e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76e

General

Target

e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe
Size

78KB
MD5

083e1caa9f36b4d52f87cff1c12846d0
SHA1

ace541deffacdd8caa7dbeb33c9eb540065fb346
SHA256

e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76e
SHA512

60cb4a22930de024052ded13b60edbf411b2ee3260ac712210cdcd7459f3a69cdc5aead90f98a838a52969016f39d0bd717c113a3c892a33ea1000a8108e0fac
SSDEEP

1536:ayV5jS2pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6F9/y1XI:3V5jSoJywQjDgTLopLwdCFJzN9//

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2724	tmp54E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2724	tmp54E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe
1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp54E.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2424	1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe	30
PID 1444 wrote to memory of 2424	1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe	30
PID 1444 wrote to memory of 2424	1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe	30
PID 1444 wrote to memory of 2424	1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe	30
PID 2424 wrote to memory of 2844	2424	vbc.exe	32
PID 2424 wrote to memory of 2844	2424	vbc.exe	32
PID 2424 wrote to memory of 2844	2424	vbc.exe	32
PID 2424 wrote to memory of 2844	2424	vbc.exe	32
PID 1444 wrote to memory of 2724	1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe	33
PID 1444 wrote to memory of 2724	1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe	33
PID 1444 wrote to memory of 2724	1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe	33
PID 1444 wrote to memory of 2724	1444	e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe	33

C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe
"C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gnnh6lmf.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES723.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc722.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e7e1c0f58c1a7339b56fb59eb88d5b72add931c37a333680ba12182723c5c76eN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES723.tmp

Filesize
1KB

MD5
3558379d87315d88f0485d50be71b5bf

SHA1
84f1d4817f0d6927d641a918785b776774dc96fc

SHA256
1a972671a341361d609d8edf92e9252f3793f59957b0d231edb73b24c3e9dada

SHA512
9a0ee0f8275977c6b47e1a7c7b7d9e1bb73120945316d2ea8aed256b775bac105704f276ce78cdb1ec2ba9bd4d9920f28dd5a95bedf9f6c397e419258904fe4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnnh6lmf.0.vb

Filesize
14KB

MD5
d6bfe8b204cfb96a7c8bb7b0d0c386c8

SHA1
7d6ca8d9fd3706b24f138d7cadd895cf48af9f2c

SHA256
46658309c82b5a46955bc682be53ed737cfed636067578ae82651ae70825ae99

SHA512
4b0bd109ba6c15a3be5e596a193a7e2307ecf0927239ac8bf65a0827128e6bfe6a8dc707b75ed1679b332db7934a18f534aabe7140f0e84ffe1486d7f423c999

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnnh6lmf.cmdline

Filesize
265B

MD5
5a742bb856abe23807ed053e5a3833a8

SHA1
5c95af0c9a5605f8d89278a9ed628bd267699b1d

SHA256
faf180afa99fbc281645fab9a3925a8358ecf93fdfe5c2feff93d20446f68149

SHA512
946d42b03837db9a4c79d813de0388d6d949beaae675a4e13388ea81f32c217875042952c681f5ea34071f9efa0dcd3dcddde9a126f0da0636a71a94ada9346b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe

Filesize
78KB

MD5
f478fb806dd14027b89b0295e786cfcf

SHA1
e6745b5a1da3ad1a5181e851027110fc03c3b462

SHA256
ffd25055716ef86292d76d73255430f9702d4b5dfa84cf0a47910e590ec2881c

SHA512
eba7cad231233dee198aad1d648e865567ec2659ef7b4aeb2b61575dd297fd8119534f0bb62038760b2d979ff0754fde3833e0711ae2f2d796a011becd8eb2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc722.tmp

Filesize
660B

MD5
e7a91f98d4e6da0a16a4b9261e29cb91

SHA1
3337d3035764d0c0672db988ea9e84fd15aee403

SHA256
218ff786e6fb112e560af6761feeecece7b3bc90a4dca250e3efacb6476c9f0b

SHA512
bf7bbd1ba02111ba332597d5be1fc5012ed85fa8b17c8af71378b826b918172e76b4c280617a4188eb01eef77b0489878d09493ca932a5a8d2a2632151819de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1444-0-0x00000000744A1000-0x00000000744A2000-memory.dmp

Filesize
4KB

Download
memory/1444-1-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/1444-2-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/1444-23-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2424-8-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2424-18-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing