1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b

General

Target

1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe
Size

78KB
MD5

0af4f6be4d22097e9ccdd9817b460c13
SHA1

e552637da7de7854707f69e08563e0c2f4173150
SHA256

1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b
SHA512

4844f54f73b1c4fd60649dc4d9aa1cad9862504887e0ca119db976f67b6445c1f5a4d6e693d2030e6d819892f22bc75a9f44979794832974e4602244df32a1c9
SSDEEP

1536:OhPWV5jLXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQt961C9/yR1D1x:qPWV5jLSyRxvY3md+dWWZyGC9/Ex

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2672	tmpDD25.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe
1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpDD25.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpDD25.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe
Token: SeDebugPrivilege	2672	tmpDD25.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2088	1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe	31
PID 1128 wrote to memory of 2088	1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe	31
PID 1128 wrote to memory of 2088	1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe	31
PID 1128 wrote to memory of 2088	1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe	31
PID 2088 wrote to memory of 1956	2088	vbc.exe	33
PID 2088 wrote to memory of 1956	2088	vbc.exe	33
PID 2088 wrote to memory of 1956	2088	vbc.exe	33
PID 2088 wrote to memory of 1956	2088	vbc.exe	33
PID 1128 wrote to memory of 2672	1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe	34
PID 1128 wrote to memory of 2672	1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe	34
PID 1128 wrote to memory of 2672	1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe	34
PID 1128 wrote to memory of 2672	1128	1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe	34

C:\Users\Admin\AppData\Local\Temp\1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe
"C:\Users\Admin\AppData\Local\Temp\1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lilp-x8q.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDECC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDECB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
- C:\Users\Admin\AppData\Local\Temp\tmpDD25.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpDD25.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1a1c4c990762c5aef44db67efe75f746ee001b6ebade7c8ef7433f6bc56b4c8b.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDECC.tmp

Filesize
1KB

MD5
959b3e2e2227394d9c3dc596071ca3a6

SHA1
8454e5d60c6a4373c62e8b419431e5c3ca8f0294

SHA256
32f2068c2864a3ab71fc5d43808b0472888cbd7b59b7936daace89d03987ea7a

SHA512
c22a261f1c31d4603398abc42b2e9ff4a13d96a620f8b7a5d8df81aa58ec42f02d4db33e27fddca8e0c6dd1e0d4d639c31d4b6b7315ff39315e9c326f3dee0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lilp-x8q.0.vb

Filesize
14KB

MD5
96ee90cd94f3f2a182b3184ff0d13b09

SHA1
cad5f02120d1e4ecac5a60633cc71d2dcac64222

SHA256
abcc2ff02df6947cb74e46f966177e0c1f9c36b17ba025539422a227f27c918a

SHA512
ee460247100f9d9fa1a047da206bc0c1b2cad9878fc7be85fd125ef4ae34412782f8c11d4306a929dac8be8c36e986f723d6a0b6543f7d4badc71ae782573145

Download Submit
C:\Users\Admin\AppData\Local\Temp\lilp-x8q.cmdline

Filesize
266B

MD5
c1aee28b0b4045e8b545e12ae012f591

SHA1
96be0e331b258724ad39fc0641cb7af277c98853

SHA256
2feea1d26d2fd765a9f697a1a68328c4c5d1b6313feda2956eca25b8b46f1525

SHA512
400d21dd9ac5fde9263041be09adb337592d7a3d7fe09c04841b0f29f411678dd4f06abaab3d291bbbe642ccc1f8051e22fdd1172cbf085567296b69831d3300

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD25.tmp.exe

Filesize
78KB

MD5
c497f92cf21bf32d4146dd2d5bdb425c

SHA1
70d1db6cca0475982b757493c16524e1e57c71e8

SHA256
b434d6ffa7ac84f3129810ca4d644886f8c0597ec77e92e23d94a6ab6ff1384d

SHA512
010e5c51a5b1a1a6182afa436b8d8aec1b703a27b1ce0b324bea4873644f4cbef5cf0a92e85a7d30a5d2979613eb1595b73f09e6878ff44f2b2c7e45100d88c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDECB.tmp

Filesize
660B

MD5
62b42b1be90f52856ed8d7598c2c7476

SHA1
8e294cce7b4096650db20aa6fd9379b8a350797d

SHA256
ff25ceab542a906b98df51f3f6e0c75925d56429c220fdc7b82515e9982b9b08

SHA512
76673b2550c98884904ff22b581b93327e20679b144fd39ede17b6bdc3d9767b1888d3781b48be6cf77006592a4cd3ee08e6e91e4c3ba0728f855ebdf809fde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/1128-0-0x00000000746E1000-0x00000000746E2000-memory.dmp

Filesize
4KB

Download
memory/1128-1-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/1128-2-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/1128-24-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-8-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-18-0x00000000746E0000-0x0000000074C8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads