3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099

General

Target

3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe
Size

78KB
MD5

1f11a1453b73145b7a2ac0a60d2f7fc3
SHA1

543c2de427870b9cf0d199c821c0f6dd9c9522ec
SHA256

3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099
SHA512

250af54f6129ce74d211a72150297b29b147f4841b6dabfd92a19a97cf623e51961c5fc29f7f49786a435c50f77a42a6e55a230c941771696e3228e1b3922c29
SSDEEP

1536:Je5jSgpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtC6R9/nb1iHn:Je5jSeJywQj2TLo4UJuXHhZ9/nmn

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2072	tmpA303.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2072	tmpA303.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe
2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA303.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2088	2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe	30
PID 2348 wrote to memory of 2088	2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe	30
PID 2348 wrote to memory of 2088	2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe	30
PID 2348 wrote to memory of 2088	2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe	30
PID 2088 wrote to memory of 2688	2088	vbc.exe	32
PID 2088 wrote to memory of 2688	2088	vbc.exe	32
PID 2088 wrote to memory of 2688	2088	vbc.exe	32
PID 2088 wrote to memory of 2688	2088	vbc.exe	32
PID 2348 wrote to memory of 2072	2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe	33
PID 2348 wrote to memory of 2072	2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe	33
PID 2348 wrote to memory of 2072	2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe	33
PID 2348 wrote to memory of 2072	2348	3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe	33

C:\Users\Admin\AppData\Local\Temp\3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe
"C:\Users\Admin\AppData\Local\Temp\3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m-igoqly.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA42C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA41C.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- C:\Users\Admin\AppData\Local\Temp\tmpA303.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA303.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3cb69feb673453fff02ad4fa6c49a87052408a50740d7ae031e539fdad2f8099.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA42C.tmp

Filesize
1KB

MD5
6b7fac33d3bd1ae6927da3becda2a5e2

SHA1
43485e46634cd328588d2fb6a596f5ea49098dcf

SHA256
7f1afe9417fc297bf2ecbf42ba52df66ed9113721f0b5425fcdfa486d7e0418f

SHA512
0da6ce04071f8ee4b7e59513a03dc4c778e14d3dd9e69e1e9ea122998e2f3ed88731238a3dc3515f51fd8a30f74f758e6aab1707a5a0db34b9b43a47a9a9f32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\m-igoqly.0.vb

Filesize
14KB

MD5
573cf5133b0bd3920ed5ef3f70688f05

SHA1
8d4c57efe6f74b98c4f1506a32cab4093630fdeb

SHA256
0dab3a0db137cabcdd2115935293812fb307588087831e002cb278c00843fa8e

SHA512
3c780c8a93e8e87c9429f96fb2cef171eabdf3361edfed5a9cc8c707469cb33d54333396e78f1a04a4c7efd69718ee7b744b716ba6fd4d5555fc60a831df2dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\m-igoqly.cmdline

Filesize
266B

MD5
c48acc0d46aa4a3e96a707e80056f685

SHA1
b201d7c722de2cf27c6a89344cdef2a5d7940135

SHA256
bba6ab795a883231167abeac0234bf979b97428bec8f47ae6c11de9b5505e1ab

SHA512
dffa9fa10823e0c51679158f33633e6bda0b428d3bd82a4c378d58e3b42f5f080bea039bbc78cc2c3c1c1ec955d6b1c0a8e0ffefaf952eb5463f2604af00e805

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA303.tmp.exe

Filesize
78KB

MD5
7489a04232759152d65fecc0e19e0d92

SHA1
bbf79592f8a3cdb0c6cc4f244153cbc036e0822a

SHA256
17c1f219f5c58e9292590fd227d88fb631d709538ed40bd2c7643a2095b15003

SHA512
debc46a4be04757094f312c8330d9f7c62183e63c0c4de9950baab002286be73bd21ab43f02cc40828736ae8e5701bff166cda05d3fb6735fd189d247cfa4b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA41C.tmp

Filesize
660B

MD5
2c30d99f6850b8af41fcd02b684d0fa6

SHA1
ea5ef081279312f83626e4f9e170e6722f87143f

SHA256
8a21ba3f5433618bfa43d28f6a1b58e7de8bf47483185b0afc31874fb6edf025

SHA512
b9723c6f3fd4ec8e53afb981346969f84e9ea4b9291d261327d71403801a6d510a8fff691f8425f897c2bedf62a9d50d5a8941cc74af4afb3cec7fd14f1c7661

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/2088-8-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-18-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2348-0-0x00000000742E1000-0x00000000742E2000-memory.dmp

Filesize
4KB

Download
memory/2348-1-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2348-2-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download
memory/2348-23-0x00000000742E0000-0x000000007488B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing