c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a

General

Target

c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
Size

78KB
MD5

3fe92d6af27ec0dd0fc474939a8c3ab6
SHA1

b355cbcaccc68da313d7513da35c96091328d6a5
SHA256

c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a
SHA512

3725be1320c9b7fb653f5392a9249895828fa7b63d58454695f5173e3e1c5ea7445d2bc15179d55e88c92eb4a93cf4ea546204f0616c11c5148bc4e6d527d405
SSDEEP

1536:sWtHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQteG9/s1Re:sWtHYnhASyRxvhTzXPvCbW2UeG9/p

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1940	tmpB77D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB77D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB77D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
Token: SeDebugPrivilege	1940	tmpB77D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2328	2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	30
PID 2520 wrote to memory of 2328	2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	30
PID 2520 wrote to memory of 2328	2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	30
PID 2520 wrote to memory of 2328	2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	30
PID 2328 wrote to memory of 2532	2328	vbc.exe	32
PID 2328 wrote to memory of 2532	2328	vbc.exe	32
PID 2328 wrote to memory of 2532	2328	vbc.exe	32
PID 2328 wrote to memory of 2532	2328	vbc.exe	32
PID 2520 wrote to memory of 1940	2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	33
PID 2520 wrote to memory of 1940	2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	33
PID 2520 wrote to memory of 1940	2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	33
PID 2520 wrote to memory of 1940	2520	c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe	33

C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
"C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\obwy-8-x.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB8F3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c32995b73373a9cd1dc7f3f9dcbd706ffaac68ff21a6ee431fea909a33d1599a.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB8F4.tmp

Filesize
1KB

MD5
c07bbd1c4e2b5b89042489e4c172527a

SHA1
3b0fe5b268615badcb3632b206e015c6c6de75e3

SHA256
cd6599aebd3bebca10ae6f29be69599a9c970e08ad5b6df9164f9bd8727e5842

SHA512
dfd29f9ac2649f7fcbcd0159ed5a19e56e31f7904db113623be313b48cea5781da69f528dc7d02798da9f686d713b91c0835aa8d6b5a0cdc6928ab9ed75f35c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\obwy-8-x.0.vb

Filesize
15KB

MD5
e29ab1b0934d20f7abc9cacedb2a0310

SHA1
ec477d46793ab10ddce3000a0ad68ed964bb8bd6

SHA256
bc6e59581bdff21477b3f8e19ed85c41a49daa72dc18699c374ff4a9f43e3b17

SHA512
04577be96aab122eb840519138aca535981dc2eb3c6c738186c9e936af3263963392b06d7ff9be741b8d44ad0f55fa71aa3c7f3a9a49df0fc33ad6210586ef43

Download Submit
C:\Users\Admin\AppData\Local\Temp\obwy-8-x.cmdline

Filesize
266B

MD5
ea6b5c63e7dff0fe241c3090750b3c83

SHA1
1ad12d0edd1a29973c1c54fc1df2a3665ac5fe3e

SHA256
4e6b192d9227dd5903a2bfb3fd68ec7ecc276e8cd77617f72b7ec009c1dc9ef0

SHA512
d5c3362e1a7ac669c1aa7087945866f3f63ac2732228bf9712bd5b5ad82a0bcda6bc0e12d34904b0e69e1ffcf82fcaf4ea93317126309500cab9227381901d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.exe

Filesize
78KB

MD5
98873f757dc74f58105b3fe50e6be15e

SHA1
ada9ca13406ae2c7ef4249115cd7dfe0f0c7e290

SHA256
e267217953534d89149b9f4bf60b4a72aa56073366caa6a4fa9eb280bb8836bc

SHA512
dc895fdd34a85e318730b707a68e673a068d3c90cfe35e8dee2b8dbfebb453850a2a3120b78f772f2cdc790045d534fbe78d8223b3e0bef31004bbbdc9876feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB8F3.tmp

Filesize
660B

MD5
fc0fce039dd9b02e635cd63caaeb267f

SHA1
7c31cc180a7f8a37479f52764c4f5328be303f65

SHA256
e7a52a15a201a1005762ae2addeb05dbcd44937679f1270682d1cea773286ce7

SHA512
7d02989efb9fabc9bbf5d765329fdffe8a0b6afccfb04f732e89587dad27a78d2169baa53a12c0a7823d2f79a78c83d3913a8aea37e701208d3aa2afbbe7ae1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2328-8-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-18-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-0-0x0000000074BC1000-0x0000000074BC2000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-5-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-24-0x0000000074BC0000-0x000000007516B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads