3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44

General

Target

3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
Size

78KB
MD5

d1b0cbaad6725537e9d1dd41c4c5ea31
SHA1

7f5c4531fa1b3bf6b749dac24ea8e0c11d1b5e0d
SHA256

3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44
SHA512

dc478a735c33cb4563c401f6912250948e50754cb9e273f35c800d65c84a1d9cab6da14993174c32a2db40ffbd97c3332d74ceaa6d495b8052d0edbb681d5f87
SSDEEP

1536:zMCHF3uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt89/J1PY:4CHFP3ZAtWDDILJLovbicqOq3o+n89/U

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2140	tmpCFCD.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpCFCD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCFCD.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
Token: SeDebugPrivilege	2140	tmpCFCD.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3012	2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	31
PID 2380 wrote to memory of 3012	2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	31
PID 2380 wrote to memory of 3012	2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	31
PID 2380 wrote to memory of 3012	2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	31
PID 3012 wrote to memory of 2952	3012	vbc.exe	33
PID 3012 wrote to memory of 2952	3012	vbc.exe	33
PID 3012 wrote to memory of 2952	3012	vbc.exe	33
PID 3012 wrote to memory of 2952	3012	vbc.exe	33
PID 2380 wrote to memory of 2140	2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	34
PID 2380 wrote to memory of 2140	2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	34
PID 2380 wrote to memory of 2140	2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	34
PID 2380 wrote to memory of 2140	2380	3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe	34

C:\Users\Admin\AppData\Local\Temp\3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
"C:\Users\Admin\AppData\Local\Temp\3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-bjecfga.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD099.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD098.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Users\Admin\AppData\Local\Temp\tmpCFCD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCFCD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3d1885a7ef245540379d764c975dd377a17cf23ca850fd7fa1080499f5898a44.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-bjecfga.0.vb

Filesize
15KB

MD5
6135427a2479e41b5ddd1e781f77037c

SHA1
2f6fcf2a9c2d043f5cd4b201955fbfaf5e92a8e9

SHA256
5f82400f247b878b87479604cc7038db316bbbd99839b596200798d0170cce01

SHA512
aa079eb4463eb22eb835ccbb11401318f35f960d34994402083e5477c6f209d9b2b7f7e484e170ea60b79339a957bfdeaa6592730bdaae7543e85b580189b688

Download Submit
C:\Users\Admin\AppData\Local\Temp\-bjecfga.cmdline

Filesize
266B

MD5
25af1f92385b76b17ff840a43f29ab91

SHA1
885af24331f335723674a40f3fa23a349ca8b294

SHA256
bff421baec20a693e47fcf343df1f2215f2d3c325658c293de3719811fa03a36

SHA512
765a185acd9cc7c27d13e586258ec2900fcd68020bedbad6ce2503174d8ad27501f2c7aca6af711a54efef3f8498ed3b83f25c5432ea07b728a85b89a4010cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD099.tmp

Filesize
1KB

MD5
ed14d97dd1dd336fa343949e52f9a11d

SHA1
61e2f2c919d87e07c6a21d62cb40170b2ffa43eb

SHA256
7efc7ce7521aedafaffcf65c8cca86b9baa89dd0a95a8242de6b081864e95cf7

SHA512
7f1d747bc414b53ec36092f2e0ee2db0c7a7b1df9e31dcb98239724e9b324f86f85184a49ec59e4eafb4e6c4dbe4d3401ad24603d516706d838147dbc581bf84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCFCD.tmp.exe

Filesize
78KB

MD5
c18a56dca9d69d835cad951cf510a650

SHA1
94b4c024f8280d7bff434cd6c843db0fda3a5f4b

SHA256
405346018cce86127a0d71017cd8fb2a6a7ba5b7f58ecc98e7e25332f06dc8bc

SHA512
c27aae58de5c0fc75213d6410a91fd3094e2b984d28344d5ad97e790167b11ec5d8ca3275bad2be21cd4d1c5333221b90ab2b7238d11458286d55bc5f07826bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD098.tmp

Filesize
660B

MD5
86677339f43909c1233231020f1f2c6e

SHA1
a75fb09227a7c969aa6235683a05ca5caaab59ec

SHA256
e1a5e9c45b58613decc59110780eeb27d31ef3ebf8a6a34a430400c8576dd4b1

SHA512
f242f6a2ab09141d278980bf54eebb0ab7a2890eb63daf79013a49e5ee9db9ddf3a034592e0ff95b38c4956edec4894b9a29bc8c4db9b227dfbbfa79566a5638

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2380-0-0x0000000074C11000-0x0000000074C12000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-2-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-24-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/3012-8-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download
memory/3012-18-0x0000000074C10000-0x00000000751BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads