0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838

General

Target

0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
Size

78KB
MD5

8b1a90f924ea8843777efa6bb36d9a44
SHA1

b72b10564f5a9c7d6c5b26137746e641e8dadf8d
SHA256

0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838
SHA512

73c4f3c4cf864ba761acae2bfd7a75e054e629b4b575f4919b96ba73c95cb3cd6276bb7ba2d1830a39f859664948d6a6ad9ec365962b334f3f0782f3c4010dd6
SSDEEP

1536:V5jSAXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6V9/FE1dAU:V5jS4SyRxvhTzXPvCbW2U+9/JU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
568	tmpD4DC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
568	tmpD4DC.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpD4DC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpD4DC.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
Token: SeDebugPrivilege	568	tmpD4DC.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 744	2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	31
PID 2328 wrote to memory of 744	2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	31
PID 2328 wrote to memory of 744	2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	31
PID 2328 wrote to memory of 744	2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	31
PID 744 wrote to memory of 2504	744	vbc.exe	33
PID 744 wrote to memory of 2504	744	vbc.exe	33
PID 744 wrote to memory of 2504	744	vbc.exe	33
PID 744 wrote to memory of 2504	744	vbc.exe	33
PID 2328 wrote to memory of 568	2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	34
PID 2328 wrote to memory of 568	2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	34
PID 2328 wrote to memory of 568	2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	34
PID 2328 wrote to memory of 568	2328	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	34

C:\Users\Admin\AppData\Local\Temp\0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
"C:\Users\Admin\AppData\Local\Temp\0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-udvd6ah.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD5C6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2504
- C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-udvd6ah.0.vb

Filesize
14KB

MD5
4f99c5e23c9d151b41c99097e6095fb2

SHA1
d3f15284cf72e776617b1edb24962e00d4c3b382

SHA256
dfd0d5ccf82f71b35ea6358bdd9a262b33c150f74534e0fe8e0a752ed0cba2a7

SHA512
bef6bd207077a95ac475566ccf7b616862c6c27126f38db409749e8a74365781b0675eeed6f4be8e15ccd54ba189247a2c79441d690b2b41944df3e88d644999

Download Submit
C:\Users\Admin\AppData\Local\Temp\-udvd6ah.cmdline

Filesize
266B

MD5
a435510e05d4484222cb999d42bdd8a3

SHA1
b58c3c3873e41b5288abd424d261e309e8ed80bd

SHA256
d1630fe721110dceefef4be8c5a7860accc22e6128f6745089c2d2b53508f013

SHA512
da9faadd09e11831550cd2798dfce85a0e0ea91e6e571db1513738d4c828df271ea6c7872f6d1b08a274c133866389b0de67446067ec00229089957f81490f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD5C7.tmp

Filesize
1KB

MD5
7cb04c9e9adeaa8bf9db2f9e0a626800

SHA1
1068ceea05b8c26fd841a6aa40b9600e4c029c13

SHA256
0cd985c4d955e9e848b4e8998a85c5c50f09b0ab3ccdeb609e9cdc431d58e9b3

SHA512
ec6afd4701196321f83069ace01cca187643681ccc5e83ed80733fb5d2c3b0420dfd466948cf4a7250af7bc9d8aba6df87d2619962f0654988094a98798d1f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD4DC.tmp.exe

Filesize
78KB

MD5
1d45c371bc3244cc2da61c3ac22e5ded

SHA1
2e1ed98b321871b2dbff3b696cc6ca6168200992

SHA256
76da9cb81ceb998b1058a1dc8dae96c5b17e85d319f75607eed5a2af32c8c748

SHA512
973372f5e3fa7be52436602ebd84bcbdd05961fcc3a4ff869f06357986b7471273ca3537568818039a289619099805d248f268f4911e12b9a2aecfdc45c282a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD5C6.tmp

Filesize
660B

MD5
027037a54e3724526e94932b5eb7b75b

SHA1
1ea57ee91d540d505cd8266683d1c7f396baea53

SHA256
cfd4e1fb49f9d78143bbe04d469a023678ce7e23828e0d6476d807eea8138246

SHA512
c46e31b9e22a6fddc04f45739e62fed2d1ff12aa951d26208fb79c500376f47748ff11c86bfe8c322afae80bdb09a61eb3ecd5d1ffa01975bc7c1994fe78c1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/744-8-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/744-18-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-0-0x0000000074B01000-0x0000000074B02000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-2-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-24-0x0000000074B00000-0x00000000750AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads