8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d

General

Target

8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
Size

78KB
MD5

f13f1d01a28fbee71a5c6a16f4122970
SHA1

606f92dfd349b012ec54f9912192ee6d4942c857
SHA256

8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d
SHA512

1fc59f8232612d5d3810aab9f0f259ac4de5ee0e72ce1e8b8a27f8ab4da9dae98e69d7fce3baf13a6dee65f3513a20ebcb1882581fab96224d10f5b72fed00e9
SSDEEP

1536:l+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti67Y9/PC1aw8:I5jS7JywQjDgTLopLwdCFJzDY9/E8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2248	tmpE7A1.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE7A1.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1560	2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	31
PID 2328 wrote to memory of 1560	2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	31
PID 2328 wrote to memory of 1560	2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	31
PID 2328 wrote to memory of 1560	2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	31
PID 1560 wrote to memory of 1300	1560	vbc.exe	33
PID 1560 wrote to memory of 1300	1560	vbc.exe	33
PID 1560 wrote to memory of 1300	1560	vbc.exe	33
PID 1560 wrote to memory of 1300	1560	vbc.exe	33
PID 2328 wrote to memory of 2248	2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	34
PID 2328 wrote to memory of 2248	2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	34
PID 2328 wrote to memory of 2248	2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	34
PID 2328 wrote to memory of 2248	2328	8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe	34

C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
"C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7vjppm-2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8BA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1300
- C:\Users\Admin\AppData\Local\Temp\tmpE7A1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE7A1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7vjppm-2.0.vb

Filesize
14KB

MD5
e79990143311f7fa84bbd69e0f909572

SHA1
fc38a8d16e3d620b544b6b49a8801ea6ee46dfe2

SHA256
a1eb253261a2bc01d5b1e541f8f5ec765a424ae8851c5917c5d6ed1aa9c3b010

SHA512
adb6bf828700f4090e3a751668aad45a5a1cc8496a87b71926d289d502a2b4023c083c1f4a88c2f4bb0ec89ddf49151a86ed349df30ded4f8ac10c2694a1b68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7vjppm-2.cmdline

Filesize
266B

MD5
95c88200e49870e1968ceac42fc000f1

SHA1
def3bb70839f0074167ea0501eb5d491bc2304ff

SHA256
90b324f2a50d4b176771a7bdebe4eac460dc2d90f74b1308b6fca86224238802

SHA512
68b60be95dd9362d7a9186da2b904d572f56d8c98632e9856bb06930dfd789f9b44648e26fdddb5507e9336d39e9ed29feddc134bbd961634407a354e946b7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE8BB.tmp

Filesize
1KB

MD5
1039cc1ed278c66371aae44940335242

SHA1
aadb1dac83cc449883e1ebe50f8273f1ffc66fed

SHA256
99aa20ab5765713dde289d06a4a92c7874a3942d3bfc44cc9b19707e096d6430

SHA512
e01ec5ed1f87fbb21b24d06d9f30e26ac78b60b0d9257245a152179c5c6eb94164be908a62474222122b0a29ea1d1c442fd46d8e287518cf8ed9c6f66ccfd551

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7A1.tmp.exe

Filesize
78KB

MD5
3956d636a457ebeeea107ddb7be4d894

SHA1
0932d6ef06c0f21d8e9dcedc19fef8313533a97a

SHA256
ccc34ef73922ad9949b3f46793f5ac9a85c4651c1219521e59d8cac3d37edb8e

SHA512
56ef249f717352e5e861d418010b459b878b0b7f3a269cbb5e6c0e049f02e1404a3fafe49ce76370af79b184ae01c00f38cbad4bb10cae8b828c1cd977f74f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE8BA.tmp

Filesize
660B

MD5
2244345c3830043585d6032c785de911

SHA1
f0d99a983a4f719b60fb4ed8d0134e0762e734bd

SHA256
c45b0e372cd93692bf76acbe4533d986a1381d78b37767f057420427626ae5a8

SHA512
c42a37d8f82680f9a5c2bfe78a3c00154d507c38a6ddca95441cb5a73db2521962c0053055a3c84fa03d289a5546a93c9baf4c5c8cfdabd815d466c47f87fe1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1560-8-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1560-18-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-0-0x0000000074381000-0x0000000074382000-memory.dmp

Filesize
4KB

Download
memory/2328-1-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-2-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-24-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing