ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64

General

Target

ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe
Size

78KB
MD5

0bd9c5a615518309a2c0bfa4673b01e1
SHA1

dc97b633713e5393bc316871909729b677b33bf5
SHA256

ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64
SHA512

f955139da46d7bfba3d6df03bf1b48766fa7c5e54913e487e4886b8a3386ddd27dc176253b62d24e5aa1e5e989201a4afe3465d7f13b9d54c8c9f22585670e8a
SSDEEP

1536:VHY6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtv9/wW1u+y:VHYn3xSyRxvY3md+dWWZyv9/wOy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2944	tmpB47.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2944	tmpB47.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe
3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmpB47.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB47.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe
Token: SeDebugPrivilege	2944	tmpB47.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2860	3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe	30
PID 3020 wrote to memory of 2860	3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe	30
PID 3020 wrote to memory of 2860	3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe	30
PID 3020 wrote to memory of 2860	3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe	30
PID 2860 wrote to memory of 3016	2860	vbc.exe	32
PID 2860 wrote to memory of 3016	2860	vbc.exe	32
PID 2860 wrote to memory of 3016	2860	vbc.exe	32
PID 2860 wrote to memory of 3016	2860	vbc.exe	32
PID 3020 wrote to memory of 2944	3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe	33
PID 3020 wrote to memory of 2944	3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe	33
PID 3020 wrote to memory of 2944	3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe	33
PID 3020 wrote to memory of 2944	3020	ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe	33

C:\Users\Admin\AppData\Local\Temp\ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe
"C:\Users\Admin\AppData\Local\Temp\ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_80cbubs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCFC.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
- C:\Users\Admin\AppData\Local\Temp\tmpB47.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB47.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ed027cca8a7d43d537d626bf02e9a79ca9d5ca79a763b8a2a5fd575a1cc2da64.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCFD.tmp

Filesize
1KB

MD5
1b2d5fd1686b39cc6e16c1220716d17c

SHA1
672118dbb49521d3d1f9cf68e212c628664df465

SHA256
3bd51184cb10c1795558d62d8b65b5f4ff98bc5c48c458cc43596739c3f6e7d6

SHA512
a6f02a56051f4a8292de0930b8e8a4ff1c5648c3dfa01af04a1b3430616b9605adfccf4d007c5fd7f9e6c8282fb5725f8ebdf7a45401bb8f644c80a384e24ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_80cbubs.0.vb

Filesize
15KB

MD5
2d20fb8d7df0914628e0f8d6693583be

SHA1
1c11e9e5a196c15e3124ead47c2ff0ef77239dc0

SHA256
127496b4cb71214df4fa6078c3c42fc0cd48246941cbb3bd37caa1bed8e59c7b

SHA512
b7eaa8bc62f9da0d6f735a2844fd25bd919d305a83c6d1bb24edf7499b5283d2e233e217ac735a21e18bc5ea3dadb59bdf7b8a2a98b27933a53b111e54c6616f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_80cbubs.cmdline

Filesize
265B

MD5
c1588e38db0073fe3512adf307aaab11

SHA1
2691c6608bb3d4ff360e0d8233b442a4ac343096

SHA256
cd9a57e77d76a7f81943796e297a6c9ff334b1965d023b55032bdd995809da8b

SHA512
87b3009dd0c9eea1591a7df1d94a00b6d6a7467019bcb991864dfa3d5db7eaaf5d65fab04a0c8ef19e65d5f872591ce448ef7b0c3873bfe0dd0ac0dc4957cf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB47.tmp.exe

Filesize
78KB

MD5
b56d54591d284bb4b7ea7c056a97d6ad

SHA1
2344d3a1aefe13d127639b123835e7ae7c555597

SHA256
9a80d816dc6401594f07f21a7f1ae1f22faee83d03e7c9f231ad5f0ea4aae8f6

SHA512
537fc16708665979ed91756e30ae21634ec00e2cd74267dd67c02a16e9a13669d461157bcec6b4fe0acf3abf5498934078ba287a533cd42c9de47430f4bb0031

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCFC.tmp

Filesize
660B

MD5
39ab1438b9deed58e8cde837af3d7db8

SHA1
78e0783ac0a745783206fe7320d4609ec30af549

SHA256
e21e9ee5a061cc186015c146b66f31f8380851037fcd557f1ec3cc5a088cd84b

SHA512
a8ea8c9f08733c3167ea42776e4fada2332fdb16e6f8f5202de15faa1011ce963315cba0a631326a7490ae6b3e0fd881391409913a75d2c59450c643c4bea1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
4f0e8cf79edb6cd381474b21cabfdf4a

SHA1
7018c96b4c5dab7957d4bcdc82c1e7bb3a4f80c4

SHA256
e54a257fa391065c120f55841de8c11116ea0e601d90fe1a35dcd340c5dd9cd5

SHA512
2451a59d09464e30d0df822d9322dbecb83faa92c5a5b71b7b9db62330c40cc7570d66235f137290074a3c4a9f3d8b3447067ed135f1bb60ea9e18d0df39a107

Download Submit
memory/2860-8-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/2860-18-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-0-0x0000000074451000-0x0000000074452000-memory.dmp

Filesize
4KB

Download
memory/3020-1-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-2-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download
memory/3020-23-0x0000000074450000-0x00000000749FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads