b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570

General

Target

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
Size

78KB
MD5

639265f6013573f257f7ab35a0fb88fb
SHA1

cf45a64368939a2b194c08b20bacb65824df9c76
SHA256

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570
SHA512

2f49048fdb55b0439552b428b2751f9dd9c0850280a950fcd85eb195891101ec4f96362ed3dde06dbdcc9d335dad7deccf1a935744ed0be387347d27ef5e5fe7
SSDEEP

1536:8Vc5lAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtS6GD9/A13F:Gc5lAtWDDILJLovbicqOq3o+n69/Q

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmpB165.tmp.exe

pid process

2288 tmpB165.tmp.exe

pid	process
2288	tmpB165.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe

pid	process
1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpB165.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpB165.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exevbc.execvtres.exetmpB165.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB165.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exetmpB165.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
Token: SeDebugPrivilege	2288	tmpB165.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exevbc.exe

description	pid	process	target process
PID 1292 wrote to memory of 2548	1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	vbc.exe
PID 1292 wrote to memory of 2548	1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	vbc.exe
PID 1292 wrote to memory of 2548	1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	vbc.exe
PID 1292 wrote to memory of 2548	1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	vbc.exe
PID 2548 wrote to memory of 2080	2548	vbc.exe	cvtres.exe
PID 2548 wrote to memory of 2080	2548	vbc.exe	cvtres.exe
PID 2548 wrote to memory of 2080	2548	vbc.exe	cvtres.exe
PID 2548 wrote to memory of 2080	2548	vbc.exe	cvtres.exe
PID 1292 wrote to memory of 2288	1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	tmpB165.tmp.exe
PID 1292 wrote to memory of 2288	1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	tmpB165.tmp.exe
PID 1292 wrote to memory of 2288	1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	tmpB165.tmp.exe
PID 1292 wrote to memory of 2288	1292	b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe	tmpB165.tmp.exe

C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
"C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h-bp_grx.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB27E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB27D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
- C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b238414476b03dcc16a8272a8771986be90de8a5997fa9383983c073f05e2570.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB27E.tmp

Filesize
1KB

MD5
3405930fd5ffb4f888d239877e89ce26

SHA1
0f547eb703f43f4f866f25e622e6adf0a9a1440f

SHA256
163331a96f6ddf1ea0d35e304a200ebe8c91c9406d6d1e3afdaf6081a37a64b8

SHA512
e4ab3eb79e26a0252f3085b86a6e0f95c8fb4c43bc05772eeeaf51e2cc295ba6f732d53a7c4b03772999a544e486f3d4da023cb8bc8ca2a9e8f9a2a8c5a80bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\h-bp_grx.0.vb

Filesize
14KB

MD5
d39809f5b6c7dfca17cbe6b793f682e4

SHA1
ca75b3ca02800605d295fb086d24f51652a13bf3

SHA256
a1b800ac1307d169974a3e933334315455d97e17d57c43a23f5d75d48362fc31

SHA512
c56c41724beea1ad14df3d8abbe0dacd46ed695acbd1a6cb43e6beb173a6fcf8d411a4420f385fe1ca3b0bb534b4828f77002738cd2479377f144550d9fc828a

Download Submit
C:\Users\Admin\AppData\Local\Temp\h-bp_grx.cmdline

Filesize
266B

MD5
06d3c988e27ea3597ef67295a7b932ab

SHA1
e4a409d2f23cec55cefbcb6c827f4ed0c12fba31

SHA256
a3d44a7821471955dc76f311233065e4a386a2f6d5d96460206a9c8bdf1449d6

SHA512
27107a4c45f8029fde96d3d17bb53b356b6799bc64ace03f4095729e597081f0eee9e0a228e9def8b3cfd49db1ce919f45989a59454e92099af571a46cf06e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB165.tmp.exe

Filesize
78KB

MD5
939d261f432e07e1ba1d3d2abca61cf0

SHA1
cc6db01681c76c3edb3439a682f984548be042bf

SHA256
a221a635c6ce41813adde90bd62190dfd8220a87df0913bc13cc3ce1cb71867a

SHA512
ddb0a5c09e9ce920671b04bab3833b7c4cad87948c3b98f48c45ead5b74cddc5f56050ec0b3955c5de3b326e54ee7144494261e24bd8939b8e3429bf4de512c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB27D.tmp

Filesize
660B

MD5
5e80f47a3ec03e1a06232bfbb1966184

SHA1
ddbadf7d102fc8c0db4b46b21249a6d4b0fe2e21

SHA256
2f5e1046ce4d9f472b57e6ac1c9a8e53f50ec7e6c9d4f968198a2bbb00a37836

SHA512
9a6a5835ac84d48458d573f94cb3f63b9fbf8848c8cd3615a942e0ad38cd12568b0ae23a1e5ed2660858a4ee27daf858fbe646cf600c32165d66d0295b8317b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1292-0-0x0000000074201000-0x0000000074202000-memory.dmp

Filesize
4KB

Download
memory/1292-1-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-3-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-24-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-8-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-18-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads