45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21

General

Target

45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe
Size

78KB
MD5

9761291ffb92b05ed576697cbae4ca60
SHA1

0b5317cfeb8d13650691e9e7a67e1b85ccb8b250
SHA256

45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21
SHA512

01c8c79c73c38d20be6be8da63d4bca344354801fae1113d256ce6db83f972ce54c41727ee833fd4bf965528cd7566b0a7d97d674a2dff717cda6cae897a52e7
SSDEEP

1536:KmWV5jPvZv0kH9gDDtWzYCnJPeoYrGQtC67F9/W1BD:FWV5jPl0Y9MDYrm7jF9/W

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2052	tmpFB40.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	tmpFB40.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe
2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmpFB40.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpFB40.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe
Token: SeDebugPrivilege	2052	tmpFB40.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2804	2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe	30
PID 2644 wrote to memory of 2804	2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe	30
PID 2644 wrote to memory of 2804	2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe	30
PID 2644 wrote to memory of 2804	2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe	30
PID 2804 wrote to memory of 2920	2804	vbc.exe	32
PID 2804 wrote to memory of 2920	2804	vbc.exe	32
PID 2804 wrote to memory of 2920	2804	vbc.exe	32
PID 2804 wrote to memory of 2920	2804	vbc.exe	32
PID 2644 wrote to memory of 2052	2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe	33
PID 2644 wrote to memory of 2052	2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe	33
PID 2644 wrote to memory of 2052	2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe	33
PID 2644 wrote to memory of 2052	2644	45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe	33

C:\Users\Admin\AppData\Local\Temp\45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe
"C:\Users\Admin\AppData\Local\Temp\45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3b-av6ms.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC3A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- C:\Users\Admin\AppData\Local\Temp\tmpFB40.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpFB40.tmp.exe" C:\Users\Admin\AppData\Local\Temp\45c25bc092d33e6121bb38f8dfe4c04a960716541cc76c4c0d9d202561bdea21N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3b-av6ms.0.vb

Filesize
14KB

MD5
7bf6b197df9728faf10f192f94a1d3c5

SHA1
38f9ea738c9ea8f3a5a7b17c692fe9d93c8f7337

SHA256
5fca2198642bd6d95c85553d3a2bd54b8389a67bf3b912b72ea03fea9b9f5d01

SHA512
eb7f7c9369d69789ae98552831eac673ebd5e6930ee4c5faf9c66f051d29d3a3bb29f9902322e54c61ab55690e2ad4a5024e270611db1d4eb94dcbc6488c8e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b-av6ms.cmdline

Filesize
266B

MD5
903585e5a885021f840b5531c08a0ca0

SHA1
ee0a2a150fb69b796f3fa438b54711a52de84b85

SHA256
a8a7abffa40d198f8e85b3edfa95d36a2b4f657a6368b1e9bf9eb2d8eafdb53d

SHA512
7922a28b4edc93c885a700dba183a32091d721cba8051d27bd43c967e0bc30785964207612e28bb1bd677b1d3f223e322455f362ebe8b914bd40633f0814ed8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFC3B.tmp

Filesize
1KB

MD5
72bfd119fce50fe2f912543f41597be2

SHA1
0d2a4eaa2c55d46333b99305d7cafec50de7e4d1

SHA256
665ce3016fa31d3c3c17904b992da8d6f97de3b0183b047e84ce1884010fd6e4

SHA512
c4608c4ac69e6279a4f5695e93133cf8b8b663adf88bd8ea5a32c08ddfbb3f0ae79407e0ea1b38dd7563e2a744ccba2b6ad823586fd5343e3440d4887c2307e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFB40.tmp.exe

Filesize
78KB

MD5
312102425977f622bb806ffd9f38b447

SHA1
dc4c678bb8fd488c6724726b161381e19d6faede

SHA256
b95bcdc920fd269f35d6a9691b2994dc3fe91af40ec7b8c28b50552e0662e62d

SHA512
aecb5c66ac48d2b0b8fb345792579a113cdb080a38733a7ee7f3cbeb1ec90a58dfb89e0d7679244b9f9465297131404c63906da33a9e5d4bae8f9aa8d1cda1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFC3A.tmp

Filesize
660B

MD5
42cc8026b11e61ae631b92ded8d21216

SHA1
ff74f7f7dd710b1609948813c8672bdaa62a3d17

SHA256
8397b2e1b10422814dcf35d023f8e65f1084cdc4a86eed97d8b943dffe3a2eef

SHA512
70ac926efda01bb8179661f581652bd5a893c8428c7ec4710234c56436e85337708701e8eb04b05cf7108cebe14bd9a042c2b63d1daa9fdd47b640c288b7716c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2644-0-0x0000000074F51000-0x0000000074F52000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-2-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2644-24-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2804-8-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/2804-18-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads