579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5

General

Target

579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Size

78KB
MD5

99617f3bbab569387123948643b7dd63
SHA1

70bed73665101de3b8f6d511e8caff2157b312e2
SHA256

579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5
SHA512

2126c520f4bc5ff3d3bb895329241feebcf35ae7a2b0caa2fe5292eb3d039184359a49354b334844e35d07023f4c647a6c3490b56a7aabed9330f0bf0c1bcb6c
SSDEEP

1536:Do4tHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtI9/51qT:k4tH/3ZAtWDDILJLovbicqOq3o+nI9/c

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2980	tmp85A.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmp85A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp85A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
Token: SeDebugPrivilege	2980	tmp85A.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2408	1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	30
PID 1504 wrote to memory of 2408	1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	30
PID 1504 wrote to memory of 2408	1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	30
PID 1504 wrote to memory of 2408	1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	30
PID 2408 wrote to memory of 2732	2408	vbc.exe	32
PID 2408 wrote to memory of 2732	2408	vbc.exe	32
PID 2408 wrote to memory of 2732	2408	vbc.exe	32
PID 2408 wrote to memory of 2732	2408	vbc.exe	32
PID 1504 wrote to memory of 2980	1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	33
PID 1504 wrote to memory of 2980	1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	33
PID 1504 wrote to memory of 2980	1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	33
PID 1504 wrote to memory of 2980	1504	579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe	33

C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
"C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\29kw28ek.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES926.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc925.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\tmp85A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp85A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\579332e260629dd32d6afd18c991ec480e4634963e90bb29dae2fd346fcf58f5.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29kw28ek.0.vb

Filesize
15KB

MD5
c0ba775516e2521d248b69c76983b7e9

SHA1
ea25288853e000d34a4a9b87b19fab234521e1d5

SHA256
68419f043f655f71499b699e9398fafb9ed60ce0271541459a4eabf67abb3a1f

SHA512
019dc1bbb6f48a525308445e56d7bedcef0b006b8a48f37124e3f7951bfc753711419a0f3f519166d824efbf9b6000e422246322bcead8ab4a54aed7aa107bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\29kw28ek.cmdline

Filesize
265B

MD5
9341141c58a7fe85a9874b19bd240f44

SHA1
f56744cff1ccb218b72d991b25a36a314791bfae

SHA256
654c764af9731a18aff26606229ac5723a47606a904accd9653d10469290d83a

SHA512
f42c7a0f5238d8abdb84b684eebf9150be4ad6874f65e463a2767d254a727f5d32c46461baa71b2feffcd663d5b9c9593a5dbff69361d8f4447ccecee1ea2daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES926.tmp

Filesize
1KB

MD5
27038e6a213d9af5006ecb6d66b8197e

SHA1
c946feafdcf5ebac6eb22b96d12cc380df78b79a

SHA256
378304c819feb9080ebad8c270f5be53970effbf124a99c864ce4dd29bcf03cc

SHA512
755fe0f61006a607e2da39ee57b36a7998c2bce974d5e15838f444495cb915fbb92d9f6953117dbca89556b3a9ba3dab001246aa2019bc0bd04328b9c925e9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85A.tmp.exe

Filesize
78KB

MD5
3aaa1a2b5ad00a431a87644ef7a8237c

SHA1
7fee6fdc2b7a2ddc4454cf5867ac8ebfeeff86f5

SHA256
2cf89e5300b5516437c7ce4140989bc56ac93ccfb4a12eeb0acf279ae3fe5cfa

SHA512
df515cd9fc8db011db2c686460657b6981df8f20b8241c696c80d7cc1f3c801e72adf4640d1295e926afe833fa374c74d56e24ad62b4f2c8e47aeb60eae08d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc925.tmp

Filesize
660B

MD5
e6f6eedfe077ac740edfd04fe55e62c5

SHA1
36906a79b77d564118293b81278ca6162168b1c3

SHA256
8b3895982808fafd6fbe3fb3a1fe4d23c4fb418a3f2f0795e00c264485a13ab2

SHA512
2298697d99820caea09a4aa8c5592e9e50c36b55cf1fa2e45218ad817992a38b0b863cc43123c7b23db00dd15b0de7c9d03eacef408ff8bb8973faac131d52e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1504-0-0x0000000074A81000-0x0000000074A82000-memory.dmp

Filesize
4KB

Download
memory/1504-1-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-2-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-24-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-8-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-18-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads