eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89

General

Target

eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
Size

78KB
MD5

edadcbcef93c77248f4d2c0c723ac480
SHA1

9e63fbfcdc6d64d4e2eeb25f7b252ba6d5c1bd00
SHA256

eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89
SHA512

ef758c1a6b869ff711d6803e177e78670ab711868216881630108aa846ef1d63d824e9d92f99245eccf0c91939f26f1510fdfb12e5c2f16bd5f7932e144946c0
SSDEEP

1536:ZWtHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRM9/q51KS:ZWtHFonhASyRxvhTzXPvCbW2URM9/E

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe

Deletes itself 1 IoCs

pid	Process
1192	tmp9EA1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1192	tmp9EA1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9EA1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9EA1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
Token: SeDebugPrivilege	1192	tmp9EA1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 404	856	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	86
PID 856 wrote to memory of 404	856	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	86
PID 856 wrote to memory of 404	856	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	86
PID 404 wrote to memory of 1032	404	vbc.exe	89
PID 404 wrote to memory of 1032	404	vbc.exe	89
PID 404 wrote to memory of 1032	404	vbc.exe	89
PID 856 wrote to memory of 1192	856	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	90
PID 856 wrote to memory of 1192	856	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	90
PID 856 wrote to memory of 1192	856	eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe	90

C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
"C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-wjo36of.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FDA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17BC190287FF4501B3D683BB142ADD59.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1032
- C:\Users\Admin\AppData\Local\Temp\tmp9EA1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9EA1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eece45f26d79f1dfc633210cd874ac92cbf707752f9a79be72032a27511cff89N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-wjo36of.0.vb

Filesize
15KB

MD5
6b86b451c5335b6ce0d3a171b1fa8cd2

SHA1
c6524d43563de82cbfc7a3f81d6f45276849767f

SHA256
38f98759b1165183c5e4ebd1f22c5372190fa5fd25f72959415ccc782d1974c7

SHA512
01dbbe37b62fa6b0417a05f5ebc5ab14a04302a389ef16f85d0c3a04ce4395d04400fd83890d3597c083fb0f0a26de04124ca3263140ae22f9cbb15b2ec269e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\-wjo36of.cmdline

Filesize
266B

MD5
93841053acd4bf52cef4bed2f349ac7e

SHA1
f98e65478e1c0aca51c995dd4f02e9c926d4f608

SHA256
39b10b19281515fdc4ec21f990322a2529e840f4bc5402d892836838a0bd660f

SHA512
08be3ecda33934a228311ed5e37dcf524d1d4db29a2d956f359ce4b2c03f23075358ab04e605b13e542deadb27ef8f2d605f947316bd219a00f81ccd41cf0755

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FDA.tmp

Filesize
1KB

MD5
6aa93910e164ad93bcf8411dab54c8ea

SHA1
6237cc562b639fcb4736b619727873f4b4aaf340

SHA256
813854c5c7f204316c5789ad689f90aacd981413eac4d902d785185308021130

SHA512
8ebc91efdd95ae1e0ef015269891e385946722f317f5827bb4b28557fac28f4c9155c981a7d67fd4a4679b5c6a5a140df81a0790016c57ab1cf2d7f69245e48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9EA1.tmp.exe

Filesize
78KB

MD5
e85da57992ccdf6b37870533b48d2fb7

SHA1
861f8354d6bb6df458f931a452059382bafd9ee1

SHA256
5be9420d70a90e0c2f12a005aad21c26f69aee56eefb850d7a66a9e4b4134d70

SHA512
8aae15c8bc1ba15dde37b3286cd3f4f7a5b32a21bd8d9f54a3a16ee305e1993dcc67a432a08727b1d070dff0aea80ea5e0bd7c488fdbce20d9970e190105d5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc17BC190287FF4501B3D683BB142ADD59.TMP

Filesize
660B

MD5
296af5c3c7851ef62b2781e7c160128f

SHA1
4d399eb3621696c672ed55da01244a8625e7e127

SHA256
5d727ae1cc420a96d7893fd78478403956723e4798fc73c8e54dc5c87f3f047d

SHA512
d029c0f8f599e0f8f344d9ddb8bf312c38da0f8caceedd52b027e20bc8f6008a71b2f699da559535e8acaba5279a4bd511b629f1c9451aa68359d90ad1fcf549

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/404-8-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/404-18-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/856-0-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

Filesize
4KB

Download
memory/856-2-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/856-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/856-23-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-22-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-24-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-25-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-27-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-28-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-29-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads