1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17

General

Target

1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
Size

78KB
MD5

ae002c0f52fbeac0cb03c901b537c38b
SHA1

d2f3f8527b33e67a8079b2fdce154eff5e883ba7
SHA256

1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17
SHA512

e0cc49dcd2e9870b9caaa638809f1e42fc0a04cd24e4e150f04daf396f92a9a375dda758e009c8991f9d8e30d27e43f5c1a5cd7fd85d51faddb2980c65b7782e
SSDEEP

1536:zCHY6JIfpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtS9/A1dJ:zCHYOIhJywQj2TLo4UJuXHhS9/+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	tmp85F2.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp85F2.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2780	2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	30
PID 2168 wrote to memory of 2780	2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	30
PID 2168 wrote to memory of 2780	2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	30
PID 2168 wrote to memory of 2780	2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	30
PID 2780 wrote to memory of 2820	2780	vbc.exe	32
PID 2780 wrote to memory of 2820	2780	vbc.exe	32
PID 2780 wrote to memory of 2820	2780	vbc.exe	32
PID 2780 wrote to memory of 2820	2780	vbc.exe	32
PID 2168 wrote to memory of 2860	2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	33
PID 2168 wrote to memory of 2860	2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	33
PID 2168 wrote to memory of 2860	2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	33
PID 2168 wrote to memory of 2860	2168	1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe	33

C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
"C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-nlywent.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8769.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8768.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\Users\Admin\AppData\Local\Temp\tmp85F2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp85F2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1a9172bdc22386b93dbf244876ca31bc64b1675de3b3d4770c78f15a99d6ca17.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-nlywent.0.vb

Filesize
15KB

MD5
9d2d676a92d84d70444533df66a253e8

SHA1
fc89b961c1749c330e55dd6039cdc13406e94412

SHA256
453c0ecd01f34a444544627d1d407159aec63f5e7ed45b65e5aa40465703e1a0

SHA512
1b7664a2605ebe6e565149f03c29c4724f1222dfef39c386ae1a41cfeca7f2e2e1556d9cf0beb5b9db1cacadda47fb55beea170be28d11efa755c641956d3123

Download Submit
C:\Users\Admin\AppData\Local\Temp\-nlywent.cmdline

Filesize
266B

MD5
66484073668a391563f826cd4c03d1c1

SHA1
5b2f5b35ae9b65a6ed34310d92b6ce87eb72f8e5

SHA256
ad893db7918b8e414eaa328e4989497b969b4f551f7608775dc07578db996363

SHA512
4e03f87b497d5e0c8c46dd2b04e32b11d321a49baafb4f89e3e395bb9e0fe45a9ed60c644f56b814bf28777bba19e8f99dd0dfca8ffd0a1e8fe667c35f3416b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8769.tmp

Filesize
1KB

MD5
ff332518f21795b7ad0290cfe70d36d3

SHA1
6fcdf0705109f4147bf164b4ae4b83164f430ac5

SHA256
c561519b17e6122ede30399654224b929e85fde43c54293f02e0eaa4952e9aa5

SHA512
65645de923536583f05e157e1ce9f3dbba8a8a0c7e0ca4d862b9fb2acfb6405315d1630daa647ec3ed39e2a30e7173a09d760057349656a67a55279d030237fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85F2.tmp.exe

Filesize
78KB

MD5
9f71f71d8fa1f4d4c392a63b15198dcc

SHA1
e4151cd54ee7b794b95a4f0b2c14efc6e3ab7d50

SHA256
b8bd696a2f2d652c20151502bc05cd99d2d1330aa95eb63b6a8f9eeba382a371

SHA512
cfc69d8cdad7c0e326d7de992c671e3ee50b300839412380bb6924f1c3cd631b13cb030bfdd83d847d9afee3779b18b3aea2542b6787d109c3d9523b591efd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8768.tmp

Filesize
660B

MD5
034efaf12edbf662760f184d572e8980

SHA1
b58249112b1ad90985c063c9529cdf015f01a833

SHA256
99cfc15d031bfdbfd9b3fdee7485664bb8088416061f35c6106b0ab73298e5fd

SHA512
28a3941fa73db06b5e045469b2de897318cf119534d24529767296c4a6d943d6a23c43b5eb0dc8f46feabbdc4ea9fd2790f978fc9c1d5a9a8c378e76ebed13a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/2168-0-0x0000000074051000-0x0000000074052000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-2-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2168-24-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-8-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download
memory/2780-18-0x0000000074050000-0x00000000745FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing