dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d

General

Target

dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
Size

78KB
MD5

ad17443af685ea7bd728ada4dcfd3844
SHA1

3173d8adb196f463521133e38d08e78fab3674b2
SHA256

dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d
SHA512

5483d8bb622400dda41a3ded0026a754939913ccfedec4adca9370067a10ef83b0396b639a72eb77f2522f053c0eccda2142195870c6dc8a2706546a5cf34833
SSDEEP

1536:lRCHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQteA9/y1ADc:lRCHYnh/l0Y9MDYrm7eA9/pc

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe

Deletes itself 1 IoCs

pid	Process
4264	tmp9A8A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4264	tmp9A8A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp9A8A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9A8A.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
Token: SeDebugPrivilege	4264	tmp9A8A.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 4076	4652	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	82
PID 4652 wrote to memory of 4076	4652	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	82
PID 4652 wrote to memory of 4076	4652	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	82
PID 4076 wrote to memory of 3612	4076	vbc.exe	84
PID 4076 wrote to memory of 3612	4076	vbc.exe	84
PID 4076 wrote to memory of 3612	4076	vbc.exe	84
PID 4652 wrote to memory of 4264	4652	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	85
PID 4652 wrote to memory of 4264	4652	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	85
PID 4652 wrote to memory of 4264	4652	dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe	85

C:\Users\Admin\AppData\Local\Temp\dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
"C:\Users\Admin\AppData\Local\Temp\dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k6xo0ta-.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B84.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9B8ACB4F67174AD98C98B7668754339.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3612
- C:\Users\Admin\AppData\Local\Temp\tmp9A8A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A8A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\dfe2cd97937a37030cad9c96f37a5a93ac8b5806d687333083176718dae0442d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B84.tmp

Filesize
1KB

MD5
45de235ee6246b37df835ab42a588ee7

SHA1
40ed08ba6e550a5206bd4b1f3164e2eba4d7ba40

SHA256
aecbc6cf8cbf346f5a8548a66d90d108bf6036abd59b05b4c51f49ebd15547fe

SHA512
2d7ec17e4c1d330dfcf297746bf0d60da71ba9f9aec86db71816a2cb85286f677749882b66cb600bc7c7f0fe8526e23dc90aec91ef500f895cdbf4ea52c88713

Download Submit
C:\Users\Admin\AppData\Local\Temp\k6xo0ta-.0.vb

Filesize
15KB

MD5
b1992c5ae9ea9e1938d0b4c5373f15bc

SHA1
a20ca59314453cd4de0297014aa16af549263c3d

SHA256
23e422cb6af14b4e909651e3f7005170f7964d344bb5da723e751ace918db788

SHA512
4bebc5a98132fee9b942e7c9211e27ca4f64b1a5f77a3ab0bdf2a40c506ca30c36a7499e53d9cdda59f63e512b3b740c60c577bbe85931846b029a754a844114

Download Submit
C:\Users\Admin\AppData\Local\Temp\k6xo0ta-.cmdline

Filesize
266B

MD5
49eef5221b9bbba7394426beae243906

SHA1
017f5c72d050bc5915f3d35b8ed05a79528d38a4

SHA256
f140f45a4df6015a4a40bc38565027392e153d6f069dc48d9f7cccad9c0818ca

SHA512
8ac3f38fac84f75648cf537dd6bcac9a59e8586961df9fdded5d1c6cda0bdec5e0a51e7d0d83880ee2cb160987ff808881c5613a742ae8fbf5bd000d03e66060

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A8A.tmp.exe

Filesize
78KB

MD5
f3b851b5ace60b79c2b447a71f58b43f

SHA1
5687cc361a818cd758a773459e62999d283e0552

SHA256
0c265ac0480bd0f020a2ae3b5be2632e6e8735a069207e261a4ab2eed4ad9fb0

SHA512
86a1262e109141ff18404abb26ab9fb90399e7fec247a4c3b7f26761c441e6526bb1e466e6277a7dec69edbf595c2b0e9515c501f0a9d763c24fa0151321f497

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9B8ACB4F67174AD98C98B7668754339.TMP

Filesize
660B

MD5
91b54597266678e67d27ccc382f90f23

SHA1
a0967d2c649a50e2ba56acff6afe1f3f61f295d0

SHA256
cb2e9eb6dfafe47392bcc67622b6074b7cdb8695e9d6ebf59d82298a4327e9f0

SHA512
ec575c05aff533735e7503aa9c286d75f566dac77f49f042aa60ba66633215b082c8c6f6e3df02027dc3b7e6d60e7587e33f0e217b78fb22691a0c16e27e8875

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/4076-18-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4076-8-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4264-28-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4264-23-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4264-24-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4264-25-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4264-27-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4264-29-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4264-30-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4264-31-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4652-1-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4652-0-0x00000000747C2000-0x00000000747C3000-memory.dmp

Filesize
4KB

Download
memory/4652-22-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download
memory/4652-2-0x00000000747C0000-0x0000000074D71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads