1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19

General

Target

1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
Size

78KB
MD5

0c541636c90447f84b405665a7cbe1cf
SHA1

158060e809d81ec5157c0046d1ffbe49d831fef2
SHA256

1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19
SHA512

4c7f7950905160646a35c41f1b61e8f7176da98f9b8eb98eef09bb4bbac7ff3dae0ad68246a3c8a8260f9216de102de091ad81478096de99213b7830815b2688
SSDEEP

1536:+c585XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQt96r9/lpL1Gh:+c58pSyRxvhTzXPvCbW2Uk9//s

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe

Executes dropped EXE 1 IoCs

pid	Process
1168	tmp753F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp753F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp753F.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
Token: SeDebugPrivilege	1168	tmp753F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 3392	3736	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	83
PID 3736 wrote to memory of 3392	3736	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	83
PID 3736 wrote to memory of 3392	3736	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	83
PID 3392 wrote to memory of 3632	3392	vbc.exe	85
PID 3392 wrote to memory of 3632	3392	vbc.exe	85
PID 3392 wrote to memory of 3632	3392	vbc.exe	85
PID 3736 wrote to memory of 1168	3736	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	86
PID 3736 wrote to memory of 1168	3736	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	86
PID 3736 wrote to memory of 1168	3736	1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe	86

C:\Users\Admin\AppData\Local\Temp\1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
"C:\Users\Admin\AppData\Local\Temp\1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fi9jh-yz.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7772.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83EF3145E6C3423B86B47D326A537B5F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3632
- C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1d2e0833776f95677f9fd242ca134693877762efd11e801f03030c506e4fde19.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7772.tmp

Filesize
1KB

MD5
0231a8e5eaa55582df864db6191e300a

SHA1
4bf4e0587d8ad533aa2e455792a7a44ef8e37900

SHA256
433573a7cb9db1d0b3cd8db6fc46436dcf0e09ca3a850d5030db81129e3edb5a

SHA512
cd5b4d19669bac2feb659821f40027af533a5c54715384db5bbdd4a00713336c8d9566b12af2a0769b36c8793c718457c9a089a0226b26c6057065dc824cfd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\fi9jh-yz.0.vb

Filesize
14KB

MD5
8964ee233ee1ba31364eda46e2c45177

SHA1
089bcdd134d3b20ed9577af5d7fa7eb1306d1fce

SHA256
d52131b893eae2af4f42b1305cad23bb6a6e4860c3908010361b85cc85909c4c

SHA512
789fad25cb74bb2f48a9951d7468b606bdae9f337c07dd5ee2a99f0640fb7b55b178f83930a1a35cb39d19517d7ad79ae0a0c53a21a49741c252525b245ad399

Download Submit
C:\Users\Admin\AppData\Local\Temp\fi9jh-yz.cmdline

Filesize
266B

MD5
6421bba311b7d9f72929e169ef56037e

SHA1
369145e2519fa02d62356361773e82e1b24ceb16

SHA256
d56239a19eb1011394a1d8c12f6e3f251196bb5678c3c4e9ae9832c439beb4c0

SHA512
5e8b6f8ed046482251cfb72a7b2f55a89ba29528a048c392bcc15e86a6b88ff9a6f9513c337417f8c473758ae0821fd3b6a547379dc8f9fcfe2485bc296fd4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp753F.tmp.exe

Filesize
78KB

MD5
ed0260ea4de0a4059015f6e45e6dc02a

SHA1
797f6da2122f453e48853245e38620796b2ae1f8

SHA256
aa6149341a5739c08035fa862dc9340020cb3183c88ad1686a8a063b046a593e

SHA512
ff2645de1aec65cb496dfd5251e60910866126d7a23b142ad482e6ad981fc9f5195e861834d04aad8d9317199cf5bc8214ed91649937fecda6197c705b7dd0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc83EF3145E6C3423B86B47D326A537B5F.TMP

Filesize
660B

MD5
f0064135b8d8ce1d288e740281514c1b

SHA1
dc0100168b0e40455b7a8c927a70dc33bfa83639

SHA256
995d3d05bf1623d12bd56137ccabc7fa2afeba7bcfdede04d6d209b442348cb4

SHA512
596b2c728d9ca93e399ecdcbd908f46484f19f5734e0a5167bf715626e2facf97782aaadb7134a1f0d4410c22f2b6ce811927e516c893cbfa86aad487961cc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1168-23-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1168-28-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1168-27-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1168-26-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1168-24-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3392-18-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3392-9-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3736-22-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3736-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3736-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/3736-0-0x0000000074932000-0x0000000074933000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads