bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714

General

Target

bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
Size

78KB
MD5

940cbf6fc38ae3ed695bd467dcd82a31
SHA1

37dcc728fd377786af00bacadc10ee427c6cee26
SHA256

bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714
SHA512

7480a388874546d61a1df263cd35ffa41545b1f712db92a43bffb1cccaa4aa6137aeaa7e0fb8ece873c098087a1519bfa0425b879a794c015a7f3ae435bc5734
SSDEEP

1536:SWtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtS9/dC1Kc:SWtHYnhASyRxvhTzXPvCbW2US9/e

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe

Executes dropped EXE 1 IoCs

pid	Process
556	tmp8A7D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp8A7D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8A7D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
Token: SeDebugPrivilege	556	tmp8A7D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 4468	1808	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	85
PID 1808 wrote to memory of 4468	1808	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	85
PID 1808 wrote to memory of 4468	1808	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	85
PID 4468 wrote to memory of 4380	4468	vbc.exe	88
PID 4468 wrote to memory of 4380	4468	vbc.exe	88
PID 4468 wrote to memory of 4380	4468	vbc.exe	88
PID 1808 wrote to memory of 556	1808	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	89
PID 1808 wrote to memory of 556	1808	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	89
PID 1808 wrote to memory of 556	1808	bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe	89

C:\Users\Admin\AppData\Local\Temp\bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
"C:\Users\Admin\AppData\Local\Temp\bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jncpwg6-.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B96.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE7B378BA3D24CD484C342F61CCF20F2.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4380
- C:\Users\Admin\AppData\Local\Temp\tmp8A7D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8A7D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdbe5fc8ed566a09851b5575d4c21957cd41c03f303175f3902da2d2cef62714.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8B96.tmp

Filesize
1KB

MD5
0951eea292e577c03c402d6885039936

SHA1
e685caf712468be387ebcb5e754c68da4a425d2f

SHA256
5e607b9570d0012916aecbf6942c64e7529742f061ebf009f4ab963bfd24d08a

SHA512
5951f898c561f46095ee6f81dac03b60c4649c0af92443d6e5720fb0d68362a8b8348bf2ff6885c7599b5c003a5033ea6f4c4b7b51b0298ad76e86ce3a7af89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jncpwg6-.0.vb

Filesize
15KB

MD5
b5ad31d06750edb0a894e85008917be3

SHA1
a1448e93e290ea92ea2cb5a5da0e6c98d5090188

SHA256
df3f84e943261fa76504d3ae4139819e09101bd347f122d33af05a6b8469dd1c

SHA512
f0fe5cc91f2326d763d25fd9cc125698c5bea05ab1abbcd10590fb2d17def625494a0b35d895ecd83db5186ef4c036b7d4d9b936d4b1f980db93c9a5963f1786

Download Submit
C:\Users\Admin\AppData\Local\Temp\jncpwg6-.cmdline

Filesize
266B

MD5
aac322b85a06bcd71b82c5129befad9d

SHA1
aefeba2d42580e8a180d6fadb4b2305fa7622292

SHA256
7a2f65a0dc8e82ed5ebe473d95a94f57c80f63e2c8976c71809507f2dc35f616

SHA512
3e64d8c0d512cbe3170d8510fb2f987cb201f01b922635a6e91f8b9f0839c1f13a0e25819a5f0d9c033e5c044875e5cc781eef1b0cd42034fa0392e4ab86e5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A7D.tmp.exe

Filesize
78KB

MD5
109387039f8ece521de78572953252dd

SHA1
a64977a41ca684b7e870969ddf0040b3ada25aff

SHA256
e056491f782c0de5c4260b2223010dcbd5410a1334b987aafa8ca16b0f7baf3e

SHA512
e5cb7caea02a1b5269e5149d8f399c57854d0ba8ac0a36db03dfbb79506a7d8035c0bfc4c573ddeef0a48683c1f204bd4e0304b25a70b6af9cf3334c3c3a6e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE7B378BA3D24CD484C342F61CCF20F2.TMP

Filesize
660B

MD5
6ec53d0c92700b18b31bb889b9dd2516

SHA1
ac0a20370941118c5bba033a52631b37f33156fd

SHA256
e43858a59a9068186f8420dae6cacd36892f91c6a94c3dda57bcaffdf2dee7f4

SHA512
48ac45ae24df7781db56ae8f9bb1fdb21894ddc145ad865709521b9e3133c920ac5f1bdd375b66186b980b0c61ff58097b73f215fe28efddf9b9f31ed6603818

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/556-23-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/556-24-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/556-25-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/556-27-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/556-28-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/556-29-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/1808-2-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/1808-1-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/1808-22-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/1808-0-0x0000000074622000-0x0000000074623000-memory.dmp

Filesize
4KB

Download
memory/4468-9-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download
memory/4468-18-0x0000000074620000-0x0000000074BD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads