2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaa

General

Target

2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe
Size

78KB
MD5

789b3230377c8245eaa85d5519e7bb80
SHA1

95ba6ec298375f57eac684686ba70de90dff4a79
SHA256

2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaa
SHA512

c4642979039d054e7c0b3c9b4bf41144452c13df2edbc74e368588e17d47609d3e44b209119fb83aa1058b3913ffa2c36c22b4b409ec6f518b1146f862937bb7
SSDEEP

1536:MV5MXT0XRhyRjVf3hTzdEzcEGvCZ1Hc5RPuoYciQtx6tr9/Aw1b8:MV50SyRxvhTzXPvCbW2UO9/y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2836	tmpA8BD.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe
2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\""	tmpA8BD.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA8BD.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe
Token: SeDebugPrivilege	2836	tmpA8BD.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2784	2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe	30
PID 2652 wrote to memory of 2784	2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe	30
PID 2652 wrote to memory of 2784	2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe	30
PID 2652 wrote to memory of 2784	2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe	30
PID 2784 wrote to memory of 2884	2784	vbc.exe	32
PID 2784 wrote to memory of 2884	2784	vbc.exe	32
PID 2784 wrote to memory of 2884	2784	vbc.exe	32
PID 2784 wrote to memory of 2884	2784	vbc.exe	32
PID 2652 wrote to memory of 2836	2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe	33
PID 2652 wrote to memory of 2836	2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe	33
PID 2652 wrote to memory of 2836	2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe	33
PID 2652 wrote to memory of 2836	2652	2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe	33

C:\Users\Admin\AppData\Local\Temp\2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe
"C:\Users\Admin\AppData\Local\Temp\2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-duvegg3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA92C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA92B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2eabf47418e9e5f324a1a4642bec1d7c3ce7db46745baba5db44953c5499dfaaN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-duvegg3.0.vb

Filesize
14KB

MD5
6efb6f32b07a9066d24d39101368fdc1

SHA1
dba2d6f735506eae38e98334f605972474dd65c4

SHA256
b86fcf7a023274aecf0c1921608d92c3e84540ba05cdb0ccfd44acf0d4ca83be

SHA512
fd92d09bf36a4af11022999f5b83e605b39e4363f48c08ba12a377160b7710f69c26275966b2216772f8d633fa94ba8ff9a01addbd6d5c7c96b89704f8a7d0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\-duvegg3.cmdline

Filesize
266B

MD5
db3b34f609d4a9d09ded08f72432ed0d

SHA1
7b14e34cd769d1c9267c56a8b08287352adbf701

SHA256
7f8254106f6e7e35d9824a8d3b82969d1cbcbdca4bb98d3fce8b29936742614a

SHA512
5ac12f454d5234be0ec3086cab87d31de780a9fc658a9201e6faf653bc0d0e2973f5abc0a949b885a118427bcc58349c279c77515486e2d4474d406762c59ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA92C.tmp

Filesize
1KB

MD5
4cf0890f0ebb9b8cbcb0c01a4d45e4eb

SHA1
50488a6978c9986ca576e5c71cf4c44b57f6a0b6

SHA256
2cca39e9dacd66ad810fdd34e1e57b392f82b9630911aebea6c650045e93ef35

SHA512
01b351806402f027f8ef2dc4e213a7a5761fe6a90cf37201d7fc11caf5fab0544b43a3d2cbe667aa435e5eb9125cd3c4cc5f93fc2ed155584b261b1f463b9f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA8BD.tmp.exe

Filesize
78KB

MD5
704ebb6a1e57f9948657e32974e52eba

SHA1
b77254a36685247e876446660ef7a69f2773f33f

SHA256
691c2d339489ffaa5066f2274f63987d533204ff0a5f2e919652770be6b8179b

SHA512
650e273fed59a64d616c439d8092dde7caab8ecd238cf0d8e0fcf8b58166164b47f65751b090a35c7ccdff74b2fc284933576d9832eaf821294af87998269c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA92B.tmp

Filesize
660B

MD5
c9db4abd74b373179a87a09ebdc438d1

SHA1
d04dcdd2c8578cd700a4af430abd8556fd31bd7e

SHA256
cd5093ccf2f5e5d4dd00efd9950daf4d03c2d665760d68bfbfd8cbc569cb709b

SHA512
10527b87c6065a4d24bd4ad445a23a35ea660498deaf6fbd49ddc06c87bf654bd5511f11a2cbeafdd18a89c2344fc7f056ca94155843e5dd26723e0fc734ba89

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8fd8e054ba10661e530e54511658ac20

SHA1
72911622012ddf68f95c1e1424894ecb4442e6fd

SHA256
822d92b6f2bd74ba785aa1555b5963c9d7736be1a41241927343dff1caf538d7

SHA512
c14d729a30b055df18cfac5258c30574ca93bd05fb9a86b4be47ed041c7a4ceefa636bf1c2dd0ccd4c922eda785ce80127374fb70f965c1cf7cd323da5c1b24c

Download Submit
memory/2652-0-0x0000000074931000-0x0000000074932000-memory.dmp

Filesize
4KB

Download
memory/2652-1-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2652-24-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2652-2-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2784-18-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download
memory/2784-9-0x0000000074930000-0x0000000074EDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads