5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530d

General

Target

5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
Size

78KB
MD5

f3f5a2d7317fe6bbfc8e956b8f05f720
SHA1

5335b48c16b8a577344e8c11c82a7847a1dcd8ad
SHA256

5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530d
SHA512

da53f307a6a1b92ce96ee594c3fd8f7380dbcc0543e5a08c87877a05680946d8835a45f346fa4e1223e28eeac21bc13bc75f43cd4b461f237c252caa30392e54
SSDEEP

1536:MHFo6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtRJ9/f1jT:MHFonhASyRxvhTzXPvCbW2URJ9/d

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2980	tmp7E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7E.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
Token: SeDebugPrivilege	2980	tmp7E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2548	1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	29
PID 1564 wrote to memory of 2548	1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	29
PID 1564 wrote to memory of 2548	1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	29
PID 1564 wrote to memory of 2548	1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	29
PID 2548 wrote to memory of 2684	2548	vbc.exe	31
PID 2548 wrote to memory of 2684	2548	vbc.exe	31
PID 2548 wrote to memory of 2684	2548	vbc.exe	31
PID 2548 wrote to memory of 2684	2548	vbc.exe	31
PID 1564 wrote to memory of 2980	1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	32
PID 1564 wrote to memory of 2980	1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	32
PID 1564 wrote to memory of 2980	1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	32
PID 1564 wrote to memory of 2980	1564	5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe	32

C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
"C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qjqwuokn.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d9a0276c5b56b42f488b86bd553e1692243d079a1a715564b48d87d91e1530dN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2CF.tmp

Filesize
1KB

MD5
b6a9db8a3ec3dbe72e701527379b00c6

SHA1
338a3119397ce02ebf3e00399d309d6d236da490

SHA256
c902e2de0114c880a3aec040a585dca4ab11d7780117849ad2ae119d558c2162

SHA512
8109237785ca6559b5b31ce8cc3276e468f8461326289058bddde0576ea35b1ff45e6f7a3e3f9b282da4a2cbd346e026cedf87d1c09471ab6273dc8fc431c561

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjqwuokn.0.vb

Filesize
15KB

MD5
e5efca5b95107a7f079a43a6d582cc05

SHA1
e5870fac1097d5988460c399e3d6a21f14fe3cd6

SHA256
247fbe93d6ed2f1b0481c8d06abd656ec0db1b6485d7c591c114bf38792a106a

SHA512
1b66154d0dd94613106dc28188dff108ee64e8f3053d129270adeadc7799c2422ce68413d9f560dd19436d0633fc91d11cf964265cbb4b1d63cc408c81c46add

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjqwuokn.cmdline

Filesize
264B

MD5
75cd06a1b925fb38c0e4007f30db6216

SHA1
aa8c4c0edf4e72281587e63aa16542f1a785b3da

SHA256
a7bf52f754ef16b2b20417befc6c15f25ae6d1bd4001e3bd4f60e5ebd5ca6c99

SHA512
809fe440e96044ebfae67fa026c6e05b657cf463cb0b4d560a5cd6c4916505e07110f5e4385b580e8915f6367e284c669b5de5c65d3a1501c91f48e7a2a3b912

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7E.tmp.exe

Filesize
78KB

MD5
1c749eb49c53931306d40063e1933744

SHA1
4eeec30480d14e17804e5f02164c51a4d45dc550

SHA256
314a625ada99172ff18633c2b251dd37de955109b00698c106b04b2432742765

SHA512
c5a005020628c6f1bc766a082c449878e1ccd1cb3cee192bf320147c6bbbb1a414675b514449eede09bbed4e2b542db2e92c934fe7296b72476a3a5a0f5252d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2CE.tmp

Filesize
652B

MD5
c358198688a140b94fc3585cf86be5d9

SHA1
c58f405925cef1690b22f43046b7e16bdd32c1df

SHA256
69dcb6778f6aaa1c49e64fecbd5429d32b05098871fd95651fac8dd8f1301b78

SHA512
0d3d54611c8acfe8108a6b78155b06d09a5ac80a8c987426a6f1e2c1c55877e2be9d9a790968b096806a29eebcff627ff85fd6a504e98f60740d44c19fc00ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1564-0-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/1564-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1564-3-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1564-24-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-8-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-18-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads