bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950

General

Target

bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe
Size

78KB
MD5

4d9704de5b101cb7cb88871e0999c910
SHA1

7b0ae9dc38e3c2318e5fd1bff3c065d9bdd4a204
SHA256

bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950
SHA512

b320f18296d7794fda9f8d0d4bb2e849e0a8d1887a70a216ef8dc0fe83151e154e3aca0228500142b46e3a9170b702e05b0396fde5e5c8c7941c9c1ab3659a4b
SSDEEP

1536:XsHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtg9/q1zi:XsHY53Ln7N041Qqhgg9/t

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2280	tmpC13D.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe
2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpC13D.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC13D.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe
Token: SeDebugPrivilege	2280	tmpC13D.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 740	2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe	30
PID 2736 wrote to memory of 740	2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe	30
PID 2736 wrote to memory of 740	2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe	30
PID 2736 wrote to memory of 740	2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe	30
PID 740 wrote to memory of 2924	740	vbc.exe	32
PID 740 wrote to memory of 2924	740	vbc.exe	32
PID 740 wrote to memory of 2924	740	vbc.exe	32
PID 740 wrote to memory of 2924	740	vbc.exe	32
PID 2736 wrote to memory of 2280	2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe	33
PID 2736 wrote to memory of 2280	2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe	33
PID 2736 wrote to memory of 2280	2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe	33
PID 2736 wrote to memory of 2280	2736	bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe	33

C:\Users\Admin\AppData\Local\Temp\bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe
"C:\Users\Admin\AppData\Local\Temp\bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-6oe_tih.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC488.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC487.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- C:\Users\Admin\AppData\Local\Temp\tmpC13D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC13D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bb69be9d8cbaf2ce72a3bc185ea5e8c4a8e4ceb5461814ca57a9ce33cd2ee950N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-6oe_tih.0.vb

Filesize
15KB

MD5
bf6ef3977f263f4587a2bbc02433559c

SHA1
6f7759117d814000c9c7d42c4cf2f1eaefd1649a

SHA256
0db9e8dd1f329bb0813c5d40745e6cf067f7cf0f86f2cb16a758cd707b476ca5

SHA512
d2b6b4e5e462b9505c7ee60971cda688f41fc2851e04e75d826221ffb7e6313fad15b631e7719fb8a24073d465674ea58c5e79296ebe062e7a2586e2687caa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\-6oe_tih.cmdline

Filesize
266B

MD5
c453a73b9d604289f351aeac293eae4e

SHA1
e2f9fb1953a7aaf9928aaa040ae889058f8cc4ec

SHA256
7ed9627042647dc7f5754001dfaa02f17841795e6e0b43a42455aa96ad8d16d8

SHA512
eb929637d536cf127cac6a5b1190731b76961154b451d32988b19b6b6ac42b2ae90ed014fec291999f245914d060830533169e84803736efb4e3d189968d889b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC488.tmp

Filesize
1KB

MD5
9e23842f3cb7039f12c002e355fe537b

SHA1
5279d05cbdf7c3b435facd49c99c156f7435cfbd

SHA256
4b4ed640848b514c33cdaaaa23bd9fa1697b097ba301b920fc095c809bba89be

SHA512
32f484a75a297d6e8b47802dbd4f47a5dcab47d74790c8432e327754b43f2200927d1c23b30003951a0881685235eb056071149d0062020d8dd6bdd9ac71ee3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC13D.tmp.exe

Filesize
78KB

MD5
354abf9914dc05921dca1bd0f5c58fc2

SHA1
45f1ddad46d5331f1ac1e584eebb2df74fa8d6ac

SHA256
9317e5dd0c674b0aa1b531520f006d3dfe06331e11c28ade17d817819ceb25ff

SHA512
e71012d65f1f6c6d9bf2459cc97dc7290bada8cecbaca14e3d3930c193a5970d9eb5ad2d5fd2fb6f58fdec09392b91c7f255778065ca5396e063bd77225586bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC487.tmp

Filesize
660B

MD5
0699e897dc97149a8f2b5a26ae5c8d5a

SHA1
99489a161263c37e4ce3496645f5996aec8b3160

SHA256
e7c28652dfcfa5b77c75ea71590f851421ac9771f58ca98b532b97d49397d56c

SHA512
51f644e92f0f171f0eb8a14c929cc890afeebb71f190f6bed7bff602c6c35ff68feb05201b9964f388f00c16ba8872de749a81945e0f8511d8036d2ed28877f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/740-8-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/740-18-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/2736-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2736-24-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads