dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1

General

Target

dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe
Size

78KB
MD5

72572b2098fb3bbdf82a46c9ab0ae4e2
SHA1

3c1eafae0aee9f1a2a4256979971f5928d17d2d7
SHA256

dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1
SHA512

39062f79d7bc52e8ae33d625774a909a8ee5c345567dd0997fa0111ecceb3d542777bf659bb95299e89a5bc0a429ab5d7173a3aa45e20df3924706acecdb4634
SSDEEP

1536:NPCHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt1B9/v1mc:NPCHFonhASyRxvhTzXPvCbW2U1B9/J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1692	tmpA6F9.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe
2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA6F9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA6F9.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe
Token: SeDebugPrivilege	1692	tmpA6F9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2008	2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe	30
PID 2648 wrote to memory of 2008	2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe	30
PID 2648 wrote to memory of 2008	2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe	30
PID 2648 wrote to memory of 2008	2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe	30
PID 2008 wrote to memory of 1320	2008	vbc.exe	32
PID 2008 wrote to memory of 1320	2008	vbc.exe	32
PID 2008 wrote to memory of 1320	2008	vbc.exe	32
PID 2008 wrote to memory of 1320	2008	vbc.exe	32
PID 2648 wrote to memory of 1692	2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe	33
PID 2648 wrote to memory of 1692	2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe	33
PID 2648 wrote to memory of 1692	2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe	33
PID 2648 wrote to memory of 1692	2648	dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe	33

C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe
"C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p-d2nosz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA90C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA90B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dddc58d8fd1d9e92aa4898c485f14a36e97205ea1977f7a942a8e2138332adb1.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA90C.tmp

Filesize
1KB

MD5
4da874449ee1d0fc4e58425993ba838c

SHA1
7ab3d52f52cc6f89369fee85aa842ec85066cd1c

SHA256
e0c451175689ec00a7fb41344fa220e46346f4072f7e80c98b80a685cc67a2b4

SHA512
424b5161b1ab812ea021b562336555b7236b57f81a4aff882fa5f6e1f7b8916f6fec42e1b6843c56901c61585cdb1350df27f4b89eaa63a7cc0fe37e6b0fb286

Download Submit
C:\Users\Admin\AppData\Local\Temp\p-d2nosz.0.vb

Filesize
15KB

MD5
ccccf4d79d747e52c49cd4ba15498314

SHA1
7e163b9d6fb280772cf465c4f5081c05cddba788

SHA256
85e5394333523cd4026823aea08b15a6793a438644c9ea287cf6c70105da8c9b

SHA512
752e3c1a71226e6c0f9a099246c2ca28e5e4c439313b5bba3ec1003ecd54288e0cc50fc0497eed2f9e86b5dd862e8cfda5a765b14ac3bfc0500093cd28963b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\p-d2nosz.cmdline

Filesize
266B

MD5
0bd3f0c472f242adbe9f83da941a3d4e

SHA1
1ac15837aa70e0f4c97f1563d1d3386166258a75

SHA256
3da7c8bdab9cf7d184dbf9c8aacd74a2b28cf4d0dd6362d3fced4353d6b3cd34

SHA512
5c34f24cc1e11f01aa375f946e2c9518a62ee5ed39ab907c5b8bd2a283ed4557290aeb189db4bf6a1e888d34c0c57fee710047bca2326f2958db031c53b44c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6F9.tmp.exe

Filesize
78KB

MD5
6f13acf218c3f9171e57f5947fedbac4

SHA1
2f712e582a0ae1b0dadef3c8e8ff1e81e33d8409

SHA256
55e586a58ba83e30151c30d741dacd36e772cffdb37605fe418f80e6923af82d

SHA512
12e36fa42dad362fc759f56f250deefba06b5ed84b3071f7fad6754720588247bc63182f15b0f621fb73b6792ded99d4ca711cae63da70e669353d3f29b6fcf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA90B.tmp

Filesize
660B

MD5
d8afe584c7c95255b7a28bc733ea97ed

SHA1
78070df32f6787fc1f3b9b5fedce3f8236576932

SHA256
a6962a76b2dc26f73a471ff24ea32967951861db8d01d605277e505c459d5ceb

SHA512
6c26852e4c60ad18c385a8cffcda20d6e2af26d4649c4c599965ed25ac32fd37786cc1220e69ddc672259ab8ce35359f3f322d6106bac184b1576911f1d09c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2008-8-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2008-18-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-0-0x0000000074D51000-0x0000000074D52000-memory.dmp

Filesize
4KB

Download
memory/2648-1-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-2-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-24-0x0000000074D50000-0x00000000752FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads