33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63d

General

Target

33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
Size

78KB
MD5

b0ec359e94b58d69c223e0ddf544c000
SHA1

be2360bf717a87109b52995bd815b5b1d22f5d17
SHA256

33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63d
SHA512

ac7a5b1c0a44a830affea41673122a599765b9cdb3ae2b59bd1aaecbbcc6eb201b928831b4bf023bf5c8b59eb077c5b37caf6a2b6b864c720602ec04b09b879f
SSDEEP

1536:5CHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtW9/61b8:5CHYnhASyRxvhTzXPvCbW2UW9/3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	tmp8095.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8095.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8095.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
Token: SeDebugPrivilege	2740	tmp8095.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1716	2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe	30
PID 2392 wrote to memory of 1716	2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe	30
PID 2392 wrote to memory of 1716	2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe	30
PID 2392 wrote to memory of 1716	2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe	30
PID 1716 wrote to memory of 2192	1716	vbc.exe	32
PID 1716 wrote to memory of 2192	1716	vbc.exe	32
PID 1716 wrote to memory of 2192	1716	vbc.exe	32
PID 1716 wrote to memory of 2192	1716	vbc.exe	32
PID 2392 wrote to memory of 2740	2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe	33
PID 2392 wrote to memory of 2740	2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe	33
PID 2392 wrote to memory of 2740	2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe	33
PID 2392 wrote to memory of 2740	2392	33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe	33

C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
"C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lwpzqo-n.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8180.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc817F.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe" C:\Users\Admin\AppData\Local\Temp\33f7f66665c08153601d8fcd5f84defba46cf09af23cfcc72361f2a17d49d63dN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8180.tmp

Filesize
1KB

MD5
b4e8f6fec0980ed5a45eef3f72dee0ee

SHA1
f454fd3e16788db690e848a9c787d3ad281bfe5b

SHA256
10de9482fce10fd095279bfc4fa2b1a2b294a949108d7b9c536577485ca07d3a

SHA512
655c196ba8a2e0e6e1e0408521f333dbc691b38c1c876111b71342cacc2d122ccc59723ab78e36d0a5b06d3e268c915c9836951bd01b589e9e13613ceb0e8552

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwpzqo-n.0.vb

Filesize
15KB

MD5
77404c3c0f33987c51966a75afd02971

SHA1
b47758b30e0465e40ae7161b2cf44dc9ae0d32c8

SHA256
415c2ff0c91167dbdeb7666f44e188c3217268ec3567d55cc8c4d28c2e3863bb

SHA512
1630ff2f381c269463276e482ce8c9b3eaea965faf5a23b10e801ae203141a151710751d481e0db4a85f156cc7c3238f77c08b2f3d3833e38e4c4a2bfb5f497a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwpzqo-n.cmdline

Filesize
266B

MD5
9d22f4a9bd16a7b079412562e2f333be

SHA1
c723663b15f68dbbe4ece6e61e69c9c04a8b63c9

SHA256
7fa61916e5b36688634e1405a364133f8facb0ce6f2fe88b75df3aa84fb656ea

SHA512
a331267dedcb686dc4cd90be2f6732addc47a1c6fd4b5555bc5f3759b5482657803a877d720de0b52d80d71c92bb19138a566b71a4864bad6f69f0b952eba1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8095.tmp.exe

Filesize
78KB

MD5
e497f91feae79cb16bc4ab15d5ecc393

SHA1
4580cfd85204a055d1b6aa86e500228efdb29f4d

SHA256
2935e09ea34a1f824f770897326508f606e4f638bad7dfbf32422af9b657f270

SHA512
7579369c346b2a081a3f87218dc2ef602f8d0792fd74e24a31e4e36c912033e120115ef60b4868895d268f34a2b203ef8e2ec822c1309718e0b46bed49ce31a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc817F.tmp

Filesize
660B

MD5
5ed6e4251680e71252259243d980e1a1

SHA1
35137a557cc2d98a04ca205d310f5c3552522224

SHA256
f67ef881934ea7968081c558ea40bc00f2f221e0026c181fa0114213bef697a4

SHA512
62ec4f0b53d4a1229bf63fd299571d391dc3238e218cdc33dcb17827338782a9a2010075f0a29a98d5c6a7b6b291db0ba1a90a7f3cfae6ca9830f18758894c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1716-8-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-18-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-0-0x0000000074A81000-0x0000000074A82000-memory.dmp

Filesize
4KB

Download
memory/2392-1-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-2-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-24-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads