94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52b

General

Target

94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe
Size

78KB
MD5

0e3e82661b76faee66a115a0401d5c70
SHA1

d6b65617cbfb1c17b9a9989317ad6eb4a02e9b6c
SHA256

94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52b
SHA512

a766664d546ccf3debba635d7581bb5dd611bf669a93aaa0c4f5a5eb8894ed3baeafbbf808539616bf67a797ec51c9f252d4d493a421fe397dfe0da1794db145
SSDEEP

1536:L58XLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtS6k9/u+1AY:L587E2EwR4uY41HyvYs9/um

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe

Deletes itself 1 IoCs

pid	Process
3180	tmp8F5F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3180	tmp8F5F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp8F5F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8F5F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe
Token: SeDebugPrivilege	3180	tmp8F5F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2756	1720	94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe	84
PID 1720 wrote to memory of 2756	1720	94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe	84
PID 1720 wrote to memory of 2756	1720	94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe	84
PID 2756 wrote to memory of 4680	2756	vbc.exe	87
PID 2756 wrote to memory of 4680	2756	vbc.exe	87
PID 2756 wrote to memory of 4680	2756	vbc.exe	87
PID 1720 wrote to memory of 3180	1720	94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe	89
PID 1720 wrote to memory of 3180	1720	94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe	89
PID 1720 wrote to memory of 3180	1720	94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe	89

C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe
"C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_mym-pfs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9078.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc463D82C58CBD4FD3976CF844EC8F32.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4680
- C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\94a59b9c7c21f10dabd2037921a755d8d60acc33415863ecbc9e64c5eaa2b52bN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9078.tmp

Filesize
1KB

MD5
9490099935311c99874b93437e019ad9

SHA1
6d0f5963cfc9fef721b9f67ab8fcf58e831c489d

SHA256
e4681c931446027ad5862ff8db3f1cafeca3d12d228a411a5add5248534d84ff

SHA512
8c8f7bdb103e78bdca8bdb24233d0d604e5f8b6eae4862fc2a5274d9033c12fbfef9f4517dab73bc0efbc2ee4d7cf1ca5150a77539e8c0e7770a07a2483665d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_mym-pfs.0.vb

Filesize
14KB

MD5
598fe73a88949020ddfe50870da65e9c

SHA1
3469fa4c76c4cf7ce2eb9b941be921114d8b1eaa

SHA256
3a0e832857ab9435c86973bc82eaf737f67ba7e71ef959708cddee28cafda97b

SHA512
3bc602afcfa0b96ae6927e3f23e4cf3b54eab3ab63e9c37dce486ab47c6204f30aa184d06fad191514d879d38737c32d4bd0ae5ea204c921b3fa3e2fb524651c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_mym-pfs.cmdline

Filesize
266B

MD5
48e6332a5b083340f2456bb101e2cbb1

SHA1
fadac5c608d61e623e308d80d2136e1c47066426

SHA256
4d477e06a356f276311772ac10cc405d976b0606ff4a32f07cd7af84a9ba535c

SHA512
09decf5aeb33c4c34913f667c7b4885b201760b1cf2b55ee72f3663da2ca723b112fbd558a843521cbe7c832301f095ec505331801a0efc80806824befcd8533

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F5F.tmp.exe

Filesize
78KB

MD5
7cf8103b7f88099cf61dd0d2995ef009

SHA1
29843463e001528afa9205a99764bbb434c196e0

SHA256
75a1ed3ab304d2d7c443e2cffb13ae08d2a2c34da22c32544e8e89e64ccd9adc

SHA512
a69b3e061191838369417c36ca0df144309eda3b40f59086790fd1f1f19eda33807a82448dd6faf3eb12bee814b9eefb57c01aae7b0adf96b2345018b3d6b376

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc463D82C58CBD4FD3976CF844EC8F32.TMP

Filesize
660B

MD5
6de6752b6791f328c5a6d8182f86d477

SHA1
19207a69bc05f7ba23afcb00d802b630b730e68d

SHA256
5b63520b52b463298f2c806f00dad110f4804a37a73324bf29ce3bca2024929b

SHA512
7c4b4dc1208488a90a96f76fb7cd3ddcdfc1f932bd761f75e9be412debbece8c8ba34410461a5b4d1094ed4646336806aeade935ef671b082efee01effa8567d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/1720-22-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1720-2-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/1720-0-0x0000000074A52000-0x0000000074A53000-memory.dmp

Filesize
4KB

Download
memory/1720-1-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/2756-18-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/2756-9-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/3180-23-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/3180-24-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/3180-26-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/3180-27-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download
memory/3180-28-0x0000000074A50000-0x0000000075001000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads