53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2

General

Target

53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
Size

78KB
MD5

b12baaddb7b59ca73b1b6b3c8b221da3
SHA1

66d88e761c4c42bf953f46fd83cd70438455b31d
SHA256

53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2
SHA512

d3cbbc2bbdb5e2d9e5520ba09506eee5069513387539cf1bf200f72081b1a6812cdab2dad85313de50bc57f85cf0658077c03d3cc4ceb0058412104c103593c8
SSDEEP

1536:PuHY6M7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtR59/uE1Rz:PuHYnhASyRxvhTzXPvCbW2UR59/H

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe

Executes dropped EXE 1 IoCs

pid	Process
4084	tmp9A0D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp9A0D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A0D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
Token: SeDebugPrivilege	4084	tmp9A0D.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 4408	2644	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	82
PID 2644 wrote to memory of 4408	2644	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	82
PID 2644 wrote to memory of 4408	2644	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	82
PID 4408 wrote to memory of 3568	4408	vbc.exe	84
PID 4408 wrote to memory of 3568	4408	vbc.exe	84
PID 4408 wrote to memory of 3568	4408	vbc.exe	84
PID 2644 wrote to memory of 4084	2644	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	85
PID 2644 wrote to memory of 4084	2644	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	85
PID 2644 wrote to memory of 4084	2644	53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe	85

C:\Users\Admin\AppData\Local\Temp\53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
"C:\Users\Admin\AppData\Local\Temp\53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gzo-njp8.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9AE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95C515488FAA4DD29BB664CB359EA995.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3568
- C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\53b3fffc98b84d90844020607bd363aa8615d7a236fccdb8b4138de111e2cef2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9AE8.tmp

Filesize
1KB

MD5
95825775c8b5a97ee3c3a970a6529a84

SHA1
d5120b22df31aac20d62740c471c8a9b0174abb6

SHA256
4e1addfefe278e6e505ab92f95a011768c7b7f40090de1e87b85b45eeef92508

SHA512
addc712521530c9ed163c809ca332b00752b5caefa09e322da3c9197e460390a4635a4ee5d6af587cda7dff495ae1fbe9fbc836cc4b8473ee476c2d3eed738bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gzo-njp8.0.vb

Filesize
15KB

MD5
6861a42d763d060bd5ae8d3f2c5ad625

SHA1
777f4d6d5d1169ee089a1e2984f68301000a6cb7

SHA256
67e0a103d5e444e3aad737f7c6dce423db4939fb3c4afa646572d3b36e8e92ec

SHA512
7e4c5aa168d7bb4f1b88f18ba789781fa77133125cc3da4ecad99be2385b10c1b71198ea6c5699ca9767f58b1b88a6a4ec51e21638ff6b23ebeba2df37ccc3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gzo-njp8.cmdline

Filesize
266B

MD5
0716bf0d404284f8db1c42d10f33e3fa

SHA1
bdba8a4468fad3ac34bc77b6e3d70b2e905f2d83

SHA256
457c0b561046d81838f6aab294815fd4e1ce75862ee9266cfa18fbb3567e5d03

SHA512
99bdc5c1a8d4e4f062baa21c63f2e58bc6902838d87dd51dc38cd6e8c8c75658a1477a0c9b60cdf8fe0a62baa0de5eca339b37fd235fc96aec73213c8f2f707a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp.exe

Filesize
78KB

MD5
4c5b642f9b460c90293b582278a54606

SHA1
7315cb17659f33abdbd38c22dccc841b831ae25d

SHA256
f9f035d556b311e57d471c050ea488abcb04d0bbd13b46bcec66c47b9c39a90e

SHA512
b78702438fc66381f67922b30e556125f353e7878b1c0c8d8ca04e99748ca2fa7d4f9f3abdb13511ac2a9841a1c2dd8115253538d0ab471cbc69dea47f93d8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc95C515488FAA4DD29BB664CB359EA995.TMP

Filesize
660B

MD5
2224814d1d01dd7a3f43c9ded920477a

SHA1
fcb5d03453bb50a5edf3c492ba0b458812a1b589

SHA256
9dc556caafdeb8f70b899d12de2be07dabcf5851ce227c720dd6e7bb838fdee1

SHA512
d51ee76d5c1605665658eaf3250845eef9c46b6972d006d93be6cebaa4ad407d12d1cdd703bcd6b69425030813c758133a7a5afcb708071921be23b6abbb4377

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2644-1-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/2644-2-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/2644-0-0x0000000075332000-0x0000000075333000-memory.dmp

Filesize
4KB

Download
memory/2644-22-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/4084-23-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/4084-24-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/4084-26-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/4084-27-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/4084-28-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/4408-18-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download
memory/4408-8-0x0000000075330000-0x00000000758E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads