e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eec

General

Target

e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
Size

78KB
MD5

3f162cce79e533c8bd8a0dad74046970
SHA1

6189fbb781d792187710d4b931dfe66af64b159f
SHA256

e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eec
SHA512

da87dbcf846d9f0d16b7c942fbbed3903c27f5b65e506002315597c08d4ad21c8bcfc63a0252b79cc04a61ea605e65c9576c077ae85f5b211a940f0fcb2aecee
SSDEEP

1536:gPCHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtz9/m1BU:gPCHYn3xSyRxvY3md+dWWZyz9/1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1784	tmpD440.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpD440.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD440.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
Token: SeDebugPrivilege	1784	tmpD440.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2544	2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	31
PID 2316 wrote to memory of 2544	2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	31
PID 2316 wrote to memory of 2544	2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	31
PID 2316 wrote to memory of 2544	2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	31
PID 2544 wrote to memory of 2060	2544	vbc.exe	33
PID 2544 wrote to memory of 2060	2544	vbc.exe	33
PID 2544 wrote to memory of 2060	2544	vbc.exe	33
PID 2544 wrote to memory of 2060	2544	vbc.exe	33
PID 2316 wrote to memory of 1784	2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	34
PID 2316 wrote to memory of 1784	2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	34
PID 2316 wrote to memory of 1784	2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	34
PID 2316 wrote to memory of 1784	2316	e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe	34

C:\Users\Admin\AppData\Local\Temp\e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
"C:\Users\Admin\AppData\Local\Temp\e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xh-sme1c.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD588.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD587.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
- C:\Users\Admin\AppData\Local\Temp\tmpD440.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD440.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e0da7cd6bdd8c04bdaab054fac3043330373e3f9fe9baa6ce1d36d5d59267eecN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD588.tmp

Filesize
1KB

MD5
be8cff768c75b27153943339c8adacbe

SHA1
0045fa554566ce71f48685f81c6a23fdf970234a

SHA256
0448f9c3bce7042bae601423c11636e785c1702a2603a3f30cf7fac256b0e344

SHA512
7a7d4933b39579d6320810f01a9c230474feb8a9ca67dfbf9beef0a507b2bedda27ccf8830b275663e68899089a1549bce6bc2ab8fbe585b9ed77d45ad01e369

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD440.tmp.exe

Filesize
78KB

MD5
25049d59652a236b6a3af572dd399093

SHA1
2909d698300681fb4a2328924208fbedd231ad94

SHA256
8f0de295a740b0a6b50ef9e49d17ad414fc7914c9b8024d98cef8015efd42e9e

SHA512
2d39d3c58d062ff71dae120366035f147f89ecb92799cacb60f9b9cc54802bdce6554ced9e8aec8443395acc5eaa73ece197b178c7443ff96bf1f5070a568dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD587.tmp

Filesize
660B

MD5
401e477736a4821f03b64e282e51b8ce

SHA1
7dc16982d9ac09ba47ca660347adf4826f93821c

SHA256
f5a66a9108bf9bc82c700e0e8ea965779e092f878fe2aa6e665bc6842be6ec35

SHA512
d0879eb3c87ddf6104d0b2cf01c10f89adfd2799b83cfc431efe1823c8f9af3e6a7eb33569db51acba36468401d546bccbc54a328ba0700217cff3884f95400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh-sme1c.0.vb

Filesize
15KB

MD5
13da5c1206c48441ca476ca2c7d686b3

SHA1
a22db876088f24c5d44d6679d4ac7e76c2194ac3

SHA256
c031c7bb6225ffdf1a5a65f7402c7a582699d69c83c8d56e426c5709ec8f1dfb

SHA512
01fa9cafe4174a0dc84e28a3dc23cdb56645a45a421d5d6f73c65bc30f02b33b02bdf5cf99434448fe5d7a259a4c5204c093e39c9af2d5ef8e430963e27b9283

Download Submit
C:\Users\Admin\AppData\Local\Temp\xh-sme1c.cmdline

Filesize
266B

MD5
f47546ca872a0c0162a4cf28e6b01cc8

SHA1
4acada9bc01edc17f2ff561055741ec7c21fa87b

SHA256
d5eb74fe09c8e804e12e73092fefafab6476df20f2de03b01c5a48ef2f6ada9f

SHA512
4ac412f1a53776d22ee0cab9b96a2aac57fa41e53712aff9ab0f3d82947401f59aecc425e8c18997f197411f6e79248d60b15a9db7c2525fdfa10ee364026851

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2316-0-0x0000000074B01000-0x0000000074B02000-memory.dmp

Filesize
4KB

Download
memory/2316-1-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-2-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2316-24-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-8-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-18-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads