c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28

General

Target

c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
Size

78KB
MD5

fcfee62d15bc1020b62d0c2d96eefa68
SHA1

6e0716eb02b116df6775a11a44bb9d749b611c02
SHA256

c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28
SHA512

2dc97692ea3506dca80a0ae8d2b9a18e25532fbc517cf6f1d12d0fdec8e6451f860c8652650975ea61e76847c91b56a8f7fddf6b927e5e3901570a1ac6390c14
SSDEEP

1536:9PWV5jcXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96Z9/Bc16XP:9PWV5jESyRxvhTzXPvCbW2Ua9/BFP

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe

Executes dropped EXE 1 IoCs

pid	Process
4572	tmp7FBF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp7FBF.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7FBF.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
Token: SeDebugPrivilege	4572	tmp7FBF.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2416	4044	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	83
PID 4044 wrote to memory of 2416	4044	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	83
PID 4044 wrote to memory of 2416	4044	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	83
PID 2416 wrote to memory of 3020	2416	vbc.exe	85
PID 2416 wrote to memory of 3020	2416	vbc.exe	85
PID 2416 wrote to memory of 3020	2416	vbc.exe	85
PID 4044 wrote to memory of 4572	4044	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	86
PID 4044 wrote to memory of 4572	4044	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	86
PID 4044 wrote to memory of 4572	4044	c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe	86

C:\Users\Admin\AppData\Local\Temp\c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
"C:\Users\Admin\AppData\Local\Temp\c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bme9-ipe.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A17DFF349B04C4EA6AADCC342AD6DA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020
- C:\Users\Admin\AppData\Local\Temp\tmp7FBF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7FBF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c39a9070ea9643502d925d813e93d4f65b0055fdd8b610c2db07acd0bd741a28.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES81F1.tmp

Filesize
1KB

MD5
be356de8a3e5a94fa400c122acb50a8f

SHA1
5b2df3fe1bb6d8331e5d978c0b0a8ef603df9632

SHA256
fc59078b4a7afd44a8fbaa329780392f6bff5da74f8005da9fdf7cb320f958e0

SHA512
b0b119149d7b2542e3ce5f8bff64e17e76b332ea4aa540788555e2fa7b46320cfdde0050c75d15385ff71445ace2f67d46b9472c5604bd103c2a9ee8eaf79d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bme9-ipe.0.vb

Filesize
14KB

MD5
da8bda58a7f18d15110bd43e85afde74

SHA1
7a652d507478283ffb61e9bb6ecbd67353d2150d

SHA256
eea2728b5ccc939f436f2a78d840545477cb57d1f4a76232bc6942f88038a729

SHA512
5deeffa3a791151b77c6f1bf164793e3adf4f79ecedbf485193f9bfdc703f9c3540382cf9e94709a85961d4734e74b30fe726f607fa9d469320fee7cc6e274f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bme9-ipe.cmdline

Filesize
266B

MD5
c5f4b4d0551b9aad1e03745b89a061bd

SHA1
564658219f059a731d5fd95155992051f27a4a59

SHA256
e423c14924d7a9eb8d83d01a241c2176bf85bf4ab7d5d5a691aa4145127bd105

SHA512
da8c6c3e7172e771d208235ff8e89c1c6a7e404dbf72eb30acdb9730a1d7ff49b442f31722f30fe40e5468606445f9aa5ac7fee8a63aecea4886f13565d757c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7FBF.tmp.exe

Filesize
78KB

MD5
4500bdfcea12f4892493d2775b29cf32

SHA1
01dc3d95ddbe9ee1cc6d16b0cdeba227d9bb5f4b

SHA256
aafe411b9baa0b77756009f6ab7f742eb42fb6971eee2e1e64c5097c6517c609

SHA512
d1353b7ae171e0ad94f960295e7a394b11cf336311f02dbc91547ab87efe38619dcbae84267ad384aebf977ebacecf7d690180567457cf60967160d3471a6fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1A17DFF349B04C4EA6AADCC342AD6DA.TMP

Filesize
660B

MD5
4cdef1ae23beb1a4ee3f3225a4539fdb

SHA1
ade6d603aefb7c532e593995060529be639a016d

SHA256
fa159734af7279eac4d29bc1d5def6c0ae9a02e1bb6c993f3b3a22bf5dfcc64f

SHA512
25367f05236ebfed3be6daf76f3a0cc11573af1658c0ce9e76bbaaa9976a382be689a5603d9d66ccb5a7638e6f4f275a08dd2b362dd4c3b38b211f84783436ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2416-9-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2416-18-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4044-0-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/4044-2-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4044-1-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4044-22-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4572-23-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4572-24-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4572-25-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4572-27-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4572-28-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4572-29-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads