6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6f

General

Target

6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
Size

78KB
MD5

e3dbe94d0c54fae63e9347ba0db697d0
SHA1

06db23739a8c3cc35f236963d5ba7797b8848139
SHA256

6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6f
SHA512

62e8badc84efccce08327145e853c94ee94f9256a08e391d1dfe1c2c090680d2eefe8128f0efa276438672246c190eeba9ad80120409b7e667060304ad82eaac
SSDEEP

1536:hPCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtR9/e1ck:hPCHY53Ln7N041QqhgR9/y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2980	tmpCFFC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpCFFC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpCFFC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
Token: SeDebugPrivilege	2980	tmpCFFC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 3052	2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	31
PID 2096 wrote to memory of 3052	2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	31
PID 2096 wrote to memory of 3052	2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	31
PID 2096 wrote to memory of 3052	2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	31
PID 3052 wrote to memory of 996	3052	vbc.exe	33
PID 3052 wrote to memory of 996	3052	vbc.exe	33
PID 3052 wrote to memory of 996	3052	vbc.exe	33
PID 3052 wrote to memory of 996	3052	vbc.exe	33
PID 2096 wrote to memory of 2980	2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	34
PID 2096 wrote to memory of 2980	2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	34
PID 2096 wrote to memory of 2980	2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	34
PID 2096 wrote to memory of 2980	2096	6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe	34

C:\Users\Admin\AppData\Local\Temp\6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
"C:\Users\Admin\AppData\Local\Temp\6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zsnse-gw.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD106.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD105.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:996
- C:\Users\Admin\AppData\Local\Temp\tmpCFFC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCFFC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6065fcecb73dffaf105fc78858f5a693eb9037e0369831f7fc619b23fbc88c6fN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD106.tmp

Filesize
1KB

MD5
b487c8196d53b9ef9cef47259e98aefd

SHA1
5e5c42d6547c88936791458eac27e28e9e64e7eb

SHA256
22bbad2f79ad19d52e5f14e509dd62bfdac6097ba074334c2c8f2421935b0651

SHA512
e818908f7b98033b36133ab9aa7c421f64ba37b6bf6e20b362d451317c713865002b8de5ccb5c1190168f14aef7fa733b71e69d7104bcba91f637cfa3e87d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCFFC.tmp.exe

Filesize
78KB

MD5
988cdb708a65c28ba8efd701211f853f

SHA1
cf602f2e54d046880aebeacf07ff29aa76052b48

SHA256
e6a5d78cd4a3f4eaf2cfba28ab6cfce02ead79d54285ea87331b0282ae3b9295

SHA512
a36be4f2ab1b6e828d1fe911046e9cc72c45d9f78c5e74cebde90b9e8e25a0c54e77301b1ca6207c7e9f58987fd2a3d15320448712902e689e59bedf8435ef12

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD105.tmp

Filesize
660B

MD5
b784389a7743b992d05c506ba11b9911

SHA1
e010d6d9a7b488509009c09ea4def8f61e2b649e

SHA256
d98ccab7cc55c0ca956984d174bcfbf43f546a6dc1c371ef8d26739dce2abfd5

SHA512
3b8e1bea4a19a208708a0e360fda7acbfa917c54c74baec0087a5fbb2b79899d49696489758dc2a2860b21126e1b9c773f554c85b672c497817c2dfa69d30a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsnse-gw.0.vb

Filesize
15KB

MD5
524d447dec4591dfdf7e7babf7c080f3

SHA1
7568274c84d27a4dd44ed5d5af7f34eb05534b73

SHA256
61f5d84846e877a5ecfdd1b56e1f848d4e0c2df230f68f3c8696646d2e0ed9bf

SHA512
90bfc8d2d97838c25ccdbb6f97646dacf745355438932bdd5e38e2747c9f333ecc9d3d7f2abeff3225e50a149aa049cb09a1da46cf4bef175ff49e84d69b9a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\zsnse-gw.cmdline

Filesize
266B

MD5
a5dd8cd835592c6b619a03c0e8946eb9

SHA1
dc382a96a02c24a309a2cd3b5ad7145a8dfce3f5

SHA256
095b296e8a0578036251a333b5e01583dc52693f719247cac4346c99eda6dc06

SHA512
01ee4cc98b767f7c5ca6c97a1dca02ecc92e64c76ca9bec084bb516d3f40fb9c38b3b234a70e798b2a08bc854f085a2e127276adfca4954e58647d5c55e9e7da

Download Submit
memory/2096-0-0x0000000074F91000-0x0000000074F92000-memory.dmp

Filesize
4KB

Download
memory/2096-1-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-2-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-24-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-8-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/3052-18-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads