3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44

General

Target

3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
Size

78KB
MD5

d1b0cbaad6725537e9d1dd41c4c5ea31
SHA1

7f5c4531fa1b3bf6b749dac24ea8e0c11d1b5e0d
SHA256

3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44
SHA512

dc478a735c33cb4563c401f6912250948e50754cb9e273f35c800d65c84a1d9cab6da14993174c32a2db40ffbd97c3332d74ceaa6d495b8052d0edbb681d5f87
SSDEEP

1536:zMCHF3uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt89/J1PY:4CHFP3ZAtWDDILJLovbicqOq3o+n89/U

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	tmpBD35.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpBD35.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBD35.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
Token: SeDebugPrivilege	2732	tmpBD35.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 3888	1372	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	86
PID 1372 wrote to memory of 3888	1372	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	86
PID 1372 wrote to memory of 3888	1372	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	86
PID 3888 wrote to memory of 2724	3888	vbc.exe	89
PID 3888 wrote to memory of 2724	3888	vbc.exe	89
PID 3888 wrote to memory of 2724	3888	vbc.exe	89
PID 1372 wrote to memory of 2732	1372	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	92
PID 1372 wrote to memory of 2732	1372	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	92
PID 1372 wrote to memory of 2732	1372	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	92

C:\Users\Admin\AppData\Local\Temp\3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
"C:\Users\Admin\AppData\Local\Temp\3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\de-ubfkc.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5E60236CB9674CD3B9C723D672EB3BA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBE10.tmp

Filesize
1KB

MD5
f16248502ba75dcc8e58571158b65f4d

SHA1
da48b4f3d7f3d532ccddd0d5844caf51dd259e66

SHA256
b07e26837e2d745cf2ec121ffebcda28f85a38212f1230cc7963e3ab5f482e13

SHA512
add3fbe16f409f7eeecc3d88c53aaa593e22fb485e40b240ebd742f4f0dde7f8f339326b2bc7c211e651c4eb9d22a74fac8c0bd6f0fd92a3484f46d182cf6f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\de-ubfkc.0.vb

Filesize
15KB

MD5
8d1d77767160c9c16d5bc5bf91ff7bd1

SHA1
804b054d82f8d6405a7e93e34144d374444a799b

SHA256
237d9d33803c19f5bdd3ed1aa59b028fcf9ad60541cd233fd14504a7cbd6c290

SHA512
48147c6b8e54319ee3c02dcc7dcf3ccf7d1ed3fb6ea633289257c30c17ff31d0f05719cedeba181018d05bc6fc66abc04f469481f220929de8966c41208f2798

Download Submit
C:\Users\Admin\AppData\Local\Temp\de-ubfkc.cmdline

Filesize
266B

MD5
b6c16f4674e7bead1d40493aff471884

SHA1
621740595a724b5eeced2fc4228567b3a57a7895

SHA256
2ea3a8c608dd1af94f8eacfa1d5ab9150fb13fd8db7497ba784b246aa42bb242

SHA512
df6a7444157e6d5766781d334fe48805ccf4f2cc2c6e4551ccc99139566b3f36beaf622110cda5ee463b8129589ddb841667b8e6069d90b3129763f3ab0aed3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp.exe

Filesize
78KB

MD5
ff7f12d9d002fb0fa9b744148b98dfb0

SHA1
c9b4d7222a69a49bf753eac0de1957ef50e944db

SHA256
4458bc275565a7ad83b6aabc481f99faf9c5c4e1256ae55cc1855566ebc20064

SHA512
dd371681c6085220bf85e53afad3feb72454a6f5566c192e9484c5f7d25f9093c4423b924f0b087d0374e7e363864b16ffcac092b48fa565b2a9e521e83feef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5E60236CB9674CD3B9C723D672EB3BA.TMP

Filesize
660B

MD5
4d54f061efff9cc751a5c36a0d471d44

SHA1
378d07e4333cde8385cd9f13153dc411202c416a

SHA256
0debe719b70154bb1c810249d7e64939533bea061d7b9da99426b1fe60af6414

SHA512
51fa0cbe871ecf12aeb7b5602a7d27e6c4613446850448f816272d74de3951649422738e42e5a7f75fcc057eabd005d6b8b00956767fb53ba2dcc7724aa71804

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1372-22-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/1372-2-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/1372-0-0x0000000074702000-0x0000000074703000-memory.dmp

Filesize
4KB

Download
memory/1372-1-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/2732-23-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/2732-24-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/2732-25-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/2732-26-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/2732-27-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3888-18-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3888-8-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads