62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e

General

Target

62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
Size

78KB
MD5

0c1c80a18b85a2d6f381559023794c7a
SHA1

0d537b5d08445d14aa82bfa1e398bcdae4da0468
SHA256

62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e
SHA512

8429c8878358fe650a8dffeceabda19b0fcba99e60686bd086f3096e8634fee1de507c176c1159aca05dfc66b7026160ed468fdd408aa3e29f418b057ab6ee46
SSDEEP

1536:4ACHF3uaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qt89/V1sr:rCHFP3ZAtWDDILJLovbicqOq3o+n89/6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2012	tmp10F2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp10F2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp10F2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
Token: SeDebugPrivilege	2012	tmp10F2.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2748	2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	30
PID 2648 wrote to memory of 2748	2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	30
PID 2648 wrote to memory of 2748	2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	30
PID 2648 wrote to memory of 2748	2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	30
PID 2748 wrote to memory of 2680	2748	vbc.exe	32
PID 2748 wrote to memory of 2680	2748	vbc.exe	32
PID 2748 wrote to memory of 2680	2748	vbc.exe	32
PID 2748 wrote to memory of 2680	2748	vbc.exe	32
PID 2648 wrote to memory of 2012	2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	33
PID 2648 wrote to memory of 2012	2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	33
PID 2648 wrote to memory of 2012	2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	33
PID 2648 wrote to memory of 2012	2648	62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe	33

C:\Users\Admin\AppData\Local\Temp\62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
"C:\Users\Admin\AppData\Local\Temp\62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n5utq-4p.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES120B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc120A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- C:\Users\Admin\AppData\Local\Temp\tmp10F2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp10F2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\62ecd5b821cee8a83b99d332c7e72dc679dad8ba4991fd923d61699eebff699e.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES120B.tmp

Filesize
1KB

MD5
a5533a0fdf50cd25950739fa88f20288

SHA1
ff7095367ec69758599f7dc52d5f65995713d9d6

SHA256
bc0938e5e62656b92068b57ef34fff2b9ffc97cfc814469969a318b56a0d0ad0

SHA512
cd492c2818f4edbe410ecc5654f544dd958a72b28768d2ce96c56463dc84f005d791e4a382de5d24f31910009fad1827a6c2ec4fbf657cc84167180ff0caeb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5utq-4p.0.vb

Filesize
15KB

MD5
08fc0bc5a58e1fccb96db01ab431ffd8

SHA1
8df3b80ec27076f5347ffcfee5725f11395239cb

SHA256
71ebc27e65c4f87ba9026399f6b5295831e511129f60976244f4903713674052

SHA512
1b3c3eee36cf02842e181cc7e5615cdd27e659e69c009a39c45aaede3964b8b8c6ea320eb80c3e79da30d8be337ad606279788b32de503fbd0b8c34373926428

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5utq-4p.cmdline

Filesize
266B

MD5
6f880c12b04129bd58fd855b23e015f5

SHA1
9a869c0c32076f53e01b81126b2f0ed3260f6301

SHA256
bcaf06f2129b5fde87e0a49cb29fe119a5e2bd6494953b3be3cbddffd187faca

SHA512
22abc83a228dd77cde4bd33b6a24a59b597203b8b1a75958e9c2202124599339fb9a086a17a1a82b87285666ac1a80d74732cacbedc88420905e78a96f482afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp10F2.tmp.exe

Filesize
78KB

MD5
75c15f5e5d3631006d1427b23d36dc84

SHA1
a28f8ca6f0270ecc3d10a72b835add6699eb609b

SHA256
331a00d70afabf1acf8af1fafda578a5a9aeee10aaa736dc3e0228be84dd1565

SHA512
7c907081c56061d7f6e4bffbb22f68aa843b1def68153f481672c588cc63f96f142cc25ec01c76f74c042368b07fa76348b9424ae205af22c0c0022f07a7a5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc120A.tmp

Filesize
660B

MD5
459a8be9efb887b10f9421fb871ed3a3

SHA1
360c5319652cda1688181a3e6ca71e6e84c493aa

SHA256
4479035742e554b695705eb80980cdfc6d49a83c8f293d3e09be57c3058f678f

SHA512
92e764568bd33ad81b3fd4633e0f050cd12db0a9092588d1a2fcd1e4f85a84e580fdcd0f97dd450e0f8383d34cf517d37a5ecfa45a8e0ecf33c6711997b1f77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/2648-0-0x0000000074551000-0x0000000074552000-memory.dmp

Filesize
4KB

Download
memory/2648-1-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-2-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/2648-24-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-8-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-18-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads