2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553

General

Target

2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
Size

78KB
MD5

6b709ad2185c3c7fc61787f7c57461b0
SHA1

4e61434781c9ed46da9ba52fd297c036cbe418a4
SHA256

2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553
SHA512

0170f9e1ecb27311e0955af2080fd5793f2656c1f72de7faaf71bc10abd08dd565c23e5a89e85c88fdfceba1405b7a3ceda697142b2bed75cda41c608fbfc116
SSDEEP

1536:PStHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQteC9/jX10l:PStHF83xSyRxvY3md+dWWZyeC9/O

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	tmp739A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp739A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp739A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
Token: SeDebugPrivilege	2644	tmp739A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2416	1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	30
PID 1800 wrote to memory of 2416	1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	30
PID 1800 wrote to memory of 2416	1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	30
PID 1800 wrote to memory of 2416	1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	30
PID 2416 wrote to memory of 2852	2416	vbc.exe	32
PID 2416 wrote to memory of 2852	2416	vbc.exe	32
PID 2416 wrote to memory of 2852	2416	vbc.exe	32
PID 2416 wrote to memory of 2852	2416	vbc.exe	32
PID 1800 wrote to memory of 2644	1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	33
PID 1800 wrote to memory of 2644	1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	33
PID 1800 wrote to memory of 2644	1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	33
PID 1800 wrote to memory of 2644	1800	2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe	33

C:\Users\Admin\AppData\Local\Temp\2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
"C:\Users\Admin\AppData\Local\Temp\2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\betyg1j-.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75AE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc75AD.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Users\Admin\AppData\Local\Temp\tmp739A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp739A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2a946bd4bc274b95d75bc57fbb23fa1296518022358dc7312fe95d30e81b9553N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES75AE.tmp

Filesize
1KB

MD5
5e1530183db88dc9053a2181fcf395cd

SHA1
3b7e2574ec5ef942a28d79314d7d49dc80d750fa

SHA256
9023983231484daa710aa3b6c3ada58d1e83d7e0eda6002dfbe6aa42892682f7

SHA512
897026d051affb96d268f3a3fa1e02070dfcbef996fad3085b20fc9aaff06490dba8d1c242d461a8ca7bb8b9938fc7a07efb47cebbb4980cb3e7b8313de14ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\betyg1j-.0.vb

Filesize
15KB

MD5
9962c7df6523373bcae3e922355d3434

SHA1
55f270f8f5c075839ba17e413aaca7f85de28502

SHA256
8c3f44f41a4b5c360ffe5b20c7fbac916ab72ef053617dc7917835dc09fe41df

SHA512
8d296dfe1afab2b5bca34b3377e5c0869f5386614d351cf5e7751ee8f63afbc6a0719279bfac37f2fe184791bab5b787177c6c0e78e654f377913fe35848a2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\betyg1j-.cmdline

Filesize
266B

MD5
e2e03a822c909f713ad170b770745a48

SHA1
b4a473ed014bf9698dfeae38aab69da41a554fc6

SHA256
41011ef5873208cb35a6f865847a9c3341f529772136b989db796b33d8d218bd

SHA512
98726ebbe3717257b5025c4536cbd4c904b25f6a68505a445b7bce45080dbfd240762238a1c7003c9eeb3b7bef05cd5e71d3ef52eb8624e1b74b59313b7ce779

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp739A.tmp.exe

Filesize
78KB

MD5
8b29401284e52eefbf415dc643b5501b

SHA1
2dbfca844a03a2b5975a09bdc02b36a9de5af68c

SHA256
de5a9b74f45d725a588177b70ee872b45f38b596a80bb5f23abf44dd5992be22

SHA512
fe1c3ed99a35de7c23094754c9d83942ccf97c28ac5047713da44a2c185108ab1bdead0e532c83c81dba187deea2d8118ddad1f6e36be4f41322f2c15399feb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc75AD.tmp

Filesize
660B

MD5
e8faf6c931a2164b3c4707eeed8c6e1d

SHA1
a49dbeffc02e75b1a95b66aa2cfb13a73390467c

SHA256
0bde799e163bace434c3eb064962efe1422a5983988bcea3a9c16702efa2609c

SHA512
08e055219c42362aeb1081aec1fee9420394bb012c197dfa1f0b07d9cbe65d8f81938760f0fcfed04a960246883ca5894fa797c79f4b6301291a9c84896ccce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1800-0-0x0000000074D91000-0x0000000074D92000-memory.dmp

Filesize
4KB

Download
memory/1800-1-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-3-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-24-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-8-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-18-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads