a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954

General

Target

a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe
Size

78KB
MD5

6fd1d6408ef2c4b1fc75cb8ba9517110
SHA1

a26a7ce37aa97802bd266304b5b74a0370bd48a4
SHA256

a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954
SHA512

66f874efb594de7e3954ede98f71f1ce1889fd855f09a8deafeb621114bcc266480491d98925456bb721253273759c729b914019621e70d209cf500dcc11722d
SSDEEP

1536:IvWV5jKpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtt6U9/T011h:+WV5jEJywQjDgTLopLwdCFJzL9/6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2664	tmpEC81.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe
2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpEC81.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2644	2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	30
PID 2808 wrote to memory of 2644	2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	30
PID 2808 wrote to memory of 2644	2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	30
PID 2808 wrote to memory of 2644	2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	30
PID 2644 wrote to memory of 2688	2644	vbc.exe	32
PID 2644 wrote to memory of 2688	2644	vbc.exe	32
PID 2644 wrote to memory of 2688	2644	vbc.exe	32
PID 2644 wrote to memory of 2688	2644	vbc.exe	32
PID 2808 wrote to memory of 2664	2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	33
PID 2808 wrote to memory of 2664	2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	33
PID 2808 wrote to memory of 2664	2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	33
PID 2808 wrote to memory of 2664	2808	a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe	33

C:\Users\Admin\AppData\Local\Temp\a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe
"C:\Users\Admin\AppData\Local\Temp\a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bedvx-0e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE94.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE93.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- C:\Users\Admin\AppData\Local\Temp\tmpEC81.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEC81.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a37830fa1d3fda372105587593a43ed1bf0073bf9b9d8bd996f2a41fb6183954N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEE94.tmp

Filesize
1KB

MD5
6d031a1db5b744696d6b3264f62b2ca7

SHA1
ef641880a68df94266a71fe2ea2e0c48309dad10

SHA256
8967d9e7b3a375c2de4aeef2b6abacaa9b9f51ce4661671167782a741f5e8a9f

SHA512
61667bd326d561602fef493d4969932c3f9eea36ebb1a7753bbb29ccbc91483b750b012bb179fe2adaa1a192aee93552e062c1fd337e775393f4dcbed6baa515

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedvx-0e.0.vb

Filesize
14KB

MD5
9ab1a15a82cc7356d61c7aaa37892b71

SHA1
a9d70a5b744f9e09ba1840a61220e2c1fb2849b4

SHA256
2d9257d80cd748c9aaf81e7a74fffb4b0969251994041e0f551923d1d8349384

SHA512
12c700f15b6d92740ea8ff05b9359a244696d4ef7b782e79037e2ad111768cedeba2b763d6ee8118540fc004c8d25b034ce2ee0721971da1f0dd4710d2fc9cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bedvx-0e.cmdline

Filesize
266B

MD5
8e21ded11ffc8ba87a8902baa89e4699

SHA1
0ccbf1d682bd50172406c46cc678e859dd1ad8c0

SHA256
08509c01ecddf55b36b09ddb5b349dc80ff19d497e24084babeda9e4508527a1

SHA512
a6889f10d901e36210c6ec7875bc056d85e52d2e9b5f602b3f8d30cbfe8a1d8a00bda54eadce975bca286302731dc13fb23d42df135624e6c825efd9f2daf15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC81.tmp.exe

Filesize
78KB

MD5
689ae29ed0f3d4c8ddd2f0f2d65a02b9

SHA1
ad5f6760f8bfdafa329ddee7e120e5c15ec34cae

SHA256
68d175866cf2742eb6bdc9316528180db51bf9e47645349818e891c375d29fa6

SHA512
cac30ddf9fd1353fdff5115b6016eafa7b3e2163d7e16f07420402ac0e8f3718cb899eaf65c6feb36c5dc24c598b66998bcb395cabcfb0c277c43e6562a19019

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEE93.tmp

Filesize
660B

MD5
d0ce4e2852b887cd1f1ec7615c9c4e44

SHA1
a9a8fee41a448a7fa6079fd3b74ff1fca3c225cb

SHA256
9d4156534724526631dada48d0a4643ebd1eb50b4877e9c0642a2dbbd6638e24

SHA512
6b0143d0ad091bd6740faf0b986454f649910527e827041c6bbb4cba18e0115c36da4ea8625ad4ff4688fab9fb500d365539f830ebe4c405e87ae685af6c6f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2644-8-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-18-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-0-0x0000000074A21000-0x0000000074A22000-memory.dmp

Filesize
4KB

Download
memory/2808-1-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-2-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-24-0x0000000074A20000-0x0000000074FCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing