3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4

General

Target

3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
Size

78KB
MD5

6374b401c0df839391cf21aa30f7a247
SHA1

9eeeaf015204caafca8273b09fadb663553b7fe7
SHA256

3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4
SHA512

5bc6b7bcb28ec9809a6a113ce0f11fd2967ffbcfb819296b068d428d954cc6f6daba853142d3dbcbef13a76d5d3da519695514bbaff69e593a160bdc10a96785
SSDEEP

1536:0WtHFo6rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtLc9/w18:0WtHFo8dSE2EwR4uY41HyvYLc9/xH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2640	tmp6EE9.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp6EE9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6EE9.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
Token: SeDebugPrivilege	2640	tmp6EE9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2540	2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	29
PID 2268 wrote to memory of 2540	2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	29
PID 2268 wrote to memory of 2540	2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	29
PID 2268 wrote to memory of 2540	2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	29
PID 2540 wrote to memory of 2656	2540	vbc.exe	31
PID 2540 wrote to memory of 2656	2540	vbc.exe	31
PID 2540 wrote to memory of 2656	2540	vbc.exe	31
PID 2540 wrote to memory of 2656	2540	vbc.exe	31
PID 2268 wrote to memory of 2640	2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	32
PID 2268 wrote to memory of 2640	2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	32
PID 2268 wrote to memory of 2640	2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	32
PID 2268 wrote to memory of 2640	2268	3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe	32

C:\Users\Admin\AppData\Local\Temp\3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
"C:\Users\Admin\AppData\Local\Temp\3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nn3m-mou.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc70EC.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- C:\Users\Admin\AppData\Local\Temp\tmp6EE9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6EE9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3c5c99d576292d002e5dfdb683c285780c8dd6b6474e0f405b799f6d617962f4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES70ED.tmp

Filesize
1KB

MD5
b41a40cf14413414c4e5bbca741497f8

SHA1
bda3c077f5e314ac5761a034aae8351ed651ec5c

SHA256
4aaf83aa07a1338282454fb9bfa63b778c7c5897fda81728c417c33948bcccec

SHA512
a37f5b7aa382ba8b0156cc40a718c208d626f089158c06e118d33b76f08cf56984c8d5774d1aedd84af2e53badd2b5f380491532ccdb29e04443b4a177867fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nn3m-mou.0.vb

Filesize
15KB

MD5
a6808557f0fee1607a979b2147acfcdf

SHA1
eb0a7d7c5b691ced6c97940dae9248a8e4496410

SHA256
84c10d7540c23bbc5642dd68be40eb3d7658d91994cbf6efcafe3b67e0f39670

SHA512
7e3c6788f0c030e67927d69bb40a423a72f5c67850711985563955d9065e35142943c6d165148d2839d524c4cb93e1a3fc1fd95a6c9c4be80a35dd51182f9c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nn3m-mou.cmdline

Filesize
266B

MD5
79a3f0a1a612dea97dee1c5ff3515d08

SHA1
3772bc5f218a7e690bcef7d887f0870db449db2b

SHA256
c02287bf06100db6290a552eb5557bcdba3bf51021736d804ab3043a3df89fed

SHA512
1756a3f8e77ff0d689ab3a5363e857306ecf448549bfb752677a225ae880924e4d5a7149a710a3962c140882645a65635bca459ace3f464ad3e42d74105fc1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EE9.tmp.exe

Filesize
78KB

MD5
5a8545185b05d4016c91b853ef5021ad

SHA1
d294c251869bfe889920c23db7fc4bfcd08a71f7

SHA256
867c8369b9de508b16ecb147c0b649ae6967c0ea1d88ad5819925e384f798886

SHA512
cd402ee2adc5a1ef523bea7d2482126e721e5fd8d904734ad08c341148e6f65595a1a196a46b787af0d4b7ba7f613b04cfa3da6b9d64cc73c549ec8588d3e818

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc70EC.tmp

Filesize
660B

MD5
2b832845c9293ed2a66c93727e5405f6

SHA1
575e19685178e881cb4a4937f17dd6cd1857b5e0

SHA256
5f56a373482ec529d38ff79d177d5ac29b1107d227e7e12117cf595867ae4361

SHA512
ef9486a51497ba55afc847934e7cd2fad56790d2b307ee21ee5d542b06f37e8eb09254dd57d3516142bfa9b578384c6a96ab93679d32f89f2eea0e557f07359a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2268-0-0x0000000074D11000-0x0000000074D12000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2268-2-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2268-24-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2540-8-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download
memory/2540-18-0x0000000074D10000-0x00000000752BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads