2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5d

General

Target

2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
Size

78KB
MD5

835e65b1480a66868a104d77b9c4ef30
SHA1

3101e4fba324264700712ab7f182135e9afb4865
SHA256

2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5d
SHA512

81ba04f163250178724093a3105f1483947285ce8bd368cc43112f65a6ba84d067f3dec94fa54cd4f60477648ad48c2a6a75edf06a6c16524c73cb21a87d9afb
SSDEEP

1536:9Ty58xAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qti6Y9/yj1FD:hy58xAtWDDILJLovbicqOq3o+nQ9/Y

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe

Deletes itself 1 IoCs

pid	Process
1120	tmpB323.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1120	tmpB323.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpB323.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB323.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1088	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
Token: SeDebugPrivilege	1120	tmpB323.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1112	1088	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	84
PID 1088 wrote to memory of 1112	1088	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	84
PID 1088 wrote to memory of 1112	1088	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	84
PID 1112 wrote to memory of 3792	1112	vbc.exe	87
PID 1112 wrote to memory of 3792	1112	vbc.exe	87
PID 1112 wrote to memory of 3792	1112	vbc.exe	87
PID 1088 wrote to memory of 1120	1088	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	90
PID 1088 wrote to memory of 1120	1088	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	90
PID 1088 wrote to memory of 1120	1088	2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe	90

C:\Users\Admin\AppData\Local\Temp\2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
"C:\Users\Admin\AppData\Local\Temp\2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8nxgye-g.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB45C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB2FAD9AE0FB4151BBAA65D16E43175F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3792
- C:\Users\Admin\AppData\Local\Temp\tmpB323.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB323.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2188d5497980aaf859f208f45cb7111365301967dc2f93fe1f2b5263a8b4ab5dN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8nxgye-g.0.vb

Filesize
14KB

MD5
bfddbaa59c7314c32f34310f92c69a2c

SHA1
da22db8c08cbd83cfb7aa28304c51e1980536644

SHA256
51c9dd3d9a02d887e2e3efcad57e9db51b1d6d9af4092ae003e9138c33ed9ebd

SHA512
dc861a1a89e390f31e79d6f3e578e9532538d52764e99feccce9f81faa344b975bbd5177cc7ae173ed9c3e1436d40dd143ad7ffaa8bb2cbcbfa3f67db8b681da

Download Submit
C:\Users\Admin\AppData\Local\Temp\8nxgye-g.cmdline

Filesize
266B

MD5
e1564c793d1f25935b486c1049d30f84

SHA1
b5d16362b7a04781a7d6d96732f8d022676291b7

SHA256
a3281d30673e3b98a99170000953659ab238b04e5d20231250f363f4ff8f9e1e

SHA512
7c09f9b40f72d8f5cb0ed7d2a205dab585d80dbfd1ba435d96b9492b1b45cbbba5f887dcc7c0f3ffcc0793227ec2142026ad18bee6d9d903d8a99dd2233c9104

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB45C.tmp

Filesize
1KB

MD5
157e5d5350bdbf883e7b3018d4655386

SHA1
d5924dc7fa1b62dee4cca7c569182e1ecd57f930

SHA256
8eac2a5696af64ac227545b4c6c8a5cf6fd9e6eaadf971241c3c65fbc61924a6

SHA512
2e202737ababed27ad13493e71078e992d2f02b929975e64fdf4bf17c8ffd7a81d7cefa2a7b03617c2553532e8d69286d6b7ab4d0103ad04cb4f94526664f8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB323.tmp.exe

Filesize
78KB

MD5
5a553dfb0fdc96d54593c502406c5782

SHA1
9e08dda59d26ac9a224302c8976ea63a385d1960

SHA256
c7de8cd5e33f42a61999495a6c4193cd987e8fda4a2a8339a24699cf8775eec5

SHA512
7e849990c0b2fd5d019aa8023dfecfb58598f9f9ddea0a0e7a29c4cec6454f26576462eafcb86b586a780facb5ba64675224a0cad0aeb2956ae2fd1c907548ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAB2FAD9AE0FB4151BBAA65D16E43175F.TMP

Filesize
660B

MD5
7c6bcad1dc971902c60566f7170b1808

SHA1
0f81174c70bb70d6e723e56dc7c6fbe0ca6b11b3

SHA256
b72218f4f8591562ca26ba1e7f400c868b3266b3cb3c0cb25b3421d82daf52d1

SHA512
16851e493c2ce233290fae256b961e4cd65edcbe05114f55b78528e25c41a8764cd7d09be07e3d0cd6f0c15a78830e0c28a5bb34545191973d88c5835315930d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1088-1-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1088-22-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1088-0-0x0000000074992000-0x0000000074993000-memory.dmp

Filesize
4KB

Download
memory/1088-2-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1112-18-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1112-9-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-23-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-24-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-25-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-26-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-27-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download
memory/1120-28-0x0000000074990000-0x0000000074F41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads