c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11

General

Target

c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
Size

78KB
MD5

d33d0480db077326513829ec447228e0
SHA1

f31fcdbc6d2d8d3412a098ba88a80eb5b545ebaf
SHA256

c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11
SHA512

70e76359a1c4a8e64727b5617becfd945bd897ed9596374c31d9098c4644ebe8a35b8e7628fa24541f3cbdbbf3c0fd894ad6c263a46c82f31e0a72c4a4c2dedf
SSDEEP

1536:F4tHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt1d9/n1c1:F4tHYnhASyRxvhTzXPvCbW2U1d9/u

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
848	tmpE2F0.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpE2F0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE2F0.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
Token: SeDebugPrivilege	848	tmpE2F0.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2492	1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	31
PID 1944 wrote to memory of 2492	1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	31
PID 1944 wrote to memory of 2492	1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	31
PID 1944 wrote to memory of 2492	1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	31
PID 2492 wrote to memory of 2900	2492	vbc.exe	33
PID 2492 wrote to memory of 2900	2492	vbc.exe	33
PID 2492 wrote to memory of 2900	2492	vbc.exe	33
PID 2492 wrote to memory of 2900	2492	vbc.exe	33
PID 1944 wrote to memory of 848	1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	34
PID 1944 wrote to memory of 848	1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	34
PID 1944 wrote to memory of 848	1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	34
PID 1944 wrote to memory of 848	1944	c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe	34

C:\Users\Admin\AppData\Local\Temp\c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
"C:\Users\Admin\AppData\Local\Temp\c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g-jzvrn7.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3AB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900
- C:\Users\Admin\AppData\Local\Temp\tmpE2F0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE2F0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c19aadb23fb89687aa8150708f6519c071c6dcc55029ad888b288a067556aa11N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE3AC.tmp

Filesize
1KB

MD5
61067bde7cbb0a5754e2c558b484bfa6

SHA1
9aeb23bbf831e1276eb21bd21fd610c1a30afe6d

SHA256
d21a484122515f24f1c73a8c91f5c68304ccc8cd60e21a20be791237cb5c5348

SHA512
69a41b973684ae880201ca528214f8cbd5c98b7dfc93ff10612508cb385b766f3e097270a0652a4f935c575f2d2a3d41f6607d2df7e2d89263b18f2efd285e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\g-jzvrn7.0.vb

Filesize
15KB

MD5
5145f0095ffc69413fb2a3f3e160cabd

SHA1
74cb81962745207a6f2260e20da3dc32fa8a55dd

SHA256
370fb7e33b513a1df44a28ac7e4094c495286fe2fa10c4943232a4d958cc9ef9

SHA512
c907a01bf01f0d156ae6b481168dd551b28a0e18a8591e45f26673fd1188003bc045e106d5cfa064153db6c52dd47764e4ba86f8c94fa1b1e358f8a9e1dbad9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\g-jzvrn7.cmdline

Filesize
266B

MD5
bbe8c426ff87ff23118323f42a9d5a8e

SHA1
24226f22a848112585d9dcfd740546db9892fb74

SHA256
3e1c04d7f955987e782ba8a3ab2bb3f722f0f695af4be864be19c3714074cf1a

SHA512
06e85b4937055b386f9d82809e5e58328d2ca8da4a7354bfa042c7a68246728587c7b883236b3944391f6e194e61a52fca7b72e0d9e8f978726078c2322595d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2F0.tmp.exe

Filesize
78KB

MD5
19af89a891fd3e2c5fa379e4654147d9

SHA1
4fe911106d9b22cc70eaf640913b9f520d8154cb

SHA256
7615661ac68cec263e1b5606587001dc0783678dddaf3b7fde1d81c12806588a

SHA512
97696c48157d2575b9fc7b3bd26f40ac5da6043b7f859489dee6c1d04a3ac49da5d520b0298dee025472caba12bb5b27cfd88f02fb72ffad1129033a2b24e0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE3AB.tmp

Filesize
660B

MD5
2b6491eadc29cda152ca7e64acc096e6

SHA1
080eaf7d53e4bfb51cd98e977ad452f57b071e27

SHA256
41bc71222f81e6981b82aab72836589449edd601ac5411c28ffca4baf57c6cc1

SHA512
c53b1ca2adec4cd3c15ff3a1e3c24013750693f35d2d42a1b295afde70162a0ac56b76cfebd3148f0cabca73b35d3d0a70a690479c5b0b4f49b899844afa522f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1944-0-0x0000000074381000-0x0000000074382000-memory.dmp

Filesize
4KB

Download
memory/1944-1-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-2-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1944-24-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-8-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-18-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads