88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201

General

Target

88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Size

78KB
MD5

54238da5a72ed01d7db296cf40b3340e
SHA1

fc6b5244a5d5dcdde315e875a85a905aacf07d32
SHA256

88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201
SHA512

243750bc65586b57dc0c5fba7111f407f0ecbad4192539f6b800e1f396f9eacde398a9c5c2aa73ba1291cfb604de74deb4e16405eeedacb88be613d490cb3dbd
SSDEEP

1536:aCHF3M7t/vZv0kH9gDDtWzYCnJPeoYrGQtG9/cc1o3x:aCHF8h/l0Y9MDYrm7G9/sx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2768	tmpFF65.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpFF65.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFF65.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
Token: SeDebugPrivilege	2768	tmpFF65.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2844	2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	29
PID 2604 wrote to memory of 2844	2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	29
PID 2604 wrote to memory of 2844	2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	29
PID 2604 wrote to memory of 2844	2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	29
PID 2844 wrote to memory of 2888	2844	vbc.exe	31
PID 2844 wrote to memory of 2888	2844	vbc.exe	31
PID 2844 wrote to memory of 2888	2844	vbc.exe	31
PID 2844 wrote to memory of 2888	2844	vbc.exe	31
PID 2604 wrote to memory of 2768	2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	32
PID 2604 wrote to memory of 2768	2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	32
PID 2604 wrote to memory of 2768	2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	32
PID 2604 wrote to memory of 2768	2604	88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe	32

C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
"C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\noxwdkep.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES291.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc280.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- C:\Users\Admin\AppData\Local\Temp\tmpFF65.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFF65.tmp.exe" C:\Users\Admin\AppData\Local\Temp\88ad6e20cc8c09eda6fb6507b4111e496460f0ea37189aee0e90e2894c80f201.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES291.tmp

Filesize
1KB

MD5
af6d3f040ba592807902ca2b3289aab7

SHA1
7ad9aea24194b8e37feabcf7cc05670a2cf1c58c

SHA256
3aff1d9b5181e9a80a419d2f6776a4ac975a8411e7f88c5f55cb6100384dae5e

SHA512
e95729d02fdcc7994746368ae64003769354822ae454481718f156e59e8d12faecfd7371aba7fbb31b4db553b9919c50a4f4e23a6205df838a46ae93ad0bf59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\noxwdkep.0.vb

Filesize
15KB

MD5
c3578ef0d35d1736f2a959581af131a4

SHA1
cff687edf2ee319d15bee8ffb6367d59050ff298

SHA256
3f479f9bd59e838aaf9755987e949132224ca1f94215ab39bf159bfc252bfa8f

SHA512
253a9e06660941c3a9598a967a89b282a94c909d087388b003a657e00021e6c15e0092653a44ab22215362e53cc1f8c6f0906ab9374276bd34b4c7391e5b9a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\noxwdkep.cmdline

Filesize
266B

MD5
2232d60668afe8ebfc0072e68f4dc82a

SHA1
c730422096095ed7b7827c55a2b5a554ad8cc84d

SHA256
4dc7560ef3bd645314a19836798e2d86eea97f878d9e950a381097258827390b

SHA512
b521329d900771e12860d0a192434b3034440f1dd3359f865ef3747dcd8378542e61eab8e11c1d66a5f3c9a25168a7c723dc0b6a48d3355325b14f3ce6be3c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF65.tmp.exe

Filesize
78KB

MD5
78af5e8b654b25140830379b20ecafb8

SHA1
606fd7a26e17cb4b49a3b17117b2c31cde51fe8a

SHA256
33ab894620ce3971a0525bf23660b1664cbac6e5e5ffb49cfe0cc939a64a35c0

SHA512
2bb24b44c657d410b3a65cba4f36d07d043b37b1128ca0944708a5f8b47514311a25244860da9d73891d6908896a047c63e32cccb165022d70aa63f10bf27418

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc280.tmp

Filesize
660B

MD5
99d1a5248cc5eae5d743929cd63b83b5

SHA1
fc0b5d1c86d488b7a3eb7ef9d52aca9d78bc623e

SHA256
674f0e43c52fd196b73ecd53b6c62b668a34dc6d29e192cadb627616b37dbac2

SHA512
49492c4f73a83ec33aa07dbd5e41fbc26f9debf2746ba9d4b96d1730998c1fcc1a4a17a249e654d9e56f9613a10517004c5e4a17a74aee4b98a95d73aea05ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2604-0-0x0000000074201000-0x0000000074202000-memory.dmp

Filesize
4KB

Download
memory/2604-1-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-7-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-24-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-8-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2844-18-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads