1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3

General

Target

1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe
Size

78KB
MD5

f30d905a04787aafd07f4393b63a5660
SHA1

54c0ae409613224f5b0cd092f66f5cf4b3ab851b
SHA256

1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3
SHA512

a32c89a73e809e23ff22bf096929c74f4e636f6d537579acb809c96480c7eb285c8d6e0c053721d8f9ccd1e426faa0830503df7d89bc92f89f4f3e48efb1e5b4
SSDEEP

1536:E58fXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96w9/c1uB:E58/SyRxvhTzXPvCbW2UP9//

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe

Deletes itself 1 IoCs

pid	Process
1800	tmpB18D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1800	tmpB18D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB18D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB18D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe
Token: SeDebugPrivilege	1800	tmpB18D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1476	2328	1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe	86
PID 2328 wrote to memory of 1476	2328	1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe	86
PID 2328 wrote to memory of 1476	2328	1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe	86
PID 1476 wrote to memory of 4936	1476	vbc.exe	88
PID 1476 wrote to memory of 4936	1476	vbc.exe	88
PID 1476 wrote to memory of 4936	1476	vbc.exe	88
PID 2328 wrote to memory of 1800	2328	1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe	90
PID 2328 wrote to memory of 1800	2328	1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe	90
PID 2328 wrote to memory of 1800	2328	1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe	90

C:\Users\Admin\AppData\Local\Temp\1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe
"C:\Users\Admin\AppData\Local\Temp\1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bgpnbq-f.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4BA8BB9E98F3416AA7A43C9FDE3CAFB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936
- C:\Users\Admin\AppData\Local\Temp\tmpB18D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB18D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1f55099e7a17fc26f66f0794cb93fba7ad7515da4455f510fd687d44e86a50a3N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB2B6.tmp

Filesize
1KB

MD5
bc025070f13f1dc8830d394a7988bca0

SHA1
f315a27ab2d5b9fa50bdc53869fb40f78ac3438d

SHA256
58bf3d0735b1a597084902210102b9825b0139a7142cc66adb04e649422194f5

SHA512
3baf4a96a8f42c3e99f6ba607aa522ebfdb220bb1cf4b555182c9b492916ea4487d5547cde109036a28ba8f3006a32dfacd46fe93dc6e8e45c27dacd2f6cb99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgpnbq-f.0.vb

Filesize
14KB

MD5
305cac9873913fbcc6edf18a02e0a7d3

SHA1
faa54bc393392c5c2e4611f66a8f55069df3d2ce

SHA256
2bafe1b1a41a050ba4411cb1fc48fc41fec4518e2d331447419c8c37d1b2685d

SHA512
5d736204086427475b6b2b3cf7c78c61fb9d8b2c3de33cf45d4525173cfae2e6932d16124ac73bfe40ec7674f6e96953e9db9c3bb33b060c677483d0124fa64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgpnbq-f.cmdline

Filesize
266B

MD5
88356832e7c952cf66933ea558e91b2d

SHA1
4b6440594f94bd557fa3e543f57ab420333fe252

SHA256
f8e9dd924fe0f537761145c51f98f41ce9b535fc49a366c9f8ef33a7706cbdfa

SHA512
298b29a6f4fe4f9f5753545575244cb705861c6638bf423d0d418af6e210b8e946e1f1ca45e0d05cfee945af84cb8cf041fb3a3c5e86f7fa74f83e7747f6f3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB18D.tmp.exe

Filesize
78KB

MD5
a3e6b19f92c32babf6dc20858cae1ca2

SHA1
77a2ac2875fd4472807bd2f69d55a6480e9dceea

SHA256
7e14c304563cf83a6cde74d69f952f4fa21d457f140b8de10ef51515bf3b83d2

SHA512
a6d1c8b1f295ab279991391242d7a631412043b7e4ecb1ffe7fc46286cf9f3eaefa081f837ab9506755a9236436c0d67606d29d1b9133dbfb8c33ac9da65d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4BA8BB9E98F3416AA7A43C9FDE3CAFB.TMP

Filesize
660B

MD5
e595d1f4256faa09275706cc04e987c7

SHA1
3eb5b6fa070d65c46bfc3235f1d8efb1c4fa3d33

SHA256
d3af4e0b6ec3aad467f534ae2ae38561ca857d4c147f09711c07f04926e8c383

SHA512
4cd3a6d43919bf03de77bceecffb26832014a45d1aaf2d4bde66f6702b786e8bde133ba26b300cd59b6bab3025b88fda0dbfb10e96a2517fd6c8b6b4dd88e7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1476-9-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/1476-18-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/1800-23-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/1800-24-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/1800-26-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/1800-27-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/1800-28-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/2328-0-0x0000000075462000-0x0000000075463000-memory.dmp

Filesize
4KB

Download
memory/2328-2-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/2328-1-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download
memory/2328-22-0x0000000075460000-0x0000000075A11000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads