fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952ca

General

Target

fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe
Size

78KB
MD5

b2292e50056ea3376b677d79dd5bb4c0
SHA1

c1cb05f9606760d151193c87ef59038ca3c689a9
SHA256

fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952ca
SHA512

21ff0983879f3ffbc9f3a70e236f633acc65108079ae8ee6370b42c2eeb9f45438b9c587047d18aa6f46545cbba68acebf6ab572475821ee28aa7ac0d2e97671
SSDEEP

1536:jVSV5jSYpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6R9/1f16F:ZSV5jSWJywQjDgTLopLwdCFJzJ9/6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2344	tmpB589.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe
2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB589.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1332	2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	30
PID 2124 wrote to memory of 1332	2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	30
PID 2124 wrote to memory of 1332	2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	30
PID 2124 wrote to memory of 1332	2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	30
PID 1332 wrote to memory of 2120	1332	vbc.exe	32
PID 1332 wrote to memory of 2120	1332	vbc.exe	32
PID 1332 wrote to memory of 2120	1332	vbc.exe	32
PID 1332 wrote to memory of 2120	1332	vbc.exe	32
PID 2124 wrote to memory of 2344	2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	33
PID 2124 wrote to memory of 2344	2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	33
PID 2124 wrote to memory of 2344	2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	33
PID 2124 wrote to memory of 2344	2124	fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe	33

C:\Users\Admin\AppData\Local\Temp\fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe
"C:\Users\Admin\AppData\Local\Temp\fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0po-p5q-.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6E2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6E1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- C:\Users\Admin\AppData\Local\Temp\tmpB589.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB589.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fec00fc69975a0def14a538667e7f9ead23bf557e3f6d0c2fdee65d18e3952caN.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0po-p5q-.0.vb

Filesize
14KB

MD5
dba43fc5a16d969d42e39221cbb7dfd3

SHA1
8367926eb27f67b574be16c517128be87e82abe9

SHA256
8fa91e679c152ed089557c5868e54d82226ee0f332895ed8d7cb8005738fc43c

SHA512
357f45e0a597755e1ba6bf319ef3c5abb4e7c96f561072b8c8c824ef9da4f4e37efc4b6d7dd7c11b1f52e3f3bee199cca6a06b424b92615c77699ebb03434753

Download Submit
C:\Users\Admin\AppData\Local\Temp\0po-p5q-.cmdline

Filesize
266B

MD5
71c99ea141c576e6f05e4de609e7dbbf

SHA1
fcbb0c009f74e5bb34410d7b6d93f87aa64140b3

SHA256
b0ee9171d719166f5bc8becce81be5e7cc6d5cca3177f65221d57c32e9cc7885

SHA512
50f0add5d4745729b408273236d7a70c27c8706bb204a5d2b58a73594bedb8f93cc957259562f6dd078d9e424a821cd404296877eb62f32056f30ebd8913ce64

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB6E2.tmp

Filesize
1KB

MD5
ffe96ed735042a54ddd107e32504a292

SHA1
95c4f48509ff0cda90f5d927ec48e968515145ed

SHA256
35598e4987a414fb161ccaba7846375adda72be7af4d79bf9013576150c1f2db

SHA512
5bf509bb177571e2b08b11dd0a1d81f16642ce7b001c1b6c279f2e9460de3123535aaab85fb788dca0cc745cda551d5b91434e40e6f38b8a7bb7f653fe358f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB589.tmp.exe

Filesize
78KB

MD5
ea6c7433db2a4e9280ccd49e3978f3d6

SHA1
9bf65e2d0b2749727465886524722db1cfbc5220

SHA256
04df8ad3365d128adec27cc9ad5e803151dfb13b6d2087b5288cf8596e97e0a0

SHA512
b684936afd2d421ff47adaa91947b7a02741918d6adfadc973ae7e49dabd7ab94996f931a61e5e5da55d179a40fe73feb7c6093a8150f803d19cf4493451ad2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB6E1.tmp

Filesize
660B

MD5
80d84eb0db1c7d490cf31c891913a980

SHA1
af95dd6bc3788077ceb26701fccede7b129e0861

SHA256
d6b6131002109da74ccfbef004b883003a5ca6936803c5851c0aba0e2e6544cd

SHA512
6ebea1a4dd6c1ce9e25ba49a584654d42ba8c983b180e237c489f83e19d28c1c3fecd7b885c494409dce42e7d56ea34b54ec3c2b6f5d75b465f1d9187f55bbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1332-8-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/1332-18-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-3-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download
memory/2124-24-0x00000000748E0000-0x0000000074E8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing