f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014

General

Target

f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe
Size

78KB
MD5

312b2cc8ea25af01ca9df477c4d04740
SHA1

035d33b077c0b6893428915cb39bc8d6e6c3fa96
SHA256

f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014
SHA512

6d8b1ac8f8ec0d2549a25ceb66e4a8d21047807901c73824b3c0302ed58a08e113e31646a202f70dedf79406c193bd7e783c80547e7481c4099ff9e144a95577
SSDEEP

1536:/WtHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRx9/b21bZ:/WtHshASyRxvhTzXPvCbW2URx9/2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1156	tmpDDC2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1156	tmpDDC2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe
2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpDDC2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDDC2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe
Token: SeDebugPrivilege	1156	tmpDDC2.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2088	2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe	31
PID 2492 wrote to memory of 2088	2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe	31
PID 2492 wrote to memory of 2088	2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe	31
PID 2492 wrote to memory of 2088	2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe	31
PID 2088 wrote to memory of 2916	2088	vbc.exe	33
PID 2088 wrote to memory of 2916	2088	vbc.exe	33
PID 2088 wrote to memory of 2916	2088	vbc.exe	33
PID 2088 wrote to memory of 2916	2088	vbc.exe	33
PID 2492 wrote to memory of 1156	2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe	34
PID 2492 wrote to memory of 1156	2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe	34
PID 2492 wrote to memory of 1156	2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe	34
PID 2492 wrote to memory of 1156	2492	f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe	34

C:\Users\Admin\AppData\Local\Temp\f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe
"C:\Users\Admin\AppData\Local\Temp\f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\edgwge_-.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDEDA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\tmpDDC2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDDC2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f535d466ac391e82fdbefdbbb4a6b1ce3b9e379cff0ae451dd6044c3a13f7014N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDEDB.tmp

Filesize
1KB

MD5
410703a463d65dd3ebd5dc3bdac3047e

SHA1
5e9dce3f3c937d4cf27ff8537f24812e97977e80

SHA256
bf9fff32229c50cd5afad5610080ba2c4d54b60b6016be9d15220eb5bf9c9f54

SHA512
f6a10b7749e987c30cb88a471d762919d0d99ea96e3f536588fafb198360bd73ffbaa8974f0151fdc4ddc994ca1d2169ae0204df89d6dd0a0bfea1fa5450139d

Download Submit
C:\Users\Admin\AppData\Local\Temp\edgwge_-.0.vb

Filesize
15KB

MD5
198b0332844b260fc956c387a3bf70dd

SHA1
05c7fb2532a58c7da5a5cf79b7c5676421eed09b

SHA256
5935afdc61751fdef8d0dfdbe5eb3e3859269f70d506c01ec4d9deeb0be3e06a

SHA512
796f979faa37a84ee888bd006602a98a2bb952f3877b9d22fcdc06d4add9134ee01e04c481ad4836c456c41392649282554c85bdd48c26fa1e71e69f09722013

Download Submit
C:\Users\Admin\AppData\Local\Temp\edgwge_-.cmdline

Filesize
266B

MD5
a1a99fbd32f89f624f171624659846a8

SHA1
6413bbfe25d246b6c501ef7fd0fc1c2694b5ec82

SHA256
ea1bba2c89e1c17b37df161bcddf721fd82f70283e7c3ccbacd8d63da9cd9147

SHA512
4051e42178c0c99b54f0d29508251150206e0d9b1669b071628fdbc8c344bb242678a39063ce23f7696c8b5ac993166f5431c18723ef7e19ae0bde002e44dce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDC2.tmp.exe

Filesize
78KB

MD5
0fb82f0a09fcf3ccc8c46c8fcb6276ee

SHA1
fb6c4a5a42eba5539bbabba933639d625c0b3f41

SHA256
df5e082e8571c0cfca73e567d90e936b66dae80a763e165d6fbd28745d58da9f

SHA512
acfa2a559d9bfe104a2f4e55a04150cd5716e9e2c11734cb900e2b354b4f5028450b559390fe8f87bd064112416ad0f235375199778ca9355866716686a64200

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDEDA.tmp

Filesize
660B

MD5
b21c421970ab847f02924feb2376ca4e

SHA1
ba2f462a0a85767d3fb6bc8d24ffc16f0107c1c8

SHA256
a2836058da8e24745e1616905b1f282abea2de1b49a260909cec8340ef19c0e5

SHA512
343e248e2696cc5b51154f1ba07936ea6f28e973cf6b757f5971603c72b8a572d4007467113de1198e3e3c95e0ddc00dbd675f24f57fd93228caecc1e7a99b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2088-8-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-18-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-0-0x00000000746A1000-0x00000000746A2000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2492-24-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads