a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabc

General

Target

a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
Size

78KB
MD5

65401931f5e4367d829d2a43b4fee2c0
SHA1

bd154f5a3946280905d2cf01a9e4d745a0b6f616
SHA256

a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabc
SHA512

cb3f00a174b4820f75c2254804f051bdbd1ddb5206eecfce6f8e6621a8d6c606c7cd7036d814c7055aacaa5d01a56ce27a0cf8c2f2886289b214bc1165c5fd21
SSDEEP

1536:IHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtd9/G12B:IHshASyRxvhTzXPvCbW2Ud9/l

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	tmp9A9A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9A9A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A9A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
Token: SeDebugPrivilege	2716	tmp9A9A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 4480	436	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	84
PID 436 wrote to memory of 4480	436	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	84
PID 436 wrote to memory of 4480	436	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	84
PID 4480 wrote to memory of 1216	4480	vbc.exe	86
PID 4480 wrote to memory of 1216	4480	vbc.exe	86
PID 4480 wrote to memory of 1216	4480	vbc.exe	86
PID 436 wrote to memory of 2716	436	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	90
PID 436 wrote to memory of 2716	436	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	90
PID 436 wrote to memory of 2716	436	a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe	90

C:\Users\Admin\AppData\Local\Temp\a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
"C:\Users\Admin\AppData\Local\Temp\a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a-n7fhtx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BD2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCEACBBF78DA44CE1BCA997753046D197.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1216
- C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a70d6bb6cf18d990e14d34870e163ca14451a3a64f465893bcd21b7702cadabcN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9BD2.tmp

Filesize
1KB

MD5
39c80ffc96d3380024ce2201059d0b4f

SHA1
015105be765eb707f338068e8c09732d46c332a4

SHA256
938fa13bbcef7d68c1f4f37bab24088f6844fbbfedf51ca229b28411bd93588e

SHA512
f93e72b9ecf33435c5b7be6bd4bbfd4248f24f04bb595519a4ddf0e636feb907955d000f48b050365b0d11768b583ae1e888a8dd7dedda1db35a74b0266c1fb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a-n7fhtx.0.vb

Filesize
15KB

MD5
5ecd99f20dbdcb0698b0f8b97755eeb4

SHA1
2746390ad64b8991c6ae19d34dfb9d2581e896f9

SHA256
3c06c0b6215d68cc9c6dbdb40f67af3d8290fdef4168401d5cd42396a241de42

SHA512
1e8523c0c47a118ff37a6f3cfa0acbbbf3fd68c8e0650c0133b1befa238a5f61e0869f960645439ad560e35c8d374f18d01f037f7415b8fecc60d265e2d3b33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a-n7fhtx.cmdline

Filesize
266B

MD5
755277b5653538a7c0f14439271278ca

SHA1
93839e0770c7f271a220557effbf5b19ffd342d5

SHA256
21823cb07c6fab75fe1b3bf7700ae121aa1c9d50f0fa57056861475d912f5957

SHA512
0eecd14db0ec20b26fa0f8ab3998bef0804268ab47a62d87247d6cb0f6ce537e23e221bf69fcd7364268f654d4227576d9d5ea90464c94807113c5f9328d0d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A9A.tmp.exe

Filesize
78KB

MD5
95bf050270cec7ef95fddff0d3be50bd

SHA1
fe23bcb6c72799a2f06a85f5e7c412fac489d6b3

SHA256
1bba23112807d5972781b0dfcdd459cd374f3252186f9b4c5b76e739882119ba

SHA512
64ddcd3c149e1d69eae4c345b70d392efce878192b8f687479f091e08bf6127b561ef09b425cbbaf55fc39b2351db7aff11997f510e59a921771a42496cf1635

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCEACBBF78DA44CE1BCA997753046D197.TMP

Filesize
660B

MD5
c0dc8a76a6b8151727fd299fb8fcaf60

SHA1
eb4828088205baaf92cfc000534f045b0c7b5cfe

SHA256
a01e63f95fcd953b8de23d44899af867ac98f7cb8dca8f069823512d70d19036

SHA512
7c6532389098fb3686ad1444a2119fe9338c364d587077ede0d8a5cda5216f4c4d3e47d620609b22e847206313356db4258c7ef1a9d7622939ed85f7b1d91946

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/436-22-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/436-2-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/436-1-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/436-0-0x00000000748B2000-0x00000000748B3000-memory.dmp

Filesize
4KB

Download
memory/2716-23-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2716-24-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2716-25-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2716-27-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2716-28-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2716-29-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/2716-30-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/4480-8-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download
memory/4480-18-0x00000000748B0000-0x0000000074E61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads