d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662

General

Target

d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
Size

78KB
MD5

5fe6e6c238aeeae9b31020099714d230
SHA1

8f5746cd718d6004afef9c00df899f519e3d642c
SHA256

d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662
SHA512

ffcd84dd45465c8f69e183b36ef7eed4801353b940cb8bfb9683f2fc65c55e6749ff580c48b6e1262c35f711e734fec4008364866fab3d79c433366054cbc548
SSDEEP

1536:VRCHF3638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQteKb9/k1/A:VRCHFq3Ln7N041QqhgeKb9/l

Score

7^/10

discovery

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3200	d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
Token: SeRestorePrivilege	3920	dw20.exe
Token: SeBackupPrivilege	3920	dw20.exe
Token: SeBackupPrivilege	3920	dw20.exe
Token: SeBackupPrivilege	3920	dw20.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 3408	3200	d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe	84
PID 3200 wrote to memory of 3408	3200	d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe	84
PID 3200 wrote to memory of 3408	3200	d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe	84
PID 3408 wrote to memory of 468	3408	vbc.exe	88
PID 3408 wrote to memory of 468	3408	vbc.exe	88
PID 3408 wrote to memory of 468	3408	vbc.exe	88
PID 3200 wrote to memory of 3920	3200	d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe	90
PID 3200 wrote to memory of 3920	3200	d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe	90
PID 3200 wrote to memory of 3920	3200	d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe	90

C:\Users\Admin\AppData\Local\Temp\d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe
"C:\Users\Admin\AppData\Local\Temp\d97e205d250aeb462f423921ebbc8932761660d87411b0052c06f02fe1c02662N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\585z-izx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD542.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE22849C4470C49B9A0A138932132C3F6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:468
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 948
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\585z-izx.0.vb

Filesize
15KB

MD5
a72f1040a8efbeb3e57020d2a93ac464

SHA1
bb56f9270790d0660feedb5ee524eaf7765db7b4

SHA256
58a630f8c0229baa50fc695ae9f1f4d774c41a9f05332351e70a14747b1373c8

SHA512
08e4a318667fad04b9915172660e3d79d26ef28c8e128878ead060dfbb7f84024a851a1672083265986542a81161600a3b3204145935baca682d04bd192bdae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\585z-izx.cmdline

Filesize
266B

MD5
5343d7f7815d29404670fe73eee023ff

SHA1
8a62020672fc70cfdb655f7fe341971fb369bdb5

SHA256
16eec998abb3257e874029cd4cf529f9d94220097f71fdf848b6a0c8b2c61064

SHA512
82203d35521310471251baff6cc35250f896d028761274294104b8f052083cc630bb6f9288323dd1f0a8ff37eec030d06c45b7513c42d1263039d4c9c23ba0e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD542.tmp

Filesize
1KB

MD5
c985e7075e1e12f485a0066cc1e9dbe9

SHA1
15e10ed2b7add0d32db963729f7c75b28c14f062

SHA256
43bc9f6749c1bb52a406c8d4a7cb0cda078c210cca6ef1d7b9c07512b25585d4

SHA512
6d5fb9056ac7a910622da5b8e30c5005b728293484f4c2866a617e1146c6eda54a82df6bb309a55095af7c25300c10f7f53bc8957e9692f6c65b3bb30071f516

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE22849C4470C49B9A0A138932132C3F6.TMP

Filesize
660B

MD5
4f035b00310cc1f7dfb1dbea1e79f551

SHA1
f57a4144e631288c426c9c27739b0520573204e6

SHA256
834fbbe38dada45c47f04a0e7903d6548dac3fd5b6da25585f06fe13a63cb50d

SHA512
d6427c749127ff1e086bbaf8b8f07b52e9b4c37c2b9b631fec0a617f49f50da139b9a7da34840a524dfa5945e52fe2cb86902f6ef47431d7e3d019e3219e420a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/3200-0-0x0000000075552000-0x0000000075553000-memory.dmp

Filesize
4KB

Download
memory/3200-1-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3200-2-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3200-26-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3408-9-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download
memory/3408-18-0x0000000075550000-0x0000000075B01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads