15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8

General

Target

15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
Size

78KB
MD5

06c8b813e05563d88783ac17ddf078a8
SHA1

44b860c38f565f0d6be43832b2e793020fe7f611
SHA256

15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8
SHA512

22687eedd4218c8ea03b1cc9e898c6e5e9048fdc2ee0973f016c22b4421d35956161c399dbf59117af39522e8c6fa9f28ebdb59bf0d45f4e01b46d433249f5fc
SSDEEP

1536:DPWV5j/vZv0kH9gDDtWzYCnJPeoYrGQt9629/5R1gmY:DPWV5j/l0Y9MDYrm799/lY

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe

Deletes itself 1 IoCs

pid	Process
4464	tmp757E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4464	tmp757E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp757E.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp757E.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
Token: SeDebugPrivilege	4464	tmp757E.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 516	1116	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	83
PID 1116 wrote to memory of 516	1116	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	83
PID 1116 wrote to memory of 516	1116	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	83
PID 516 wrote to memory of 2060	516	vbc.exe	85
PID 516 wrote to memory of 2060	516	vbc.exe	85
PID 516 wrote to memory of 2060	516	vbc.exe	85
PID 1116 wrote to memory of 4464	1116	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	86
PID 1116 wrote to memory of 4464	1116	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	86
PID 1116 wrote to memory of 4464	1116	15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe	86

C:\Users\Admin\AppData\Local\Temp\15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
"C:\Users\Admin\AppData\Local\Temp\15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tiqdw-gb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7678.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCB48CC7890B44B41B6F6CCC9B0787CB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
- C:\Users\Admin\AppData\Local\Temp\tmp757E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp757E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\15ec19f68e9851b6858a4aa80908254e01c4c6f49eaa47a72bec20af7a03caf8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7678.tmp

Filesize
1KB

MD5
177158ec4a21d562edf868debd3a8ad1

SHA1
bb97a87e11c35aeda6d5fadec83b56a3bb5117fe

SHA256
c0de3d0153ed65f658445d3b7795b237c5e691933d2dd31282fad75323ecde1f

SHA512
3be385db4feb1c0183364b4d7104cd4e0ab12d207d8d4fc4daca81b26664892ef03c65b471c17939bd06ec43ea313f7d924605f2175b53f7e8d2f58c0ba57308

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiqdw-gb.0.vb

Filesize
14KB

MD5
7f5ece06f537e7202f7972a30bc31ba7

SHA1
9b33661f09ca1138c237cee794a7d85c29c47095

SHA256
4054015b0b263391410dc70336e49ecfd0d522e27d7dffb8a816450aa7cf09af

SHA512
171f82ebcd14cf346cfca1b042efe8a3b03b9bff45950a62ad1fc5af72e8d86aeef4ea4b46a7e152f9d7c76b04c1ad875b11180a7c0342fb436472c0d55f5b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiqdw-gb.cmdline

Filesize
266B

MD5
acb188926fc58207525dd517f4e96758

SHA1
b972fe786f28fcb142fe5b48899cbc7253317780

SHA256
441fccf7765a62a799644688162cf54d2eea1fd4794831fe6f900b77f6319351

SHA512
b7f360518bb4fbb71713febb8605750c3c9b882f167e100095f332c808e4d6cfd3e8826980816ca3b37cdff1de495252412be54a68102c1ed341775258c6e941

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp757E.tmp.exe

Filesize
78KB

MD5
ef1c8293b2a9ea550a233096fae55ea0

SHA1
d41c1ce3a5838b6b5e08905a1c03f3a84413f7a1

SHA256
a8e2975a86ec28632e7564c33770d606c37a7edb24f820542921b68111ec4be4

SHA512
434ff31393c9aa5ab7ed7237c79ac6429428c2ffa320bdb6096e4c2e2cbef8e4a404f7fdb033f27a22240b62f502119b36ba9c5dc0ac739907f989d896fb6eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCB48CC7890B44B41B6F6CCC9B0787CB.TMP

Filesize
660B

MD5
d90f82e2c0db057c17e16a6801895a80

SHA1
3f345f8e5f38b60813d5e852ff83b19bd1468733

SHA256
34b0fa7830c7c2c75c3d0a9aa5065064f69e59dd97e110c428872b725410b2f3

SHA512
dc8a8d018c9934d2c796f7f8eb0591eaac8d6e2640fb6acd9152ee753fccf65aa8a5495b62d082843bec375a0267b0e8576e32ada9c717fe228ab8c4144be4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/516-8-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/516-18-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/1116-0-0x0000000075082000-0x0000000075083000-memory.dmp

Filesize
4KB

Download
memory/1116-2-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/1116-1-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/1116-23-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4464-22-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4464-24-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4464-26-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4464-27-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4464-28-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads