a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610

General

Target

a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
Size

78KB
MD5

3d2f979953107bd80d5a53b523e4fde0
SHA1

ddc2fb5add85c6742d37c887949755fff808a9b9
SHA256

a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610
SHA512

44663882d6e3d15e495ea1bf90eb157a50cd3e6da6611cbc57dce9a963bdf7b5367b17e6734ecd54f5b8cb8b5cd01cd8e98a00c4a51df8e5e5ce50a4e861c498
SSDEEP

1536:myV5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti67F9/g1Jv:DV5jS7JywQjDgTLopLwdCFJzDF9/U

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2592	tmp1C5.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1C5.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2832	2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	30
PID 2068 wrote to memory of 2832	2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	30
PID 2068 wrote to memory of 2832	2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	30
PID 2068 wrote to memory of 2832	2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	30
PID 2832 wrote to memory of 2904	2832	vbc.exe	32
PID 2832 wrote to memory of 2904	2832	vbc.exe	32
PID 2832 wrote to memory of 2904	2832	vbc.exe	32
PID 2832 wrote to memory of 2904	2832	vbc.exe	32
PID 2068 wrote to memory of 2592	2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	33
PID 2068 wrote to memory of 2592	2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	33
PID 2068 wrote to memory of 2592	2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	33
PID 2068 wrote to memory of 2592	2068	a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe	33

C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
"C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jaldkrmo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a9ef922ff710081e2554ed94730b8dc620b7aae384d275e27e7024ce02e91610N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2DF.tmp

Filesize
1KB

MD5
4ffae47b9e6ee1cbc5bc447d86ed9199

SHA1
347bf66e4c03da89ef986cccb8eb5aa45ea1ff1a

SHA256
c09f0085dec225e551167b4a3787b50d59e13200f76cb841dbb1599e0be607a2

SHA512
503504d6f4a5c63f9d3f59d1b507fceae1221087a76293e33f79689572b4635dffd107dcbeae051f361c2f24d27ba57b58622963f6e56021de5d6c4eb47bf27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaldkrmo.0.vb

Filesize
14KB

MD5
65be1c9ec8946f955bf726f82ab538af

SHA1
db5ecf08093186e4cfa0c62233c222a230ecef07

SHA256
61c4a9eed48b37c74b371149f53ef71a3d0233264c078128150b16ae837e2697

SHA512
53f80f0e69f10f2c24231d295d036a829edd019a7a3652266b8d60f0ccce26b210ae23459c0184a6df199bbec191f378a86b711e6f48eddd4c336e3c16861860

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaldkrmo.cmdline

Filesize
265B

MD5
3c3c99b197e5c5a210413b18a00e47f2

SHA1
760b575c2086f602f7104e4104c8dc277e3bb47e

SHA256
2292a0c6378b74d3a59847d485f862f67084f5548b0e0c12544dbdbdbc08365d

SHA512
de1195fc5ce12ff0140f2bffae79cc9b923b43f88e4f31e01fdcf983a9d4bf24260e4969a8c0bfe3d15fed89d96f5b5c77ecc0220d38a9d9407eddeee37c9bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp.exe

Filesize
78KB

MD5
90adcadfc936a12a5426f857f0cc6032

SHA1
a2fcde208c0dd519101bf611dd75f2c3da2026f6

SHA256
a8eb1d1cbc324b6a71678d399adefbdb441226c6b5f9650bb80eb482f4e6df88

SHA512
9d528aed2ce1a02c3b85bd436bde010e6158035c2e7d16f5d844be137084d4443f5c273547bb433e2452314c101abc14c21145884aeec6660e6ca021db24f977

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp

Filesize
660B

MD5
75406e6f33f9a1f3a00b4e51b2df31ef

SHA1
847fc8a6f51d0a5bce417fb7b413541bf0cbc2a7

SHA256
f892fb45345eab8488e516638a0e252ef4b0013a6ed07db9fb217fd80d5e8898

SHA512
2f491227c8f4e767344a517ee163474e01d8bfefe3338b4ef1d217e6ccd663515ac2ee5dd91c0607d6592a12b26242bf9d97e5dc420ff9f326ee975970accead

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2068-0-0x0000000074D11000-0x0000000074D12000-memory.dmp

Filesize
4KB

Download
memory/2068-1-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2068-2-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2068-24-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-8-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-18-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing