a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11b

General

Target

a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
Size

78KB
MD5

9b545f0c4b73fc1813e01414e50af4f0
SHA1

f7adb760241827c3011bb246d0bf5d2e7e0690ce
SHA256

a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11b
SHA512

fa2cdc9b8b7c93cd38119190162a2d822ca5aa0289cf6935e533b88473528451277c3115af4c2f930563effb1b12c013b0411c430bb6fe5eba2f80a7907299f1
SSDEEP

1536:eRy5jSxLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtW6tn9/+1oE:eRy5jSJE2EwR4uY41HyvYd9/y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2808	tmpB664.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmpB664.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB664.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
Token: SeDebugPrivilege	2808	tmpB664.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2372	2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	30
PID 2888 wrote to memory of 2372	2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	30
PID 2888 wrote to memory of 2372	2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	30
PID 2888 wrote to memory of 2372	2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	30
PID 2372 wrote to memory of 2216	2372	vbc.exe	32
PID 2372 wrote to memory of 2216	2372	vbc.exe	32
PID 2372 wrote to memory of 2216	2372	vbc.exe	32
PID 2372 wrote to memory of 2216	2372	vbc.exe	32
PID 2888 wrote to memory of 2808	2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	33
PID 2888 wrote to memory of 2808	2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	33
PID 2888 wrote to memory of 2808	2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	33
PID 2888 wrote to memory of 2808	2888	a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe	33

C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
"C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-iww_5nk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7AC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB7AB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a33acf15e4ac917c94f099c5ea1c97dfdd26eada2f1330c96f07d23d63eda11bN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-iww_5nk.0.vb

Filesize
14KB

MD5
cf255b63ca976d8d219c3a69a44f7b69

SHA1
64dda9e7bd8cbbd585ba505d348a04d23ec4a52c

SHA256
c3c89a754d103c164e344ec28901ac9a7010bacbc97b84f2b8f8da55ef0227b7

SHA512
a58da2d685831d11d46a2d41ab4f87f1b65df3221f3437309e6acaccc9f74f7a84b6557866bc900114e88638e412ecfa09ae7f50666bdfeb2fc19e69541fd890

Download Submit
C:\Users\Admin\AppData\Local\Temp\-iww_5nk.cmdline

Filesize
266B

MD5
6a172514fe6ee39bdc99b05226224897

SHA1
db14de21dd806ae2f67525d453c461a8d1a1047e

SHA256
d034b7a841ebfba24c951e8322ca30a1af62c65a4685f582674cf8c7fd0dd21a

SHA512
c90a7775d42b48e4983b7717f7dd80d4907669d555c8828cb70aca844b64a6f74bb215f40329a9c0e2bc540d4821091df7e2382b86ab80f435843f71d8cba2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB7AC.tmp

Filesize
1KB

MD5
fd764058559237acc4f5e30d559aa18c

SHA1
d0568492b1e586ba52b3932bf26f69ffd098e40f

SHA256
1a181d024165f140b362e671f5bc2fe855ebb4224b8fb5bd595385c26695f676

SHA512
9816614a599be66bdaf2dddfbb2970d325bd53107539422cbc65fbf66b1c571bba3eb062238991a216884684f44dea413ffce3b8d8d720e00fd3f16f63649f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB664.tmp.exe

Filesize
78KB

MD5
9bd960d556510f9c9c89d8d6e165f1aa

SHA1
c62bf8dd87f63da58fa33d10529635632a6cf637

SHA256
ed522760b528f55eed17e3278fc66f73b1f7d46c07f0a83b5cfe577848077a0c

SHA512
18064954e413ff7e5503bb549bd0792fdb01889701c7ad84357b042bcbb0deab5c401149c0d268f5d37b9640c9f725c4e2c877d643b9df0d5ba9c70e40e5370b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB7AB.tmp

Filesize
660B

MD5
4a3d3a02628c1a6c746fc5222d0c8213

SHA1
874f7349cbc86e02f4681bcebc05d637e816ffe9

SHA256
dbbd0d43ead9cd5c3051d147efe6cbe50cd6cb831f7615c9cd5a8345149c8f00

SHA512
f83a56ed140d76e6f09d6504fa514624d4b74a3de025019af2efd953fc2050a2ac765a3a7f8b1d2c23d91041339a78ff06d7f1fca01e586a7cddfae5d3b34bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2372-8-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-18-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-0-0x0000000074FC1000-0x0000000074FC2000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-2-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download
memory/2888-24-0x0000000074FC0000-0x000000007556B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads