2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623

General

Target

2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe
Size

78KB
MD5

4adfd680023da3bf0963cb67d056a4c8
SHA1

8ba966cef1c6714a4f82cd2039438e56051631f2
SHA256

2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623
SHA512

fdc61c575eddac41a79dbeb6af0e2b22dc68f8016da18dcde4462dad4e0ba955f60d8091cfebdb64806c70c27f3ddcb45df00d660c588eb7dd252f2dbc88876d
SSDEEP

1536:kc5jSwXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC67O9/e1Vi:kc5jSoSyRxvY3md+dWWZyjO9//

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2584	tmp5B1B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe
2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp5B1B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5B1B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe
Token: SeDebugPrivilege	2584	tmp5B1B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2740	2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe	30
PID 2668 wrote to memory of 2740	2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe	30
PID 2668 wrote to memory of 2740	2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe	30
PID 2668 wrote to memory of 2740	2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe	30
PID 2740 wrote to memory of 2432	2740	vbc.exe	32
PID 2740 wrote to memory of 2432	2740	vbc.exe	32
PID 2740 wrote to memory of 2432	2740	vbc.exe	32
PID 2740 wrote to memory of 2432	2740	vbc.exe	32
PID 2668 wrote to memory of 2584	2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe	33
PID 2668 wrote to memory of 2584	2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe	33
PID 2668 wrote to memory of 2584	2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe	33
PID 2668 wrote to memory of 2584	2668	2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe	33

C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe
"C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fnvjqh-q.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C54.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C43.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
- C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2f03b48d9a284dd6560be825b965f8393cb8d5e5bb3bd6a860d4a28be9709623.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5C54.tmp

Filesize
1KB

MD5
e1af5adad05c5962325ed94528d068f3

SHA1
80ed5ae86b87c5cf0514770fcc5138f9554747bf

SHA256
312aebe2c0fd6dce682d19721614df1f97d62b0bb81ec8893b27208541c9a6b2

SHA512
1d2b1962f7add9680d9ff70ecebf25294af827855ec9d9c64831b74e36296ae0ac1c2b5d4c82ae91cf3d106b06ac5d0426bb084f45ee29f33781d4de34e1cb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnvjqh-q.0.vb

Filesize
14KB

MD5
798d702731e64f06a4caced619033d3d

SHA1
fbea0ffc6827fc3a8a30a26148757d9ad241d8c2

SHA256
7604bcf711d578d76d5155f85d02ac2c85afd8c243e8587128a79aefea799e70

SHA512
a9e0d8ed5f60a3484e161c93265d65a8825abe1a7f7439aa775c98e8b9a8acd59b48fb048794ba7d1dfce53559b7d7558abea1c6bc3e9341d76b95a9816db17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fnvjqh-q.cmdline

Filesize
266B

MD5
a777ed8e274fe3cd01cca2e2a47ca250

SHA1
ce52b5b73e01024fea066a3bba00ba8a14e2c5f1

SHA256
d4f06387cbc71ee5c311e9aa1c4e9dbf3ff202ff01a175188f254e6cea13a752

SHA512
49cc9bae5189a946668df547a25b1cd152a237501fc404f590d2311ba242bcf1f55b93f7c2ee8499c177e9ef19c57db30032589bc7086d6bb2c026cd5331412d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B1B.tmp.exe

Filesize
78KB

MD5
60c0680ee4ae7bacdbef91e5bd4f0856

SHA1
80cd65c64f3797710f6c181591af15b5335e9351

SHA256
1fe6aa80927a7e4a90a3b35415c7c11858270c9f1ea7d78a703b75f7d2a37cbd

SHA512
65e9f535d40804ace0cda2f7d69c2564786ce2fce0372f288685443cc627b0e2b1833989375aff367084bb13f0985ffa3825ffbb88af6f0c8f868d241fd764db

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5C43.tmp

Filesize
660B

MD5
1fb1ac606b89b5d98878ea0938ce2609

SHA1
e116c69dec9397109f5e2b1b83362952e1d48319

SHA256
25969d2f5e0e7f976416459ac989395c09801a83ca670481d5f4d31d83596b1a

SHA512
d2b6f3fe0b909f6091fa9ffd8e5bc3dfda08e60c05a60043000719dd73b05841e360e6e9718b4ceb06dcad7b0e45b1a9a5847fe7515384c8a81aa386f50a79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2668-0-0x0000000074891000-0x0000000074892000-memory.dmp

Filesize
4KB

Download
memory/2668-1-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-2-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-24-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-8-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-18-0x0000000074890000-0x0000000074E3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads