672 wrote to memory of 1932	2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe	30
PID 2672 wrote to memory of 1932	2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe	30
PID 1932 wrote to memory of 2372	1932	vbc.exe	32
PID 1932 wrote to memory of 2372	1932	vbc.exe	32
PID 1932 wrote to memory of 2372	1932	vbc.exe	32
PID 1932 wrote to memory of 2372	1932	vbc.exe	32
PID 2672 wrote to memory of 2136	2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe	33
PID 2672 wrote to memory of 2136	2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe	33
PID 2672 wrote to memory of 2136	2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe	33
PID 2672 wrote to memory of 2136	2672	c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe	33

C:\Users\Admin\AppData\Local\Temp\c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe
"C:\Users\Admin\AppData\Local\Temp\c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\prwwj-ft.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6DA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2372
- C:\Users\Admin\AppData\Local\Temp\tmpA573.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA573.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c297a0ae680b065ac057e23249cb2d777a9e6d2c0dd58c1bb8fac79da77f1d5eN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA6DB.tmp

Filesize
1KB

MD5
da47971f28c65fccad5fb715be8800e9

SHA1
892e0d51634b4e4b27f4a4988eafc603369efc18

SHA256
64d5ec5367cbe95f18e7d2b46ddb6968b04e976d9c3c1185447947ec090d753e

SHA512
3a9bdcf969df783adbc88de7648164a55d7114dcfd61e7161c4b85b6652692f160dc65700243af025cbb0c146eda10cc71997cc7d5848c164cf35f1f6d8e8323

Download Submit
C:\Users\Admin\AppData\Local\Temp\prwwj-ft.0.vb

Filesize
15KB

MD5
40c13af08c23808d1c9f7ca6efd2362d

SHA1
b16ff4e4fe27051e9f5229831b4a75e93fc5ede8

SHA256
e5f646f70026794427c27e702a79d9909d9d98716a3a276a079322f5d269eed1

SHA512
7029775ec71452f66fbe6d8aa664a82d5f60aa3883b0f27d845e7171c95fd61b12ad921d71dd86c5ea107095a7d4ed1fa528df205c20f3eb1b25b4f4cf480bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\prwwj-ft.cmdline

Filesize
266B

MD5
78121ad29e6466a3b5b0b6fa1f2edeb7

SHA1
41138e6d356ec7ddb3ba35ab14d348661459025a

SHA256
e150447ac2d10e1dd0bef2bc9783cd8b31b7730f2f0841419a48a8f3d7e4413c

SHA512
479cd97047973e8acac8200ce959b58dc4c603a08140f28c94a065e47ae8c8507a35f4e208164429cb6b6b833ef4f2722866f3fdd2bffd58c7cb2ba6308aa280

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA573.tmp.exe

Filesize
78KB

MD5
38b360d09e7241cab41e76202628ac1d

SHA1
7403b9b85b62eac17af4d2d1914b93602958f2ac

SHA256
181bda53612de0c424d81228ef79b3fca6ad7c695800349428f4711c3784e27e

SHA512
2240d001f354f58877f1ea6770014f58e32f996a557b9dca8a62e5a88900cbf819a973fe4f9c4a33ce5736f2c0f8c28640d928659aa37ff1ce4d0c48d209f70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA6DA.tmp

Filesize
660B

MD5
f732e31c55548bdcab7f5f24c7a349cf

SHA1
da2bc04f374fc273c0b5f87e07c6a6ff69f6c122

SHA256
13656c2a231940ed722651f4053b82ed62fa020be6a5d02a8ae957f01eb3e644

SHA512
2281f7b1b3e95c429ba1969f3a2e31c2fa8ed735d1421a3f38d88a02e910936ecbaeac733839629dd162d2a49c2d4a9364758ab9aedb800564b22e16ec8487ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1932-8-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-18-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-0-0x00000000749E1000-0x00000000749E2000-memory.dmp

Filesize
4KB

Download
memory/2672-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-3-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-24-0x00000000749E0000-0x0000000074F8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads