a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225

General

Target

a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
Size

78KB
MD5

c01acfbac16f7b0dfe65e4e0de987730
SHA1

3aa00e3cccda677af540aa2cc7e2e55832ef0c0f
SHA256

a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225
SHA512

df7a34b01731aa452b1d68b6ece3f69c643eb3ea741f8336aecf24d56c36749d3218d8c92c3da3b737aca94605ccb00081a11b03750d08ca06657fe1b1995d81
SSDEEP

1536:8StHHM7t/vZv0kH9gDDtWzYCnJPeoYrGQte79/x1qw:8StHsh/l0Y9MDYrm7e79/D

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe

Executes dropped EXE 1 IoCs

pid	Process
3372	tmp8F4F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp8F4F.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8F4F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3620	a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
Token: SeDebugPrivilege	3372	tmp8F4F.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 2260	3620	a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe	83
PID 3620 wrote to memory of 2260	3620	a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe	83
PID 3620 wrote to memory of 2260	3620	a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe	83
PID 2260 wrote to memory of 4796	2260	vbc.exe	85
PID 2260 wrote to memory of 4796	2260	vbc.exe	85
PID 2260 wrote to memory of 4796	2260	vbc.exe	85
PID 3620 wrote to memory of 3372	3620	a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe	86
PID 3620 wrote to memory of 3372	3620	a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe	86
PID 3620 wrote to memory of 3372	3620	a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe	86

C:\Users\Admin\AppData\Local\Temp\a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
"C:\Users\Admin\AppData\Local\Temp\a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u-dydj_r.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9049.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB470D2232D464B7498E46F3CD22C396.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4796
- C:\Users\Admin\AppData\Local\Temp\tmp8F4F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8F4F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6ed1c4f65ae4a1ed34500868a744501a4bc84ad84612e154d1d6e41c606c225N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9049.tmp

Filesize
1KB

MD5
1d95c8a0e0b935e3319ff770d05cee80

SHA1
1e8dad027c308c89582bf56764c890c1d39a128f

SHA256
e19d68875c2a99d5a87e63180198bef8d5f4cfcd7e16c86abffe9e15e5926428

SHA512
a0aadcb6c1080165a5e1afede3578a83c5ca2678f92ec0b2df6b745ddd347623855c44d3396123b80d236e36ae656616005eb273b8cc549db74e3b77a67c224e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F4F.tmp.exe

Filesize
78KB

MD5
e843129e8b21ccb0208bce940eda0eb6

SHA1
a134ae9921691356c83fdf00e75874f0baccd5eb

SHA256
659ca8ecfcd4048adb9700bd624de881a8a51b6c3429b60a996d92d719ce6494

SHA512
4fdd324ad1f848edd8f38677452612780e2b7c7f9a688f214b31786756f42c971acab2000b6eb9f9874fe13131cd31bd81ed3295dc65a768ef13fa250095bd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\u-dydj_r.0.vb

Filesize
15KB

MD5
3ed23eb791ba093cf3652e0940a535ce

SHA1
39f37fc6cfd12cab0bca90491cc7230d710853e6

SHA256
1dcbb7822662d77534e7ad0627a9ad40fffcb9cce32320f3057283da2d32f79f

SHA512
e6a275808da3d0ee206daf0d98d624c86e25c2c94192ec27663d3af7a11b8129efc6db9908ee714caaf7f7df0d5baaeade8c62df557d70712755b5fe86b79b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\u-dydj_r.cmdline

Filesize
266B

MD5
c3452a0e2af6b37f7ddc630e6664a7af

SHA1
b51116b05e8b9b26dc8060e9bbbe796dc05aeb90

SHA256
32ba51103ac9721bb60794043124c3b760724c3285bee84bd738167aee75837e

SHA512
ec79fec96e923c932eb78bb6948bdaffcba3aee1f9645f0bd7fdbede4c14320d66bb2dddb36125c3477e3a5dbd4e8d14163a76a9b3eb6332f351178a2cc469ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB470D2232D464B7498E46F3CD22C396.TMP

Filesize
660B

MD5
d12b12ee8e2463aa9e06ffc403d04bb9

SHA1
94ecf627b71a047777661c7429d04cabf7ea1b17

SHA256
8381de3f8bd6985dcb780b9350d345465f4b0651a41ef5b4d0cd3b08a40a69e6

SHA512
97645255c2626ca4a0e724f7fe322cffbd89d83c9cdc527698ddad0f8071a90c967918f885666cfcddf601b8947deb669dd0e78a6b4af4a76344e947584eb31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/2260-18-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/2260-8-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3372-23-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3372-24-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3372-25-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3372-27-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3372-28-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3620-2-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3620-0-0x0000000074982000-0x0000000074983000-memory.dmp

Filesize
4KB

Download
memory/3620-1-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/3620-22-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads