aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7

General

Target

aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
Size

78KB
MD5

733319b3eef1c7bbd30aa8dac6519aac
SHA1

fce2c55c1436a9d8ef0ab7dd25decf3fc2eb54eb
SHA256

aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7
SHA512

104309319cc30b3180e0148efbdcfa73b5319dd39d8206ef77f176110ed7a30f491c37c6108827fd356bcac1d5b15ff507c0d2011aee7694947f73830011ec6a
SSDEEP

1536:NPCHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtv9/M162A:NPCHshASyRxvhTzXPvCbW2Uv9/4A

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2604	tmpE3E9.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2604	tmpE3E9.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpE3E9.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpE3E9.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
Token: SeDebugPrivilege	2604	tmpE3E9.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2716	2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	31
PID 2184 wrote to memory of 2716	2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	31
PID 2184 wrote to memory of 2716	2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	31
PID 2184 wrote to memory of 2716	2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	31
PID 2716 wrote to memory of 2704	2716	vbc.exe	33
PID 2716 wrote to memory of 2704	2716	vbc.exe	33
PID 2716 wrote to memory of 2704	2716	vbc.exe	33
PID 2716 wrote to memory of 2704	2716	vbc.exe	33
PID 2184 wrote to memory of 2604	2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	34
PID 2184 wrote to memory of 2604	2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	34
PID 2184 wrote to memory of 2604	2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	34
PID 2184 wrote to memory of 2604	2184	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	34

C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
"C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5uod2d-6.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE532.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE531.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- C:\Users\Admin\AppData\Local\Temp\tmpE3E9.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE3E9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5uod2d-6.0.vb

Filesize
15KB

MD5
922e1ee8c92f883c1af1b7e28b7098fb

SHA1
599a7ce40d64fc8f2f2b25a44eb5b90d985422c3

SHA256
76a3840d6d477181351cd545bfa4522ff8bdee1c15dd8a390ea774eccde37859

SHA512
a6f540f8c1cb69bbfda78bcee05f411e9a0b132f76e711999c6b15b84ef9f01a28d72207161e72ad303a51d7edca6ff56ce488318b337e271a5d738527bcab66

Download Submit
C:\Users\Admin\AppData\Local\Temp\5uod2d-6.cmdline

Filesize
266B

MD5
53544e7d90e1b5d109151b2af1613db7

SHA1
b92332d94c1ffdff13c461839ba125f50cb69907

SHA256
10ba12639d7ad3ea724fd59989930d44aa3dc1098e2db5e2176866aac7afe4e3

SHA512
4dcb4c5949b4064b483f8258a0067c6e8e5d038f5996ffc8926c8a02b498171691b255bb1c7816e4d7e0bec0a213e79764d57a6143d93d369b75225594211e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE532.tmp

Filesize
1KB

MD5
df48bc6d8afe88afcd61fe59a765898e

SHA1
7447ad95ed440b5d05fcf92b2fa21147a9b9d892

SHA256
9f57c284479ec3c9ac969fa2c3f71b61bbe4fbc32cd16664241af22a25f7383b

SHA512
d3fac7ebef27e4d8bd491f4cc7bb5ea1036955c9346d3a114c85963faa301fbc1e5df18306eb7ff777761614c458a9a977fb7206f170734711ae686db93dcc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE3E9.tmp.exe

Filesize
78KB

MD5
d2bb4599fbb93bf1309a01a060db30d8

SHA1
9ab4e3c856c55708053a75b4a7e2a001f931f4bf

SHA256
cf5a996b6ed832c2b9ce0c2dd23542a42b1f6b35679037dd00a8684418d70012

SHA512
b879ce3fb8601cc3afcbe81e817538994f7e26b3c035b227ed4fa5f80c7f9f2918040ee5730d8b6b76c2bec062fc9ee4773711d1e0e751ef37ce130d9841701d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE531.tmp

Filesize
660B

MD5
76bf699454e6f76d256e0dfc27558851

SHA1
4cd8d12b3d1ab82a24f248b0c4429887fadbef2c

SHA256
b533fee7a64f77de3182efc30746f01b2c800d887bc0104339df239f14217b44

SHA512
6c703a8c2061d81f6500c6e1a3409e949579b449fbcdc75d3e1fe318e0e4fcdba75391ec6b47b63fb3d69cdf8f192f41e55dc556ffb139d88f2fe638ad5bd617

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2184-0-0x0000000074DF1000-0x0000000074DF2000-memory.dmp

Filesize
4KB

Download
memory/2184-1-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-2-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-24-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-8-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download
memory/2716-18-0x0000000074DF0000-0x000000007539B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads