d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273

General

Target

d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
Size

78KB
MD5

1bcb46b33c8090dfe71118c387d072f0
SHA1

9a3d4fc274bc581f266f8aae273251cdf0148075
SHA256

d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273
SHA512

15afddd4461a0d91c4bb22cc9da7f6a3a3eaa62d3779dd7b530668cff1174d21f3927c90a24d9730e0b540357662cbbe968f47c7c49c0746094c109baa3dfe83
SSDEEP

1536:+y5YXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96l9/ej1Dr:+y5gSyRxvhTzXPvCbW2U+9/W

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmpE791.tmp.exe

pid process

2596 tmpE791.tmp.exe

pid	process
2596	tmpE791.tmp.exe

Loads dropped DLL 2 IoCs

Processes:

d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe

pid	process
2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmpE791.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpE791.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exevbc.execvtres.exetmpE791.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE791.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exetmpE791.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
Token: SeDebugPrivilege	2596	tmpE791.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exevbc.exe

description	pid	process	target process
PID 2704 wrote to memory of 2860	2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	vbc.exe
PID 2704 wrote to memory of 2860	2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	vbc.exe
PID 2704 wrote to memory of 2860	2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	vbc.exe
PID 2704 wrote to memory of 2860	2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	vbc.exe
PID 2860 wrote to memory of 1040	2860	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 1040	2860	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 1040	2860	vbc.exe	cvtres.exe
PID 2860 wrote to memory of 1040	2860	vbc.exe	cvtres.exe
PID 2704 wrote to memory of 2596	2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	tmpE791.tmp.exe
PID 2704 wrote to memory of 2596	2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	tmpE791.tmp.exe
PID 2704 wrote to memory of 2596	2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	tmpE791.tmp.exe
PID 2704 wrote to memory of 2596	2704	d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe	tmpE791.tmp.exe

C:\Users\Admin\AppData\Local\Temp\d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
"C:\Users\Admin\AppData\Local\Temp\d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-ugvwsun.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE937.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE936.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1040
- C:\Users\Admin\AppData\Local\Temp\tmpE791.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE791.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d2c09b96fced3db6421d45a7855103f915e1f01ecb822c95174ffe7ebee00273N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-ugvwsun.0.vb

Filesize
14KB

MD5
138c91e97e1ae26550eea6b1ced9ab0a

SHA1
d3b7f9c161b7dde481025d4a34f80d39fa27dc39

SHA256
b6e8cff50d0936eb88ae10143474662dc0aa7548e5a60c67cdc7090b98776607

SHA512
a7b0b7548994b518c98ffcc32d18f6efce316856b26cd68a4eb55c5415a01e8cdb82f7f135261640c991623d2d6ec2b36aa1ebc7b46a91edb3c6d297c86576f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\-ugvwsun.cmdline

Filesize
266B

MD5
3cb6382ec99144a128b2eefa04eb1327

SHA1
fc350db330e8484314dd3548b6fc4c7c721b83f3

SHA256
4eec1b83a5d98ca7ccff1e88571f676be159bb4fea5553149b283035314e8dd0

SHA512
3761beb1f8592e92e85a3288991187baa35ecb495387d5dc1496b4e2fa051867d53d3cbff72259e542d58739e1941c782a55d7d19fa03207aa98fddb90a5359f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE937.tmp

Filesize
1KB

MD5
81f0d4ab6fd9ec38eb4858a2ed478f25

SHA1
439e614e9aef573cb641b14c0fc07581c508a0aa

SHA256
d8d99d8ea2e3ff91f7d00f8c04a15d160c8638c2e7515db979229e24978a9806

SHA512
602c431048c9102337c5d7f7e5a1072ec04990aa72ca7e25bac64618de520a8b4012a5cc34aa313df1593d780db68acc2db1e32d6b0e0374a0cfade7a1967647

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE791.tmp.exe

Filesize
78KB

MD5
215e3143ff0a3d30dc332452a902e77d

SHA1
088329a84dc3c31339eaf4ee4037943fd1c721ca

SHA256
694cee4adf940a944628235a62354d7fa48bcc08d21cd9d8dd99b2f416685a8c

SHA512
7f42d573eb15356875a84d6b2230b6218bb6465f4a46f1e58f0a64086702e62b38ffd98a8af4f3705be80b7b256c09afe8b600a761415db7f39749ad662efe53

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE936.tmp

Filesize
660B

MD5
c901c9f8646711ceeff2a5135875b323

SHA1
8ea32f5a4c3dda597ff8745fcc91ba7d85e74c13

SHA256
1fe14aecb174fbfa74a0b8c4f0e9ccadb861a653b34e438c57e23ad6b193e1c7

SHA512
4960c1afe53260e9ff283954f2e3131fe4f9a9f234f9d84114a0268d2a35fe1f95da2f97d4b488e0da698c07f68659cd997e5dd347bd160acd706dd93235a079

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2704-0-0x0000000074491000-0x0000000074492000-memory.dmp

Filesize
4KB

Download
memory/2704-1-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-2-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-24-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-8-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-18-0x0000000074490000-0x0000000074A3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads