2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699

General

Target

2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
Size

78KB
MD5

4a2966b481f738097e4c0a574ed70d00
SHA1

94b17490616dbc1499ea0e0ee39f43eb4f709615
SHA256

2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699
SHA512

bc8e321b039c23a64fd55743a3cad9f29f0fd53e258231b107988ae6761698de12c83a8d229108cab612cbd43d39a8f2195a567be5fea85868fba4ee81f256c2
SSDEEP

1536:6tHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtwF9/jM1uQ:6tHshASyRxvhTzXPvCbW2UwF9/m

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	tmpB04C.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpB04C.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB04C.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
Token: SeDebugPrivilege	2700	tmpB04C.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2800	1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	30
PID 1016 wrote to memory of 2800	1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	30
PID 1016 wrote to memory of 2800	1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	30
PID 1016 wrote to memory of 2800	1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	30
PID 2800 wrote to memory of 2260	2800	vbc.exe	32
PID 2800 wrote to memory of 2260	2800	vbc.exe	32
PID 2800 wrote to memory of 2260	2800	vbc.exe	32
PID 2800 wrote to memory of 2260	2800	vbc.exe	32
PID 1016 wrote to memory of 2700	1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	33
PID 1016 wrote to memory of 2700	1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	33
PID 1016 wrote to memory of 2700	1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	33
PID 1016 wrote to memory of 2700	1016	2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe	33

C:\Users\Admin\AppData\Local\Temp\2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
"C:\Users\Admin\AppData\Local\Temp\2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vqemz-fu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB127.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB126.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- C:\Users\Admin\AppData\Local\Temp\tmpB04C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB04C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2fc8516122040a32de055da40082df181ac5ffe246ab8118c552375dd9b73699N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB127.tmp

Filesize
1KB

MD5
7183f8d21d65a66b960defc459578c96

SHA1
de565b93ee5870e1f3242ef8e7145b3d6eb51ef9

SHA256
ed6a521f65be021baef46a433c2b3c44ef7043d72bd27b92231e58f2aa863309

SHA512
967560e7b37423aea2eddc15f9602da79a57ead41e0602b9ebafe720bb3fbd21195b6e261fdb241fceaa0b8284b9dbd78bcde0a9306b3b1fa6492fce114c59ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB04C.tmp.exe

Filesize
78KB

MD5
2d05385f6755a83ce9abf468e60bc3dd

SHA1
68c17318c4197838696f6899bb88b1870efb2944

SHA256
eedaa2a4c5d0dfb25d72c782fca2ee1b90005ecf90120134ee4a40717d0e5eb3

SHA512
f82c3171a38bc58448e69394d00a8762b69fe7f4c422c7cbf9306e4932a18c4517fa3fe9ec88532d02cc76dfa01197e2c5be2ff5b50b1a6fef5dd57b12833d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB126.tmp

Filesize
660B

MD5
162b3065e6b5fcccd9955d9432bef9cf

SHA1
cc3e9fae0cab7db88f723641577c9e39701b6497

SHA256
848ac5e550cd4a86a1a6f371967a5341bcced2ff45aa4671aa1b31252d6e0334

SHA512
45bf5b09dc964a31859467821473c70edf01f471c510b9171504c8400cffd70d6bed5fe49db71792c9bc07e9c9e841388a7e05890a0d575e50b45f6ded60c9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqemz-fu.0.vb

Filesize
15KB

MD5
a56763eebac99c7e65b2dc4f4480a9fb

SHA1
360f0b181f6895f7d900b5c689d99a631fa347fe

SHA256
3798f35e14f18f48f89f6f2d0bb71923b41b408c68862503f00b389a42440f94

SHA512
d4c246dd2236ff7cae8f0b756ef0ec1152b544e9212654be4a3508e571983e402e2d1d6acb8641dc2a299e12737b2195eb4659cd7655edbc3c2982f544a7c0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqemz-fu.cmdline

Filesize
266B

MD5
7d047a410129d11a789ad0708b4bd880

SHA1
faaa8dd2da14ed12aad364affa64925b1dc8f801

SHA256
8b3db1a134bd2efa30788206514208555095b95d6f6f2d34c93286d9eb54a803

SHA512
2307ac11c18e6b2fb186a28e1869ee48b21e27ed0c1cef243760b945d9e510ef31f7dece571bbcf4700fd638bf5fe8a7d800ae344ac1e8af634fe376330f5377

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1016-0-0x00000000746F1000-0x00000000746F2000-memory.dmp

Filesize
4KB

Download
memory/1016-1-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1016-2-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/1016-24-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-8-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download
memory/2800-18-0x00000000746F0000-0x0000000074C9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads