6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172

General

Target

6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe
Size

78KB
MD5

41bfbd29b3d9a9f22e0290f77cc24af0
SHA1

f939e45ce0e1f7d92ee5c0e5b2cde2f85a1c7205
SHA256

6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172
SHA512

0ce5f3cddd6c82a1e88c87d3e766e46d8badf2606d08e98194ebebb51e8e73b864798d00a0d38bc3785d46e4938e47accde92f674be2db693bd7f740de4f7cd6
SSDEEP

1536:LtHY6JIdXT0XRhyRjVf3HaXOJR0zcEIvCZ1xjs9np/IPioYJbQtH9/x915k:LtHYOINSyRxvHF5vCbxwpI6WH9/xK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	tmpAE2A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe
3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\""	tmpAE2A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpAE2A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe
Token: SeDebugPrivilege	2736	tmpAE2A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2192	3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	30
PID 3032 wrote to memory of 2192	3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	30
PID 3032 wrote to memory of 2192	3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	30
PID 3032 wrote to memory of 2192	3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	30
PID 2192 wrote to memory of 2816	2192	vbc.exe	32
PID 2192 wrote to memory of 2816	2192	vbc.exe	32
PID 2192 wrote to memory of 2816	2192	vbc.exe	32
PID 2192 wrote to memory of 2816	2192	vbc.exe	32
PID 3032 wrote to memory of 2736	3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	33
PID 3032 wrote to memory of 2736	3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	33
PID 3032 wrote to memory of 2736	3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	33
PID 3032 wrote to memory of 2736	3032	6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe	33

C:\Users\Admin\AppData\Local\Temp\6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe
"C:\Users\Admin\AppData\Local\Temp\6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u0iqya3-.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAEF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAEF5.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816
- C:\Users\Admin\AppData\Local\Temp\tmpAE2A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAE2A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6be675050af067bc32a7e996cc00d93f6e254c3b6184021a6c16213b208a3172N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAEF6.tmp

Filesize
1KB

MD5
aa706e1c41f4283eff68574e5994c48c

SHA1
1ca68aed377d8e0e0c920267336055978f750267

SHA256
dbad81e6457000781f352c977b3c7c116a236e42ea20a883c6902b4944bcf973

SHA512
e0b0f0c190bd4e4055fe5435aeb9eabc9755cbe0034e79889e179a02756005c6d76f7f6269633a0677ce3b2a051ba11c2def92e36d43a8c1285bb1bab7b2e53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE2A.tmp.exe

Filesize
78KB

MD5
138d4478f3fe3057d1e2ebff603a8f77

SHA1
5d6d7e314133e4d8204bc15fce04288cc4dd3ecb

SHA256
26796616d1ef898e2f82a85786e21183b5767c2ed0f69b8cd475cef699014639

SHA512
c3ebed4329e3b51c323a58e26959d8e527f6b2260cddccc47cc3638b4548981a658a29a10a3d6517949d1fdf558ce69da8c436ff58bbfa848b87725c8c2b9bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0iqya3-.0.vb

Filesize
15KB

MD5
968d815f2dfa0bc2cd10391be405a7ca

SHA1
95b447dd13272545c8d1a165957d92683029bf14

SHA256
9fac36a8f644c68926a179c410eb14f942fe9782282e4166903f9b33317cf107

SHA512
4498702c8e66a7ad02978541b4d89f2c72569e654e21202abd9fd13d84ebf0b135ab03e651d97eda583b9369dfcb50e3ce91e8531eace24b2349a93d771e25ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\u0iqya3-.cmdline

Filesize
266B

MD5
a0f27c9a6f05a5929cd243f3b7d8d60f

SHA1
c72671d479ed9aa8970ea1307f475b677e1cbc59

SHA256
3d871430e196f9f17d06b233aca1ab68b94b082ecdd501d4b85f847aa6346b24

SHA512
423146991b0bc906e5be1204a38ce33b779be9198d806cbb9f32b57e5e55586d5955b121b21c41b8c3cde3f3ffc78076d5f2b9c64e16013b3ff8b0fcfbab0438

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAEF5.tmp

Filesize
660B

MD5
0cdf9c02d7a63b81f15fa19dee9c2d9d

SHA1
df6f6eff1e332bf4477c3691059818995fd5bd6f

SHA256
176cad8d951fd280ab0c331c506800d6de73ea2a9f52433dcfc6c1d7a198abb9

SHA512
793f50881d14e3826986780170af1fb0a323ad932fdf2cf79d530074d987d1403571e1389f07aa981e6f758b5c97c0b92bf312a6b89f0017b41a5640fb2dc28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
097dd7d3902f824a3960ad33401b539f

SHA1
4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f

SHA256
e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f

SHA512
bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

Download Submit
memory/2192-8-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-18-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-0-0x00000000743E1000-0x00000000743E2000-memory.dmp

Filesize
4KB

Download
memory/3032-1-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-2-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-24-0x00000000743E0000-0x000000007498B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads