2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2

General

Target

2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
Size

78KB
MD5

79fab37f08fc1e4cc0aeb2263a7bd6c2
SHA1

317efa5c6e28443a6bd79521cd2f433f1eab2666
SHA256

2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2
SHA512

2f613351a2ca49e615fd1cf7837fb8fbefe4f371d2858f02e3ade853b01e19e293a47f9c95081574afd2311b5af4d2f2358e480ba01d8f927a4e460e4af97aa5
SSDEEP

1536:KmWV5jPvZv0kH9gDDtWzYCnJPeoYrGQtC67F9/W1BDZ:FWV5jPl0Y9MDYrm7jF9/WZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2700	tmp54E.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp54E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp54E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
Token: SeDebugPrivilege	2700	tmp54E.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1056	2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	30
PID 2644 wrote to memory of 1056	2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	30
PID 2644 wrote to memory of 1056	2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	30
PID 2644 wrote to memory of 1056	2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	30
PID 1056 wrote to memory of 2768	1056	vbc.exe	32
PID 1056 wrote to memory of 2768	1056	vbc.exe	32
PID 1056 wrote to memory of 2768	1056	vbc.exe	32
PID 1056 wrote to memory of 2768	1056	vbc.exe	32
PID 2644 wrote to memory of 2700	2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	33
PID 2644 wrote to memory of 2700	2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	33
PID 2644 wrote to memory of 2700	2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	33
PID 2644 wrote to memory of 2700	2644	2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe	33

C:\Users\Admin\AppData\Local\Temp\2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
"C:\Users\Admin\AppData\Local\Temp\2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tv_oas9e.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F3.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2727b2e1e5b6a3bc865fa11debdd95b07c661f4335c3465a82478fcab12062d2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6F4.tmp

Filesize
1KB

MD5
e8ffa1795c6294370de8d64e25dc0d19

SHA1
d72b9126a48561e239533d0164b4a50f6e91d0e5

SHA256
0e414a6940632f58978be34d29bb60db74370849a486b18d493c17fec2922238

SHA512
388f339bf345826176ba2cce68b842c69c2311b5c37af15f50dfb53791386053fc2e271114757941f909f61d1decef51b5f75cf0bcc741af81e3f0a75755197b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.exe

Filesize
78KB

MD5
dc09f8546ded7c94077cf051eb0db1c4

SHA1
88fd037acf1c12a9901686994eb76b8331379def

SHA256
829139fdfa177579156dd265eba3ee9e72b67a826af896e990270d6a5ad4f01c

SHA512
a862b28cc2afdd8b8b8e961c606e49d4cb9375327eee4d6ffc61085c4ab38056eeb4f91909902454c18e63f1fdc46f789997748ecff3034e367b425cbc4eb652

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv_oas9e.0.vb

Filesize
14KB

MD5
2d13b27fd5bf7d531d0010248780d9a8

SHA1
17730493ef5cf4b1bb4b666edf801d4508a01f69

SHA256
4368d2712a157df6037c6f8df5cfb0119600f58a2c434825031c1ae15d9e6238

SHA512
fae7b69f204cd8dab8d7109833bf8b57dbebce08ecfea6c0520b5dc7499f9214a9a155b2af2d96039d6594dae7f217ee858fcf279207ca06ece6ed36766ad289

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv_oas9e.cmdline

Filesize
265B

MD5
7e33e140c3c790368924a7f901e98668

SHA1
efb547c8f4abb57408d3128589736665cb269438

SHA256
36fe5724e67c5a44a7261f1ae2c4ae5841f61c2943b9eb9d7f2e66880d1969e2

SHA512
24d23dff88a88b032db8641ad924575024fc313b1b8dd436c9f8b03f692a70ab2de3f17fea747c53412d0eae7e6eb55a905d4757c2dfe28e0aeae031e1a46675

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6F3.tmp

Filesize
660B

MD5
e7a91f98d4e6da0a16a4b9261e29cb91

SHA1
3337d3035764d0c0672db988ea9e84fd15aee403

SHA256
218ff786e6fb112e560af6761feeecece7b3bc90a4dca250e3efacb6476c9f0b

SHA512
bf7bbd1ba02111ba332597d5be1fc5012ed85fa8b17c8af71378b826b918172e76b4c280617a4188eb01eef77b0489878d09493ca932a5a8d2a2632151819de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/1056-8-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/1056-18-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-0-0x0000000074D91000-0x0000000074D92000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-2-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download
memory/2644-24-0x0000000074D90000-0x000000007533B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads