3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365

General

Target

3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
Size

78KB
MD5

7e46f3619f9f0bc6fe88549ff3f14860
SHA1

a66becb2b0984bf66091d26a7f6b7e9548d57ca0
SHA256

3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365
SHA512

cbbbb625fbcf7eb141f394f0b84ad37a6145d3c332dbc9c96bb7ee83aaabb7c35394334e0f97a87b74beb394439fe0f7c4644647c41dfeb6503288b3435afa2a
SSDEEP

1536:5mCHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtL89/n16M:UCH/3ZAtWDDILJLovbicqOq3o+nL89/V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	tmpE87B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpE87B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE87B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
Token: SeDebugPrivilege	2704	tmpE87B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2968	2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	31
PID 2636 wrote to memory of 2968	2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	31
PID 2636 wrote to memory of 2968	2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	31
PID 2636 wrote to memory of 2968	2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	31
PID 2968 wrote to memory of 2960	2968	vbc.exe	33
PID 2968 wrote to memory of 2960	2968	vbc.exe	33
PID 2968 wrote to memory of 2960	2968	vbc.exe	33
PID 2968 wrote to memory of 2960	2968	vbc.exe	33
PID 2636 wrote to memory of 2704	2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	34
PID 2636 wrote to memory of 2704	2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	34
PID 2636 wrote to memory of 2704	2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	34
PID 2636 wrote to memory of 2704	2636	3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe	34

C:\Users\Admin\AppData\Local\Temp\3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
"C:\Users\Admin\AppData\Local\Temp\3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r-ctdb1n.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9C4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE9C3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
- C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3964f1a5584de1ede6714423af1d8da89787c6e46a79a4d7fc1682aba2832365N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE9C4.tmp

Filesize
1KB

MD5
b9b4666c2335e539d9ee0a0dfc336172

SHA1
78db814f055823e128f50188551a389020980b1e

SHA256
ddd70c4f9946d3151c0fab6377869341a9bfab9cfffbc1c528d6865e2c6d576a

SHA512
fd281a632cb347b5a134ac706a2326524c1f9f5609158a1edd81d4f9804714d30f3ee139e48777b371abdf074128965e0a5d278b1e72f23e942671ccac854d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\r-ctdb1n.0.vb

Filesize
15KB

MD5
941c085630e1d2d5e3f69c09c5c84e89

SHA1
19908fc068eb6ca6eea5fa0e15c1b1e05f54e880

SHA256
e7e1df08d86e790ac498572cd28eff740c2bb67629ab8486ec6218deeb0f4054

SHA512
4000d27b0c2426e7154a484a8c7aa2914c169b0dcf2afc01461c724acd5098680f7acd18ac45e820fffe242d6936db05cb87dfc73b54dd08c7091191c36ad869

Download Submit
C:\Users\Admin\AppData\Local\Temp\r-ctdb1n.cmdline

Filesize
266B

MD5
1904c8c1601b8d6ad631c1888f455e09

SHA1
4ecfafe11b143d157a26f3288f0c6992a91cf3f9

SHA256
2991d327407a523cbc974814b569410734218f6fd1c08fd372219a9a51e6974b

SHA512
fdafe7709402e18bbc9f0185eaa2ffb7ae502320a885db57f9a5a5e7d8dc5b553dd9d13e3dfa65c0ff44d7e18e56427f7d1a5c8de2337d541dbf96285fe37e01

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE87B.tmp.exe

Filesize
78KB

MD5
20d63baddee05bb9e6e37367e2ee1b84

SHA1
9b875aff1556075e721ad6fbad97ce5cf71d6256

SHA256
016a01be0e6783fb7dde9857e96fa1e70e5aa0f6cbd6887a8a56769065ad685b

SHA512
34fc9b8fc7de03fd51b0244deee575115fda6895a8a33d0103960076cb7c7926ec41233aefa0d185021d0161b89da5a046e2adb505198d57f5af474186a07186

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE9C3.tmp

Filesize
660B

MD5
7c6bb724802574f85253ae6353ee2b0e

SHA1
c99300557ebe1d34e77a03ac6bce29537fe3c320

SHA256
25eb343d34585794aa3152c9ba7d0d1d3e0ba00d557634f647844c25e52dbff6

SHA512
4b16d10dbfab0bafa0317862727847c4871d00b288491b9b5aab368b9552371b67fc31f03809d9343a31d1b674f63893e77421bd3e29166d2504ac035a82913e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2636-0-0x0000000074981000-0x0000000074982000-memory.dmp

Filesize
4KB

Download
memory/2636-1-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-2-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-24-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-8-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-18-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads