49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefac

General

Target

49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
Size

78KB
MD5

b9f95303e3af29e83ea3a63c9514c4b0
SHA1

da8899cd5066a6fd59468ba3f3344fe949343efd
SHA256

49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefac
SHA512

1803cd8ea7ab1e2698e3c7f4037e945015227046329805414b263b31ad6493fa78a380612913455c9fc3612a73ddb2e7c265c06d824fb5695fcdeb335d7459bd
SSDEEP

1536:FWtHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRP9/B1cA:FWtHFon3xSyRxvY3md+dWWZyRP9/N

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2664	tmpA4D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpA4D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA4D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
Token: SeDebugPrivilege	2664	tmpA4D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2540	2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	30
PID 2628 wrote to memory of 2540	2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	30
PID 2628 wrote to memory of 2540	2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	30
PID 2628 wrote to memory of 2540	2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	30
PID 2540 wrote to memory of 2768	2540	vbc.exe	32
PID 2540 wrote to memory of 2768	2540	vbc.exe	32
PID 2540 wrote to memory of 2768	2540	vbc.exe	32
PID 2540 wrote to memory of 2768	2540	vbc.exe	32
PID 2628 wrote to memory of 2664	2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	33
PID 2628 wrote to memory of 2664	2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	33
PID 2628 wrote to memory of 2664	2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	33
PID 2628 wrote to memory of 2664	2628	49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe	33

C:\Users\Admin\AppData\Local\Temp\49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
"C:\Users\Admin\AppData\Local\Temp\49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a1qcxhzg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB29.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB28.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- C:\Users\Admin\AppData\Local\Temp\tmpA4D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA4D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\49d6e275a6e7055eb2049e7e558b5f33ee476f8cba3011b738b6b5eecceaefacN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB29.tmp

Filesize
1KB

MD5
5809d7b2c6c2019c71d4791d59e80c2a

SHA1
28999a85f1808774c52cc49d52d6833fefa4f100

SHA256
f8e3a8921c10d6dafdc1a0fca7d394d6497d02b72cbe25b6b7016b15ce0bbbbc

SHA512
9f2a08860260c60243d5bb10da097c66bafe9f0b67b6fe287902cbd752defcdd3d888f9b87e297172895e0e49700b3b5e31a0c08b50250af3d797fe52639cadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1qcxhzg.0.vb

Filesize
15KB

MD5
1b8614a18e9c19e88b9d0b480a709a44

SHA1
9f7b195b5f8af62a5eda1cf72ab38d0953d0b81c

SHA256
f21052744dd72a23ee02eb4f7899c77d95b2bf02905afcf7a3d5dff46357d2b2

SHA512
25191a3b6aa3ae1c7263ff201dc43753a93511eae0ae4613febdb01101aa00f620010fbf1f682a6bff4fd49abd95e4399a143c5ef9d04f350a44383eb4713bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1qcxhzg.cmdline

Filesize
265B

MD5
38ee2f15f9e316a22c3d89c3eb606f1f

SHA1
bbc1ed7e2f63d6044614bc99a3761181190edf8c

SHA256
5eead107e03b86c8855323d5ed9071cfa063050c8e6fb032c13426b242200975

SHA512
0931f575fd32abaeca0412b6c4fa59151678352bc5b20aa0fb275f5b066a9d8011db23cd0dd7ddf2cd00ce85caa7d415ac28e807a7367782aea5e9c65aaf4834

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4D.tmp.exe

Filesize
78KB

MD5
be2f49fd753b7f905a4cf1d87a97ff61

SHA1
f62da08395bb7f6848f8bdc0d3bf3c844eeb3ffc

SHA256
73375680d1e1c992ca95e2128c803990a6bdd4228070d0e2ea71b15b3e9d85fa

SHA512
a74cb6e4044bd4c603880efbbfd0526e8202ff5722cfcef3b3f73edf941f3a5d95df5fe621d8623d7f98e55a49695092d020fd5054b8ca1e4197aab99362e84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB28.tmp

Filesize
660B

MD5
2f7113d4b268963928dde4e2e1abab52

SHA1
cfd58b0f2b80d9057ea7a74443fef2f672816f32

SHA256
c82476585915d862fa248998537e37e293fb319b6e62d5fcfe01dde75078647e

SHA512
008d03371d884be6ab2c47c580efe6f4ed7a2ff7f5fb56b75c13a321d3c96b24413c199cdc339cd5ed0d0f31a97918e31b9f3d2c241977fc360c3289848362f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2540-8-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-18-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-0-0x0000000074CA1000-0x0000000074CA2000-memory.dmp

Filesize
4KB

Download
memory/2628-1-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-2-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-24-0x0000000074CA0000-0x000000007524B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads