c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415

General

Target

c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe
Size

78KB
MD5

c926938fb669ee9810423b42306c6bbc
SHA1

8cbd0e7215ae6b87f85502698f158f5528640918
SHA256

c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415
SHA512

d1d542cfdea974ea0ed61b10bc54282554511d3ec039ee31682c48d6721925079eece72b5f2aa51bd4a34225e4c79b34ca203cc4b50d2d2745b8bcbe169ac270
SSDEEP

1536:pPWtHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtc9/J1aS:pPWtHF83xSyRxvY3md+dWWZyc9/J

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe

Executes dropped EXE 1 IoCs

pid	Process
972	tmp8993.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp8993.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8993.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe
Token: SeDebugPrivilege	972	tmp8993.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 1192	4124	c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe	86
PID 4124 wrote to memory of 1192	4124	c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe	86
PID 4124 wrote to memory of 1192	4124	c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe	86
PID 1192 wrote to memory of 3700	1192	vbc.exe	89
PID 1192 wrote to memory of 3700	1192	vbc.exe	89
PID 1192 wrote to memory of 3700	1192	vbc.exe	89
PID 4124 wrote to memory of 972	4124	c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe	90
PID 4124 wrote to memory of 972	4124	c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe	90
PID 4124 wrote to memory of 972	4124	c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe	90

C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe
"C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4e-ugpkl.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AAC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92A6D2CB2F5644E9B2E64CC68CE0214D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3700
- C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c766907e1aa7f5b0a5d05663c8886a5581d8e5934e745eee53b24dcdc300f415.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4e-ugpkl.0.vb

Filesize
15KB

MD5
4c372b8ba364cf4efe7306a60e161bd9

SHA1
824bf5d02cac40cbae27bf9060ba82c7d6908515

SHA256
774b0fe21b02d4f14c56e213d39779bdc370265d591aaa501e1afece76a2d94e

SHA512
bbaaf4054d4d0b5076fc2a2adcf01f03287a727521ec637f5975e793ae78e1233f6c7412ef8ddb51b419c710404540f968bb1808769e5ce0168adf07e4d9e678

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e-ugpkl.cmdline

Filesize
266B

MD5
c940963f45c8cb91a18e378f4c0ff08a

SHA1
56d1f12198b938a3647254772bd870b70e12d472

SHA256
2bb2bfc22ca509f52cfbab3292cb761f618b058fef838e41778e4dcdb8c4c33a

SHA512
8f10a83962265d79813a2e25459b779a5af6bbefce9115c0b2b247cd0a013e5f57c140f53e12d6cbd79a25f254c1c5476ebdf6d7c14ce3e76a6287663696d452

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8AAC.tmp

Filesize
1KB

MD5
8d4805a2872e949916b20e5a3741f6e8

SHA1
0343691c7620c8e78a46d3580f359850a22fc864

SHA256
1e504c26812fe9c8da304b1c90b6e13965cceb244bc3bf0af6cad6404208cbc1

SHA512
b42fcbae6fe55a02735dd493f94a61577c8bc189d3bea91fbc67dfa9435efa6c2c9d7322505d1f8fa4084f44618ebf6384e37720377a1eefd2395bb8bc5d115d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8993.tmp.exe

Filesize
78KB

MD5
22810df01c4b3f3277e4341ca127488d

SHA1
e32b14296283f1a91ab5315010bfa5d473e7db71

SHA256
ffe33c77d827e1ca9bb2d390597299cbe06f47b6b07de2d147864f5582fd261c

SHA512
6de91b28a04a20793d46b1dfbaff8786c8570ffeb63c19385786054fd48ea03a07e9bb62bced7558b341571968d03c546b8a7ab544f02752db166b36bc6c46b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc92A6D2CB2F5644E9B2E64CC68CE0214D.TMP

Filesize
660B

MD5
ea4cc557edd440c57b265a1a3ba113f3

SHA1
fe84def0bf99f9d1c51b7d3b74db4ebb6a6d3114

SHA256
25f9e12e3f64cd48fa9f17c9e554b59cb0a2debf48afcac3912051c3a32ee845

SHA512
336af301a236acc0932475d3397e819c667bf2e9fc5bc4b23b9e4a127f729ac243f0c236fb68368dba5757e80f5d1633c919c230076ad353d32667f12d695d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/972-27-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/972-23-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/972-24-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/972-26-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/972-28-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/972-29-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/972-30-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-9-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/1192-18-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4124-0-0x0000000075012000-0x0000000075013000-memory.dmp

Filesize
4KB

Download
memory/4124-1-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4124-22-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4124-2-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads