54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2e

General

Target

54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
Size

78KB
MD5

f4247435e512d54b0c1c20cd764a8750
SHA1

60912dfdeb34dffe7623d8676734160567d2b3a9
SHA256

54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2e
SHA512

7ca7436464d6ea2b88f50921b3f176bf9bb2a6d3a0ffe7ab6e6249173bf44ad5ed4f9d853b45c51cea34919c542c66fbef750518e11d263e1dc44bded7832f40
SSDEEP

1536:Q58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6P9/F1+g:Q58An7N041Qqhgn9/f

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	tmp760.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp760.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp760.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
Token: SeDebugPrivilege	2672	tmp760.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1280	2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	30
PID 2444 wrote to memory of 1280	2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	30
PID 2444 wrote to memory of 1280	2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	30
PID 2444 wrote to memory of 1280	2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	30
PID 1280 wrote to memory of 2760	1280	vbc.exe	32
PID 1280 wrote to memory of 2760	1280	vbc.exe	32
PID 1280 wrote to memory of 2760	1280	vbc.exe	32
PID 1280 wrote to memory of 2760	1280	vbc.exe	32
PID 2444 wrote to memory of 2672	2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	33
PID 2444 wrote to memory of 2672	2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	33
PID 2444 wrote to memory of 2672	2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	33
PID 2444 wrote to memory of 2672	2444	54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe	33

C:\Users\Admin\AppData\Local\Temp\54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
"C:\Users\Admin\AppData\Local\Temp\54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fjoeji0t.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe" C:\Users\Admin\AppData\Local\Temp\54c420ae2f2b9361205135bd71f0e7cfb3f61a0ddada7842d0a4b47083a02d2eN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES83C.tmp

Filesize
1KB

MD5
85b7fdeedea68730b738afda8192deda

SHA1
c50498ae2205dfaff3e5eaf9d4fc6b3bb68b8d1d

SHA256
5d3ab0ff2852b23361f84ebaccb19ee5b691ddafbd3093b54b81cf5efb6df04e

SHA512
d4c829c067c2dd8f23a73ade28f97a3fe818c4ce9a793c2e99b37dcde1674610cb2d4de8f416ec1f6f8f8c4c3a8a87575c359ac7d1ce83fb2b21003e9591e19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjoeji0t.0.vb

Filesize
14KB

MD5
ddadd39e0bbf06afabaa4117432ddd30

SHA1
82f07ab20bfe7195bfedd03dd43b4e1787666e5b

SHA256
521a2eb849fdc1c4cb29301ca0f5e9bd2794c9c87cd727a65f9a0009a1691eb4

SHA512
ef6fd35108d56132f3ab12b0c312a753626532082e79438f70c17b1d8d56d2bd59614fa3d30b1138d0ad2dab332ad2ea6a1be16c51288d3e3764f86b76a3a46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjoeji0t.cmdline

Filesize
265B

MD5
0e272ea93db24059f0aaa241a2c8ddf1

SHA1
9f234291943f79cafe1edee3dd6989b529832411

SHA256
0cfea364c5d8245435166bd20ca181add59d41b0744e258c1db0bf2a2dba1f47

SHA512
acb1ecbefd2529fbea22811c119a11b7f9228e2e79b1e1cf36fd171a6ca30c8647c55ca4edf3b4b0a75420e57c79c0159ea55f18eefcd91ce548729313b01eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp760.tmp.exe

Filesize
78KB

MD5
a635173ff72d928c25474755620f5a81

SHA1
adf4caccef5584f0df0d1596df3d0287427bf1f2

SHA256
0591c3cc7a0352e986a06c1ccdfaf8a793761453e54fb226ad66144c6d359f02

SHA512
6a71edf8f55a83c9f34456c2835534f6b292cfefd6ed70bf6e97593f6bfec6f04f92ecc483e4b1e2d5deadc454375a531ebc033f023f1cdee1d938c98ec6f6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc83B.tmp

Filesize
660B

MD5
13919ca909b3c480200a1541961ef351

SHA1
53ebe955f84b543d17eac71d2421414f3a620a52

SHA256
599a0159cd645ca31365dfd70d1e26f4819a5a547f210c6261f18a85e82ded35

SHA512
af57a372e925940cb61e91699a42a571599ed8da033cf2f9dadd436154f6200a84d2ac1db2a7d4f51c2bc1a634b200040856c222e299eaf5ac0a03150d651fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1280-8-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-18-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2444-0-0x0000000074E51000-0x0000000074E52000-memory.dmp

Filesize
4KB

Download
memory/2444-1-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2444-2-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download
memory/2444-24-0x0000000074E50000-0x00000000753FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads