459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e

General

Target

459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe
Size

78KB
MD5

6d67df35944bf3ad49ced1b91c245bc5
SHA1

f74f514f6ad74ec6a6da89075ab79164fa2308ed
SHA256

459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e
SHA512

248ce399d8f7d02bcc693e1c47362e6d654fdd543bdfc70cb31ceb35a6c822a2768363f67aaa769e6c645bd2b4d9aa7d11fbc8fd4a0b2c0b690ea40853dc4130
SSDEEP

1536:phPWV5jLXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt961i9/vB1i9:LPWV5jLSyRxvY3md+dWWZyGi9/G

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe

Deletes itself 1 IoCs

pid	Process
3204	tmp9097.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3204	tmp9097.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp9097.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9097.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe
Token: SeDebugPrivilege	3204	tmp9097.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 3852	3884	459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe	85
PID 3884 wrote to memory of 3852	3884	459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe	85
PID 3884 wrote to memory of 3852	3884	459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe	85
PID 3852 wrote to memory of 4176	3852	vbc.exe	88
PID 3852 wrote to memory of 4176	3852	vbc.exe	88
PID 3852 wrote to memory of 4176	3852	vbc.exe	88
PID 3884 wrote to memory of 3204	3884	459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe	89
PID 3884 wrote to memory of 3204	3884	459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe	89
PID 3884 wrote to memory of 3204	3884	459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe	89

C:\Users\Admin\AppData\Local\Temp\459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe
"C:\Users\Admin\AppData\Local\Temp\459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-kbp1cl_.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91E0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc708C2D74D5744634ACC8D42CDE722C7F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4176
- C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe" C:\Users\Admin\AppData\Local\Temp\459af3c8861d19444a5bb1e9de5e4242ba6302dd8f3692b5930f0eb2c8ed6b0e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-kbp1cl_.0.vb

Filesize
14KB

MD5
0684915a2f6e8050e4572ff33a8c9ff0

SHA1
d9dca3c64bd895314511487f3c005864a2480ea0

SHA256
46fb8e384225e5dcba1f3ec6520558f070ae72c801b7b0ec8a2785e70e845642

SHA512
eb5c320d4c570557b21c4cc34202553eba57f1a7469ea3de5ea686bff0017a2a4d735d33b179ab834905e7d08b1c8a814c94a137bacfb02d9044f807851b174c

Download Submit
C:\Users\Admin\AppData\Local\Temp\-kbp1cl_.cmdline

Filesize
266B

MD5
310279e8e8268908dbdd64609a289fac

SHA1
ea49eed2ae258b303bf5f9531e647ce5a24382a6

SHA256
bfb62041848995d099dc7a0062d4cccf0252c5ed414596bf9dfa5298159ac4b8

SHA512
fb63b8ebe198b87589ed7182efec43349ec14e77a093aae47cbcbed3cb552ab5db32a6e0ba7223a024842b56913fe24e76d54ab8147849de55103f1afc231df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91E0.tmp

Filesize
1KB

MD5
cfd7bf8597aeaf9e24df3b985a30d75f

SHA1
a80d8a4157d31aa8533bca8d52882eaed1e4687d

SHA256
26c5978036f3c8c18e054ffd651cf6428d25855d271998c7aa585e5807af1d63

SHA512
952b05c5615dfaa168244e8b37aac6fc2f10775919b43b5a06ab1e61922c62058b9065d38b979cbb5621e59f942a39ac4d2ec023601b8b939354410b3b82bec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9097.tmp.exe

Filesize
78KB

MD5
c0fb05def995ef1624c628f6a9227f0c

SHA1
ab628ceb1661c1caa9390414b7f9e0db4f032aaf

SHA256
9229d3f107bda530b98e2c42fc00f59e8cc36b7cb080a6f5806771ec9be93988

SHA512
5920e141403b5a5ff192c470f9fd927fe0558858d602aa7c51a9a4adc9c70e30caf2677198fa8112b5ac69960f1f547927aee1acf9acb8a4a21d7496bbc591fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc708C2D74D5744634ACC8D42CDE722C7F.TMP

Filesize
660B

MD5
46a9a1d65891d7131dd5286f52c6203e

SHA1
a6fe8efcca856334b1f8b9a35627654d699f0d1c

SHA256
e7abe5e7c2ab777e3fc56a8b4cefc61d29c8b16d3517961ae0cca57855ce1584

SHA512
5a70bda074f6c31fca36e61a7958a07c770ad8225d0cd84ecae2355b4fa1a02abde1781822b644fab128a416ee1be2626bf177d53e9b10ae9ef9858bcb7e059f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/3204-24-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3204-28-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3204-29-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3204-27-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3204-30-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3204-23-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3204-26-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3852-8-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3852-18-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-22-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-0-0x0000000074F42000-0x0000000074F43000-memory.dmp

Filesize
4KB

Download
memory/3884-2-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download
memory/3884-1-0x0000000074F40000-0x00000000754F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads