fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba

General

Target

fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
Size

78KB
MD5

6e65dad7ec0f24894c45295ca9d84639
SHA1

e0212066ee7ab4c70ccdf6e3e7fe147d1727f6d3
SHA256

fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba
SHA512

e876f82c11b2183bf1ee71b77e1450a1e69ec6989e2fc926e9d0c3526fa7a37c6036389a27fb68424e17751f555542fff4236492bec6e26dae526b94c2b10501
SSDEEP

1536:VHF3M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtz9/l1QXFl:VHF8hASyRxvhTzXPvCbW2Uz9/4Vl

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2636	tmp3F.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp3F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp3F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
Token: SeDebugPrivilege	2636	tmp3F.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2548	1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	29
PID 1780 wrote to memory of 2548	1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	29
PID 1780 wrote to memory of 2548	1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	29
PID 1780 wrote to memory of 2548	1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	29
PID 2548 wrote to memory of 2544	2548	vbc.exe	31
PID 2548 wrote to memory of 2544	2548	vbc.exe	31
PID 2548 wrote to memory of 2544	2548	vbc.exe	31
PID 2548 wrote to memory of 2544	2548	vbc.exe	31
PID 1780 wrote to memory of 2636	1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	32
PID 1780 wrote to memory of 2636	1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	32
PID 1780 wrote to memory of 2636	1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	32
PID 1780 wrote to memory of 2636	1780	fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe	32

C:\Users\Admin\AppData\Local\Temp\fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
"C:\Users\Admin\AppData\Local\Temp\fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vnyherkz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES272.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc271.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\tmp3F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fc476cb3675fd20ad30db92c1e9401c0a64ada552270e806f9df85069876faba.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES272.tmp

Filesize
1KB

MD5
2ba930fd9253deeb20176920791b9014

SHA1
eead0f8153910305441086631ff4b9e70ddb6b28

SHA256
1c513c97323b8132358f79747e9ace5d1dbc877e75d2fb168821eba6048b725c

SHA512
f4ea7b29f0680dd947d12ea963c9caa853e49e63af98aee8f40081365b2fb1988294301cf139692beb77de1240b61533c7d4acb57b595152621ceb4a439e0362

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F.tmp.exe

Filesize
78KB

MD5
d106da039226bbb399a8f90e5f59365d

SHA1
e494fb176fa5248cb2658e92bca09bf35336859b

SHA256
8fbe3b0499f2baa843a19efef9d0a6e3a23e4748ab2badae6c6925e44af9bea4

SHA512
34b17dd0d88cc8997cb746acfae9ee37e815ec9edafcc796ae43929a39611c5e2ffe3e86042b3412edef143b84e1757791acfd0aa7a8229da7c1e6d341e37df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc271.tmp

Filesize
652B

MD5
953f99486b366a941063fdaaeb2a08c7

SHA1
63d98ba7918f462dda538b5ed22d1bc1a0047208

SHA256
2f0abf056d485b156ca4142d68b07fb22a4725c1013f9cfc32bf6c036720e396

SHA512
4f2525549c98634676d00abc80828f8beb615dea77fbba077f75d3855d8276e9dc75d2729bcf82056ccb8f548eef98fdbdb762849ce30a9e0b80a2f34c409930

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnyherkz.0.vb

Filesize
15KB

MD5
492ed7ed6cf555d8176a99e8d4fb670d

SHA1
7d8b418d89b3d2ea34441e115b18079296cdbd3d

SHA256
36c925b63ea69d61a8f22dd76c95f2882977fb5e8787ef23b4ed92245172e33b

SHA512
3c9ba788c3405c3ebd143cf8ab1b3ae38a1060024505357ce3874cb0ead4aec221d5a08f5d4f30025b57ae0319aa7e40aa876ecff79119d3f1aa1e6c58977555

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnyherkz.cmdline

Filesize
264B

MD5
afbd492fdb2c32263b576b66142dc8cd

SHA1
091b153dccaaf9422cd901208ed023c3b35f8d5d

SHA256
f3224761846e52f4a120ed5b0dca24c74ccff755302557fa524ba798fd5ed0ad

SHA512
f1d230a31db75e5a2c703af68b6692fce102ae6bfa5451120ed05225798379a81a7f1745fc1feb88dc5766b58c508aa4138552f665518da85559fa872b709c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1780-0-0x0000000074571000-0x0000000074572000-memory.dmp

Filesize
4KB

Download
memory/1780-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-6-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/1780-24-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-8-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2548-18-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads