bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f

General

Target

bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
Size

78KB
MD5

d323cb30fb40bdcb6e0449367a1bea24
SHA1

2681d0910b80b36bd9a8bfd0a776ac613e9a769b
SHA256

bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f
SHA512

02c1756a71eeff857235d332094de3232feaaaf9524f05ff6134aa426b3b3c2e21fc5b6c23b06bb7e13d8a866a69be8bfe79124a9aa3f388f0fbfdcea3a69af0
SSDEEP

1536:Py5jSfXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQty6d9/w1sV:Py5jS/SyRxvhTzXPvCbW2Ul9/N

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2768	tmp2D19.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp2D19.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2D19.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
Token: SeDebugPrivilege	2768	tmp2D19.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2800	2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	30
PID 2660 wrote to memory of 2800	2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	30
PID 2660 wrote to memory of 2800	2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	30
PID 2660 wrote to memory of 2800	2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	30
PID 2800 wrote to memory of 2684	2800	vbc.exe	32
PID 2800 wrote to memory of 2684	2800	vbc.exe	32
PID 2800 wrote to memory of 2684	2800	vbc.exe	32
PID 2800 wrote to memory of 2684	2800	vbc.exe	32
PID 2660 wrote to memory of 2768	2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	33
PID 2660 wrote to memory of 2768	2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	33
PID 2660 wrote to memory of 2768	2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	33
PID 2660 wrote to memory of 2768	2660	bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe	33

C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
"C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\esajon-c.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2F1C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bdc703ea1f079ed10b0db659fae98fe0103b080e5a21191ecd1b4bb5cd30628f.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2F1D.tmp

Filesize
1KB

MD5
a73adf33c48d9a3357dd789021444d3e

SHA1
ee4aae3278e659ee78c5309cb3471363a2f582ce

SHA256
c490056a5e6ecf955921ed22156673e0373957808cb1dc0951a3ad5b76ff0753

SHA512
624f5d1b240fbaff458bdecd2e469acc79044205013fc269e656a9ccdc4a5ab04785adc2a8f7e241c060df236b2290cfedcfd13f0099798040d0567d1523b8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\esajon-c.0.vb

Filesize
14KB

MD5
b0515dfbaa3b1569c1fa392e25be2961

SHA1
d1aec4862296cb956ccbad7cb2c1dd631dc1bb61

SHA256
88244b221e485f532f95bc3bd58dae196dc5c9f7bc42d17af62348dc23bea14d

SHA512
f0d9c2d821b533ea080016187502cd4088171469702a729a3337fe8e95013f50718bd6674d79942c52a82edcb2e9a12311072d118ec902c3502c1c6959afe314

Download Submit
C:\Users\Admin\AppData\Local\Temp\esajon-c.cmdline

Filesize
266B

MD5
2830091f2b718ccb2b8b494382f342b0

SHA1
1fb967ba73bc1515db7e830c9dec50c844ac9ca3

SHA256
2f97e34459d216de5f1572e5a19341bb07b135744e78e3762b557a098c615a59

SHA512
8189bff7ba43e88abdfdb9d29c1a35ca9ece4ec360f09c9729b6cf4044f0a22c4995e3f981f5c85c0e3d56fca0b0dfa153074bdfd7480ab695b9053bd29d4fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp.exe

Filesize
78KB

MD5
f72279fa6b5c90046f5dcbf81fa701d9

SHA1
df76f84f3b2dd1ff472fa838fa56fc963fb1fc6b

SHA256
f4cca39e76bd011c91c9a58b7383728565ba21e53c37d8effb8e4743d251a9ed

SHA512
e9d10e3ae53967dd27067ca9ccc0f6da9eae5280136c373680659c4059c6b4de2482a2bbc1d029d681f9170022963ec87afd1e4aba51bbeba8c16d01acd36e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2F1C.tmp

Filesize
660B

MD5
2b608531fcea6f96edb158e4ad073542

SHA1
2e44dafbe131956260b6480a18dc8997eec10ada

SHA256
eec1b22fb1c1d560fd5147940b6b58c991b53ae83e4b77303ba42b31ba5988f3

SHA512
038a4246c5ecfe71ce07148b9bf511cd05ccee1b5450bdd5b5381d00dff0672a2a69879ef977e11ab4f2239f9d958032eda4e19076e03947bbd0d1c728557cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2660-0-0x0000000074351000-0x0000000074352000-memory.dmp

Filesize
4KB

Download
memory/2660-1-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2660-2-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2660-24-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-8-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download
memory/2800-18-0x0000000074350000-0x00000000748FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads