6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d

General

Target

6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
Size

78KB
MD5

abc3226e9fd2606a3a3d6568c2a717bf
SHA1

62d6486d7d04639445f90eb9943fa9b0a3e1222e
SHA256

6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d
SHA512

f81bc5d0351603378ef52babdaa51571db6990bdd929cdb388e9c4a53642d6203619ca94f5144c8bda1b9992c18b8cde89de2a0bbd9bc327b4e1894a41d64438
SSDEEP

1536:g5jidy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC689/d1hM:g5j9n7N041QqhgE9/G

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp782.tmp.exe

pid process

1244 tmp782.tmp.exe

pid	process
1244	tmp782.tmp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp782.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp782.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exetmp782.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2364	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
Token: SeDebugPrivilege	1244	tmp782.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exevbc.exe

description	pid	process	target process
PID 2364 wrote to memory of 4844	2364	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	vbc.exe
PID 2364 wrote to memory of 4844	2364	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	vbc.exe
PID 2364 wrote to memory of 4844	2364	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	vbc.exe
PID 4844 wrote to memory of 860	4844	vbc.exe	cvtres.exe
PID 4844 wrote to memory of 860	4844	vbc.exe	cvtres.exe
PID 4844 wrote to memory of 860	4844	vbc.exe	cvtres.exe
PID 2364 wrote to memory of 1244	2364	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	tmp782.tmp.exe
PID 2364 wrote to memory of 1244	2364	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	tmp782.tmp.exe
PID 2364 wrote to memory of 1244	2364	6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe	tmp782.tmp.exe

C:\Users\Admin\AppData\Local\Temp\6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
"C:\Users\Admin\AppData\Local\Temp\6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dcs9vfbd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1165.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFEE200834C5F4CFE868083BEF79D98BC.TMP"
3⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\tmp782.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp782.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6a915f4d83626cf9f7c419dd57451f3c1f123f1eb82fce11b5bd62ab7c5dc94d.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1165.tmp
Filesize
1KB

MD5
bff054f1df6d70dcc9f55288741ef62a

SHA1
98f3b76b4e131acf28c8f72ab1c8174f72e3c344

SHA256
8cc6c56ee4d88053d13e5c872a330a33980ef6c1b20a0350cb6d6720c13b8d9b

SHA512
6dc4db4522df0f7179070a31af6e793999efeac8c36c0ee9cc0df4e6cf75fdd7bf23b1907229014926a66bfb06c65f1a4e45d1df3d34f15883c8b97ee35a4521

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcs9vfbd.0.vb
Filesize
14KB

MD5
100d312405778c1381ac0c1e96f52c5e

SHA1
6d364f370b62eeb6210670099319b3d2a4194ebc

SHA256
b93a6848e0ced40327ee93361f8f72cd2425f245049c70d9c79cd36d2806ed6d

SHA512
b0778f3d4ae22dabc4df305f207f2aa91f3296d66e22fb6ae2c1430b3ba91675d72a1a3ea303184c3d8d4c4c245c33c559c0abfaa7a795023184489ad456ca99

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcs9vfbd.cmdline
Filesize
265B

MD5
bd2ab52d3a63191a48bdf9c055e0418a

SHA1
53c823688ac3fda273478bf6c036208f04ebec11

SHA256
eb1fb776130b25715d24fffa1b28601b3530ede88cada60f6300be1df3fe2e76

SHA512
6c4a60f88f3564696f21e35664d3977dc97e84a5518a9a27f57e8a659deefd999e6348443ebfb2046b4f099f264ac706bc0bc13fd9bd6a9c5aed3af8e699f42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp782.tmp.exe
Filesize
78KB

MD5
f10d89f92f43db0b4d308f534dfd9608

SHA1
dbb0ff549def1a0578c0e2299b63f821101c85b3

SHA256
31c89a3896c9be5b6251acb01340d2365f2151e8ea514b459921c87d306530e3

SHA512
935c382fc7061d15ef0711743d55ae16d16eb49f032ab22cc3b149d46609e43c65f959a8327eaf8adaaff9c5748c7ad66079ec7a5d611be186f1e065e84be277

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp782.tmp.exe
Filesize
78KB

MD5
f10d89f92f43db0b4d308f534dfd9608

SHA1
dbb0ff549def1a0578c0e2299b63f821101c85b3

SHA256
31c89a3896c9be5b6251acb01340d2365f2151e8ea514b459921c87d306530e3

SHA512
935c382fc7061d15ef0711743d55ae16d16eb49f032ab22cc3b149d46609e43c65f959a8327eaf8adaaff9c5748c7ad66079ec7a5d611be186f1e065e84be277

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFEE200834C5F4CFE868083BEF79D98BC.TMP
Filesize
660B

MD5
e4cddf16c86c4d0fa4a67026fb5cbcb7

SHA1
247db333454e7e39c7bd3d0e37e88e02c6026993

SHA256
8de400630ececec89eac0be668fe45bbbf3b0136b5de40e73770bacbb812b583

SHA512
56d33534daa93b82acdd1ee2d617e3461703de9ddf26c92a321aecdaf3add16111a6bbe34e8881f71003e1386140e357d1d0855a600f3d7ee59c1e667f8c14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/860-137-0x0000000000000000-mapping.dmp

Download
memory/1244-141-0x0000000000000000-mapping.dmp

Download
memory/1244-143-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1244-145-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2364-132-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2364-144-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4844-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads