1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0

General

Target

1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe
Size

78KB
MD5

7b4b36ee8b8dc68f31653e1b914cd9c0
SHA1

2b20f69b37060b272e4374661deeba18b17bd7b0
SHA256

1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0
SHA512

31eb2bbcef6f4dc8e128ad4c57fd9f809b727c50bda05e9d8d010ce98a425e4e45327648a2b3681c695f4827b9dcaf7ede5a356dcd86cdbf0dc076e7c9fea299
SSDEEP

1536:/y5jIXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtC6m9/q1tV:/y5jQSyRxvhTzXPvCbW2UO9/0

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	tmpC2F2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpC2F2.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC2F2.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe
Token: SeDebugPrivilege	2700	tmpC2F2.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2464	1460	1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe	83
PID 1460 wrote to memory of 2464	1460	1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe	83
PID 1460 wrote to memory of 2464	1460	1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe	83
PID 2464 wrote to memory of 4552	2464	vbc.exe	85
PID 2464 wrote to memory of 4552	2464	vbc.exe	85
PID 2464 wrote to memory of 4552	2464	vbc.exe	85
PID 1460 wrote to memory of 2700	1460	1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe	86
PID 1460 wrote to memory of 2700	1460	1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe	86
PID 1460 wrote to memory of 2700	1460	1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe	86

C:\Users\Admin\AppData\Local\Temp\1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe
"C:\Users\Admin\AppData\Local\Temp\1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-iro0azh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3D8AFA1AF8CE47EA8C43E98F5C4985C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4552
- C:\Users\Admin\AppData\Local\Temp\tmpC2F2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC2F2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1275704c6fcb4f3c5a7debd7059fb0744b9ab5d95f0a408e7f47b844e3cdb5f0N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-iro0azh.0.vb

Filesize
14KB

MD5
378084de8ab5eda8cb360e280fd88ea0

SHA1
2321034c2aba8cd280bb0a204038551d5f008369

SHA256
ca4d0e3af159264bd0f805bf68b731d8de3a20d93fc1db88f2e7caa22696607e

SHA512
1c06c0ed9c0a4093f20514cd4fc2c364344eec0ebb24319c699277430470c5e62ccb6833e583d219091e82b8cf5c533d4ff9032ab1ced6604adfbda49d51ec8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\-iro0azh.cmdline

Filesize
266B

MD5
700d89ddae9756b512092a8514aa36c7

SHA1
de0245204ebe7928d0b5f24c107cccf30f857306

SHA256
cd3ca2d445552c12e25c7a9de177f3e035def853c99027d34e6d2f29fef03ce5

SHA512
3f81aefe896f33bff066639dca74f5137a9ee4a8ce08ae5e8626d043e80f954303c050f2d95160f2fbfca9b3122142fac39b1beda7eaff644f61f05665e58080

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC4D6.tmp

Filesize
1KB

MD5
54da3e72dfd147bcf3c9fa0adf5c8c27

SHA1
157cba4f42948ca23868c1dcb2a9aa019b74be29

SHA256
2772999398e1d5b5326a2c6a8c977cd6faaa4de1b13f7c595b34952152366ab1

SHA512
9de3ae420cb7ade1a9838e59ddae72f6dc24e8a5deaa2e434832cfff5b0232f347e306e4ee21a93313cbf08dfac26c4007bfb33380daf56d332691a4a90c0380

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC2F2.tmp.exe

Filesize
78KB

MD5
6f513ef8a3d36f0af90a494c5a87c25e

SHA1
bb133281e8b31e85b073dc7a8cec706c819bc4d1

SHA256
92f816fe5ae5404bab450c29541336a5ff874859d8b7eed293f5762de67b2f4e

SHA512
85b5a2737508b306c721a991e93f604021ba73114a89d5c568af93cfdacfab28c9e4be66d223fa73da267604457a795192d4397e7e9873241726a223ce50764c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3D8AFA1AF8CE47EA8C43E98F5C4985C.TMP

Filesize
660B

MD5
62350a2d5c04b866e7b3f5d6bd7bd92b

SHA1
87e3ac5f586593a3ccbe4ecd4b8de544b4ff3ced

SHA256
b300e2101ad56fc138f535bf254b689cebdbc27141b1cce069045d2c13ee62ec

SHA512
d4a0a56d7c3c1fd321e0fb888efee6da9a92672dde9c1a81e04eb36028eb2e3880c60e72e0d225fcffe04c023c3f3476fb3009fd3019261d57fda35ab9b8ac31

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1460-1-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1460-23-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/1460-0-0x00000000750B2000-0x00000000750B3000-memory.dmp

Filesize
4KB

Download
memory/1460-2-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2464-18-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2464-9-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2700-22-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2700-24-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2700-25-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2700-27-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2700-28-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/2700-29-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads