cc5933a763eeb7221f5580109125046de6e4f81b89b66705548d086f426fa056

General

Target

cc5933a763eeb7221f5580109125046de6e4f81b89b66705548d086f426fa056.exe
Size

3.0MB
MD5

d9d22a1e0d78ef5619038b14443491e5
SHA1

a1951b9da5b34a4238ddf90c4ca09656b1fc643d
SHA256

cc5933a763eeb7221f5580109125046de6e4f81b89b66705548d086f426fa056
SHA512

fe52ef7b8aa669bcee6d5bc7e83f0daaf3667b273c333f6e064e5535ce84c580324468e2b52ef5d09998388cf4105ef36e373f8c795452c14e73f1ebf8be0795
SSDEEP

49152:XgHl3lkZKMw+3tuF8BJU0MwjAypQxb5hoSo9JnCmnWMrxwI0AilFCvxHT:XgF3lzC3sgu0M1ypSb7Zo9JCmn

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
28	3228	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3360	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 3684	952	cc5933a763eeb7221f5580109125046de6e4f81b89b66705548d086f426fa056.exe	89
PID 952 wrote to memory of 3684	952	cc5933a763eeb7221f5580109125046de6e4f81b89b66705548d086f426fa056.exe	89
PID 3684 wrote to memory of 3716	3684	csc.exe	91
PID 3684 wrote to memory of 3716	3684	csc.exe	91

C:\Users\Admin\AppData\Local\Temp\cc5933a763eeb7221f5580109125046de6e4f81b89b66705548d086f426fa056.exe
"C:\Users\Admin\AppData\Local\Temp\cc5933a763eeb7221f5580109125046de6e4f81b89b66705548d086f426fa056.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zazcsvwr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES828F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC828E.tmp"
    3⤵
    PID:3716

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjIwMzE2QjYtRkM0My00NkY2LTk0RTktOERGOTM0OEIzNjc4fSIgdXNlcmlkPSJ7Q0IzQzRERUYtNTU0NC00NDI2LUFERDAtMjkwQkIwNTQzNzdFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MUFCMkUzNkQtREUwNS00RkM5LTlDNkMtRDExQjhEOERGRjc3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODU4MjQxMjU3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES828F.tmp

Filesize
1KB

MD5
ab265e1cdd003109a08b3ca03991d24d

SHA1
5a670d5228f9b0f3ec101ee67e7510fdb3ed201a

SHA256
6fda8202711e24ba8ee1e2b09019493c269f844f18d9ce2e6a75a7774cf4afd6

SHA512
e9cfb95229460773add0ca8c0ec7cbc9ef2777559a9a5c00762f27f6ba3271172ee0f914fcd213e1e00e6ba9150881d79f6382ff29073513596a22b60e06b44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zazcsvwr.dll

Filesize
76KB

MD5
f0c76f0f13ebbb75f53925dffd2b8cbb

SHA1
d16f6fba968a236b586321c53902b0f55d86ecb5

SHA256
d84e8b988e948b540263d6aa9fc8b918f106674a432a7c52e0f0204432a00088

SHA512
9579284e41f152daa2e17e67e26f6c5d50b636b82af92805eece7b2abc8c3e7b775c73cd5a1b9dd2147d9f2ee8cadcd2bbb2602fe493b090e1cd041db3f1ba76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC828E.tmp

Filesize
676B

MD5
f4f724349c773eb43599452e048dd519

SHA1
9c053d03a25f4b43e98fc91486c2ecc4ca5dda7e

SHA256
71d75eaed8b3160cddcd6bc1b745d8d219d45b7c7621f1bcc4fd5d07cc05873b

SHA512
73935d6201e081499a9d4115e9d702ec81e26dac536576b3c3c3952de1b5451f26512ac77a21cba5b3c1f546778196e360de60d7496f68a9ddcacac4dad22bc7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zazcsvwr.0.cs

Filesize
208KB

MD5
057d5fe841528625548b9ead2cda0578

SHA1
9f4e900d63200bc2114ba4e205441c2268299d76

SHA256
2893522ca5fde8b8be44713669517794ea3d87de75ee4257ce18b98f2da9bb41

SHA512
7e8a78ca940e3de4977a1e1a55aac4c4f487c9de1735a9c7579bfeedbbd36bc04d101a591534313f967b27cdba30505a0fae1d0dab5b9e5a5139e98dadaa6d45

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zazcsvwr.cmdline

Filesize
349B

MD5
354c7635523ebb5ecac7eb5684c9f11c

SHA1
b334962ac82cd252d36e96717db69de70eab5aad

SHA256
bcd734680d6d60716575798e71c651538982dbb83311eb98fbf6b0876cbc5bb6

SHA512
a6a7bd2583e4c2ed4a7f860a9fdd9dfe29e47305a98ddac3b69c3b217d011207c13746506b316fc777af5c9185cff010b76085bf9ed119e1cc6fe83705b26df2

Download Submit
memory/952-3-0x0000000001440000-0x000000000144E000-memory.dmp

Filesize
56KB

Download
memory/952-1-0x00007FFD45E20000-0x00007FFD467C1000-memory.dmp

Filesize
9.6MB

Download
memory/952-4-0x000000001C410000-0x000000001C8DE000-memory.dmp

Filesize
4.8MB

Download
memory/952-0-0x00007FFD460D5000-0x00007FFD460D6000-memory.dmp

Filesize
4KB

Download
memory/952-27-0x00007FFD45E20000-0x00007FFD467C1000-memory.dmp

Filesize
9.6MB

Download
memory/952-21-0x000000001CF80000-0x000000001CF96000-memory.dmp

Filesize
88KB

Download
memory/952-6-0x000000001C980000-0x000000001CA1C000-memory.dmp

Filesize
624KB

Download
memory/952-5-0x00007FFD45E20000-0x00007FFD467C1000-memory.dmp

Filesize
9.6MB

Download
memory/952-23-0x000000001CA40000-0x000000001CA52000-memory.dmp

Filesize
72KB

Download
memory/952-25-0x00007FFD45E20000-0x00007FFD467C1000-memory.dmp

Filesize
9.6MB

Download
memory/952-2-0x0000000001630000-0x000000000168C000-memory.dmp

Filesize
368KB

Download
memory/952-24-0x0000000001610000-0x0000000001618000-memory.dmp

Filesize
32KB

Download
memory/3684-12-0x00007FFD45E20000-0x00007FFD467C1000-memory.dmp

Filesize
9.6MB

Download
memory/3684-19-0x00007FFD45E20000-0x00007FFD467C1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads