ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919

General

Target

ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe
Size

78KB
MD5

415ea480dd1ddfb40eebd372faec85a2
SHA1

17b5c8dfa4604e3ba47b45e6c9d79c2341ae3725
SHA256

ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919
SHA512

a141a8b1228a15e284741e86977c05c66d25238925137de1a3e30e3d8d085bee1ffeff2d7b732a1571daaadd1069d622ccb056b53127461e9ab88a7aeb9d70be
SSDEEP

1536:u58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6i9/R1Nw:u58An7N041Qqhg69/C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2676	tmp81C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe
1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp81C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp81C.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe
Token: SeDebugPrivilege	2676	tmp81C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2612	1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe	30
PID 1476 wrote to memory of 2612	1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe	30
PID 1476 wrote to memory of 2612	1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe	30
PID 1476 wrote to memory of 2612	1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe	30
PID 2612 wrote to memory of 2716	2612	vbc.exe	32
PID 2612 wrote to memory of 2716	2612	vbc.exe	32
PID 2612 wrote to memory of 2716	2612	vbc.exe	32
PID 2612 wrote to memory of 2716	2612	vbc.exe	32
PID 1476 wrote to memory of 2676	1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe	33
PID 1476 wrote to memory of 2676	1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe	33
PID 1476 wrote to memory of 2676	1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe	33
PID 1476 wrote to memory of 2676	1476	ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe	33

C:\Users\Admin\AppData\Local\Temp\ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe
"C:\Users\Admin\AppData\Local\Temp\ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\etkjrlbi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8B8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\tmp81C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp81C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ee7322bae41d7ec10617f909e1288b52aa992de099eef44aa7c16c575ad14919.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8B9.tmp

Filesize
1KB

MD5
1d715e993c2230d8a5f0c4282897040b

SHA1
2e993452d19566122a90d418e295ef57ece2f62e

SHA256
29a963d60c07c8e14e89aa527d08314cc197d6b884be343521601ecbf274b27c

SHA512
5d4d8f9409dc298da3a300709f2e71c98a9eb836a8ecb2f0cfe91221bfe396cecc7355f8181950c8427c2db28507223d75e9842a2c6d499106e288da5c5fca0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\etkjrlbi.0.vb

Filesize
14KB

MD5
1f2ef3c8709bb27c2be954c37e1e4427

SHA1
10795056554c132f56b9c55e7572e42d9489428a

SHA256
592f43a15b0a88c31bb8aad882aec23191a69d109e09c427ebc5dc67214f77ac

SHA512
8927ff4446c9a54c06d04d6df1744dd0a0a158864f2889daaab659a7a25ea14857f230b8f7caffb1b7228117f8775b6cfb597a618d37cc6c742d940387cc30c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\etkjrlbi.cmdline

Filesize
265B

MD5
7cc8df7c41595c98542081514f9dd799

SHA1
373df56f838d486b9c970ad26ae2b3b919f0fa51

SHA256
1f196a216dfacc82b09eda57a5712b6ff6ea6f52e76a5ee7174a9794d2168904

SHA512
d12081a64766cb7b6c6d2080f6000feda3ae0620d8900642fafad080f044ab5b228496d5405a9c6e176c57ba19397208e9b038c03b23d92f6f3f8908ef1dce07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81C.tmp.exe

Filesize
78KB

MD5
d06599b02a15c77d41794894f4b17aa7

SHA1
0d1b02163a2479b3449e1b21dd59200575ccdcb9

SHA256
7e2bd5efa4dedec37bccd0de594cc31b2730b0d3a1f0c14955951826b17ad842

SHA512
ccffdbaf70bb530b0d4801445f852c34550dc488af758a70bbe03ea447251be1a182172c1eafc9d6ed3cfa62b7236a9d12477630656f4e873b96bc9cc9dfa380

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8B8.tmp

Filesize
660B

MD5
f85dc42c5d6f0d33ca6381064ecf465f

SHA1
5a091f47617c80f70271a31d6c581c85509c753b

SHA256
9519e21f0d9f1ab0afb7f6fdb7229280be0cbaf1ccde25341badf91b3fa81070

SHA512
f352890396479e15ad98a0ec3277c2b8a6a78ca281b6278e50ee88cafe180aa41b185ad2e2e8c28de8962aa3485a7aba28d848068a1fe7549ee91fcbbc7571a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1476-0-0x0000000074A81000-0x0000000074A82000-memory.dmp

Filesize
4KB

Download
memory/1476-1-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-2-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-24-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-8-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-18-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads