aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7

General

Target

aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
Size

78KB
MD5

733319b3eef1c7bbd30aa8dac6519aac
SHA1

fce2c55c1436a9d8ef0ab7dd25decf3fc2eb54eb
SHA256

aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7
SHA512

104309319cc30b3180e0148efbdcfa73b5319dd39d8206ef77f176110ed7a30f491c37c6108827fd356bcac1d5b15ff507c0d2011aee7694947f73830011ec6a
SSDEEP

1536:NPCHHM7t4XT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtv9/M162A:NPCHshASyRxvhTzXPvCbW2Uv9/4A

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2816	tmp82B.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmp82B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp82B.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
Token: SeDebugPrivilege	2816	tmp82B.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2880	1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	31
PID 1104 wrote to memory of 2880	1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	31
PID 1104 wrote to memory of 2880	1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	31
PID 1104 wrote to memory of 2880	1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	31
PID 2880 wrote to memory of 2488	2880	vbc.exe	33
PID 2880 wrote to memory of 2488	2880	vbc.exe	33
PID 2880 wrote to memory of 2488	2880	vbc.exe	33
PID 2880 wrote to memory of 2488	2880	vbc.exe	33
PID 1104 wrote to memory of 2816	1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	34
PID 1104 wrote to memory of 2816	1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	34
PID 1104 wrote to memory of 2816	1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	34
PID 1104 wrote to memory of 2816	1104	aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe	34

C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
"C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\efznpvhs.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA9B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2488
- C:\Users\Admin\AppData\Local\Temp\tmp82B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp82B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aea5c984a32b4d05e468f70dab352b7edc89e788e1c11ec50175511cc8d304b7.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAAC.tmp

Filesize
1KB

MD5
871963cec5b6d5e6e02bab7162899012

SHA1
3640834faf61f3465c8ee7ffe6c7044fe3657e2a

SHA256
20ddc44ece11c1c10d0b79f3ee74674ace9d37a516d04c65ff67ca909c07358e

SHA512
cfcfbd6962c90e11d6aa6040f24fe870504e0b1f3bb40a2072df968d3bd13921c7c5492691534782008205392b89cf50bc090743c0f5f0e8cd8606d2094a1560

Download Submit
C:\Users\Admin\AppData\Local\Temp\efznpvhs.0.vb

Filesize
15KB

MD5
a5d43a6ddcb42c9c1dba159be9f53628

SHA1
66fcdc80f639b94bd2cab0e10cc2d3dd465670ba

SHA256
12675ed7362a9324244ab4fcdf6481dfb68d5c88da0254cd59bf4df6404e7658

SHA512
794b2f022f8f16e21990039461255153e7a0a848e61cef598efcfc1f563ad7c7e2cf27f1f3d4b0c3a07ad9045e036c17b15432dc03ad486dff365cda438c78aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\efznpvhs.cmdline

Filesize
265B

MD5
f6a0b3d1fc88ecd521975fbab3fa0056

SHA1
4d6f4cbc775b5d0a852ec75e684f56c248c54f9c

SHA256
30bd72fd7acc67375060155f5a739659cfdb1227829582f9d6a898586481eeb3

SHA512
a91e7687410fb76a738d65463ac0178246d7fa36a4f152a3388b98a96cbd3f799b75fa7da65d26c47a1698ed0be744a9f580a9f7891b843dd50049a022b7ae00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp82B.tmp.exe

Filesize
78KB

MD5
7a45521c6ed2e521ea1f7ec0986cde88

SHA1
bc58454e54398b13d0a8a75094037c62b5805cbc

SHA256
fe35d8cf62c965a20391c55f69d4dabcd6cbfa4dcdd00cc2044dda828f145383

SHA512
c441cc208b9e849bafb9fdf53185f4434c9556de893593bfbee40c4efd52452841a9415524be82bca25d7d7d0e2d2370356d2dddcbb39911bea3597c23a73b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA9B.tmp

Filesize
660B

MD5
c02edd1c636bf204362f9b29ab4bfbe3

SHA1
da52b2e4d529d905b70fcd2feb992d0ff5a0ea1b

SHA256
d152c7590a37d8653ff3f5f67ef24bcddedd8c625eaae21571c76e9071e6ee28

SHA512
874ab96bc75a3a4d47d6fdea6384aeaed3b16d82b137c2e61a0b4500cff8492a1848e47ed86612750516d1958f6f0efa318526e548bb1b54f66f21dd72a56866

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/1104-0-0x0000000074591000-0x0000000074592000-memory.dmp

Filesize
4KB

Download
memory/1104-1-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-2-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-24-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-8-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-18-0x0000000074590000-0x0000000074B3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads