0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838

General

Target

0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
Size

78KB
MD5

8b1a90f924ea8843777efa6bb36d9a44
SHA1

b72b10564f5a9c7d6c5b26137746e641e8dadf8d
SHA256

0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838
SHA512

73c4f3c4cf864ba761acae2bfd7a75e054e629b4b575f4919b96ba73c95cb3cd6276bb7ba2d1830a39f859664948d6a6ad9ec365962b334f3f0782f3c4010dd6
SSDEEP

1536:V5jSAXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtN6V9/FE1dAU:V5jS4SyRxvhTzXPvCbW2U+9/JU

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe

Deletes itself 1 IoCs

pid	Process
2912	tmpDA72.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2912	tmpDA72.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpDA72.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDA72.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
Token: SeDebugPrivilege	2912	tmpDA72.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 3104	432	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	82
PID 432 wrote to memory of 3104	432	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	82
PID 432 wrote to memory of 3104	432	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	82
PID 3104 wrote to memory of 1512	3104	vbc.exe	84
PID 3104 wrote to memory of 1512	3104	vbc.exe	84
PID 3104 wrote to memory of 1512	3104	vbc.exe	84
PID 432 wrote to memory of 2912	432	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	85
PID 432 wrote to memory of 2912	432	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	85
PID 432 wrote to memory of 2912	432	0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe	85

C:\Users\Admin\AppData\Local\Temp\0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
"C:\Users\Admin\AppData\Local\Temp\0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cdcs-of1.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc84781BAA754A43FEB57BAEDD4F5BBD75.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1512
- C:\Users\Admin\AppData\Local\Temp\tmpDA72.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDA72.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0ca247bde07da3773d6ba4a62ba95dfc079923bf8079059fe64571ab25620838.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDBE9.tmp

Filesize
1KB

MD5
f73cd8054b7cf0343751abe530c2c74a

SHA1
ea0a6c0d71bcc9e594bd47ebaec0d2ad15afb1c8

SHA256
4c4ff50c834c92ea8430cbfc5deb85b2f29a032f06761ddb5e67fc014f7a5d01

SHA512
e1c243322adc4bb7a43437b266ad2687e0ef5d7620d70618c19bac2668aff2f3c59bc579f6c7d030f354d482456dbacc40fba883b761028ffc5c7f4bc410cbff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdcs-of1.0.vb

Filesize
14KB

MD5
9787ad800199a5f20259c8eccc33795d

SHA1
038677fe7db1c925d11dbc2d47ff657f922306a1

SHA256
edc8ba81467a5e5e5d6744bbec0eefe5d29ff2f84faf138278d303e30e66eb5d

SHA512
665d7ba02b26c8e8a34e7602d3e4737c33532605819041f0888c12dcb786432ffb5927f9c24710927891b8858422cfdc8989515e7480b68e5d16424b3570893e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdcs-of1.cmdline

Filesize
266B

MD5
949784c5236a2d707635579410439903

SHA1
b1d770c7bb5c0bfcdaac058eef0cea96d5b20884

SHA256
19b69f6bf2301646856f82e0052eecf1057340caf0f12fbf5308203c68030771

SHA512
2241f763c322ae974e9d3af0eb2f54fd6255e06d2d5cd3f283dbd3ca0d9e1a96a3b6294f7a9b450d409d6029ae90c3cdaf12886d01cf678f98fc30897630841f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA72.tmp.exe

Filesize
78KB

MD5
5108c9862d3ea232c20945f59994f69b

SHA1
224b8854d588fea79d3406d1ae05ec66aa89f738

SHA256
e17d54c9e6911fbe87d3c4b8350780d1126f42438da03b6642875a5d591fbccb

SHA512
a770f148d32e7d819d3a79386ea4393a8d9cf46f77ac90a4492af4275d01a30f01f8942c06b4c2527fe5eb7b9d87d2b481c834a9f33bbc11c635e9dcd0e340a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc84781BAA754A43FEB57BAEDD4F5BBD75.TMP

Filesize
660B

MD5
ed2a01e914b70e527c595f0d62f8efa2

SHA1
841eaa2f124b5bd49a25ea2c2771b5748900ad3a

SHA256
192e706bd3909175ac7fba1041740614555d4c992f08b15190445369af33ce0f

SHA512
6428ba06a68ca7aa3fa0615b867e75d5dea9c200edb47e8c2922bd8e66bfbad095c2377613b3861135c6a60adf564b58abf52be5ae457b9facb309cc5902edc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/432-0-0x0000000074E92000-0x0000000074E93000-memory.dmp

Filesize
4KB

Download
memory/432-22-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/432-2-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/432-1-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2912-23-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2912-24-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2912-26-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2912-27-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2912-28-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3104-9-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3104-18-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads