510755ba53298b28033e7d27f2d06992552b40119f0552c80cab31be7d24890d

General

Target

66e48043907ecba24d751435d6cda970_JC.exe
Size

12KB
MD5

66e48043907ecba24d751435d6cda970
SHA1

14eed3aa0187f87e80701fa257cac48f8ac51796
SHA256

510755ba53298b28033e7d27f2d06992552b40119f0552c80cab31be7d24890d
SHA512

6691304fbfaf825bda69e00586dbdde347cda292f3b7053b9c6115c25599a0382b81de89a1ca43a5ba7b3bceac21f3fa5a795cb589cfe4a8435310734dbd399d
SSDEEP

384:UL7li/2zWq2DcEQvdhcJKLTp/NK9xaPp:C2M/Q9cPp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	66e48043907ecba24d751435d6cda970_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
1680	tmpB2D6.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	66e48043907ecba24d751435d6cda970_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4212	4592	66e48043907ecba24d751435d6cda970_JC.exe	88
PID 4592 wrote to memory of 4212	4592	66e48043907ecba24d751435d6cda970_JC.exe	88
PID 4592 wrote to memory of 4212	4592	66e48043907ecba24d751435d6cda970_JC.exe	88
PID 4212 wrote to memory of 3808	4212	vbc.exe	92
PID 4212 wrote to memory of 3808	4212	vbc.exe	92
PID 4212 wrote to memory of 3808	4212	vbc.exe	92
PID 4592 wrote to memory of 1680	4592	66e48043907ecba24d751435d6cda970_JC.exe	94
PID 4592 wrote to memory of 1680	4592	66e48043907ecba24d751435d6cda970_JC.exe	94
PID 4592 wrote to memory of 1680	4592	66e48043907ecba24d751435d6cda970_JC.exe	94

C:\Users\Admin\AppData\Local\Temp\66e48043907ecba24d751435d6cda970_JC.exe
"C:\Users\Admin\AppData\Local\Temp\66e48043907ecba24d751435d6cda970_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5pl2c4xe\5pl2c4xe.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB508.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE93C6D2E4139489B931734722483E8CA.TMP"
    3⤵
    PID:3808
- C:\Users\Admin\AppData\Local\Temp\tmpB2D6.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB2D6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\66e48043907ecba24d751435d6cda970_JC.exe
  2⤵
  - Executes dropped EXE
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5pl2c4xe\5pl2c4xe.0.vb

Filesize
2KB

MD5
651b97417fd5b0f3a6e8409d5c708e73

SHA1
6816b139cb41cb0982e3d451ff15f87189b6a40b

SHA256
675fa94834708fc8b42bb57e403e991742294f10cc4d11d73d63a8f8c0c1e5c5

SHA512
547014f584e2303892938ab6c653dee2f514d92b33f4337adc3da77113ac3368c8ebe7d417e01b8dca91063c4043527b229220abb3b29cd8ff97581d1d5faeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5pl2c4xe\5pl2c4xe.cmdline

Filesize
273B

MD5
f9a9d368cef6a065790cf4e4ab3bb86a

SHA1
ffbc3db316b165d0782c7960dc516b4144dcdd2a

SHA256
1703ba7798ce30db26c927a702bfc51d6a98bffb6800b17bf8cc8e5b1919d23f

SHA512
e9f3997d6c975eb1dc23076957a1170fb15848269718a0467bf6f1009a87564e20f5dcd82308edaee9dd15fcaa8bbbc54c43389db76c5b1b6fe272a8f52c681a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b33ccabc633bbf3ca0cbaef4a5898891

SHA1
ae0a39533b5e4c368fbdbd2f20b4fc2e1137f179

SHA256
8bb1d475df6835304eae63362fd93a7db0f8c7d39df6999738df0c07ba5c1802

SHA512
d3f99637b16bf5b268de9c7565d557998c7528186afb4ecb1e54a163d10ca31b435d6351aac15f8b41ac3a62e779fda44298076115014aae286290297cd19c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB508.tmp

Filesize
1KB

MD5
82c5c7b43d7442650730dd3b2e1d9e8a

SHA1
b753108d7838362ca5c2b7153823b7c7c634819c

SHA256
07b71c2cef68eb0924e27f72a03a9da5af42e11dbdd0b9fa0d653efc09a7422d

SHA512
24cbadde00630e5c8e169a14b1e759e0a34a1dfa7c9dd68a6ac7d55a266854e8734273c99169b78a1bf36380d6ec42808dbdb6a9c921f9fbafe40f4adce9e1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB2D6.tmp.exe

Filesize
12KB

MD5
0d6997744229646ecdded72d67882206

SHA1
7099e4e0a9278c3ff0c239c3a714f1cd07a9bed2

SHA256
ef8d3a38179a9a2384c67cd71bfada1bfe8a0ea17a1e8cf12607308aa3911374

SHA512
dca912adb7c7b931ed57c7558b965a5b9af3750f7684860427626aec0152c41ae20341fcf689ae95219aee95ce4f5d1665d83b2451f8683355e89542823cbfb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB2D6.tmp.exe

Filesize
12KB

MD5
0d6997744229646ecdded72d67882206

SHA1
7099e4e0a9278c3ff0c239c3a714f1cd07a9bed2

SHA256
ef8d3a38179a9a2384c67cd71bfada1bfe8a0ea17a1e8cf12607308aa3911374

SHA512
dca912adb7c7b931ed57c7558b965a5b9af3750f7684860427626aec0152c41ae20341fcf689ae95219aee95ce4f5d1665d83b2451f8683355e89542823cbfb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE93C6D2E4139489B931734722483E8CA.TMP

Filesize
1KB

MD5
0f57d54d9336b83f71da8c1e15de464d

SHA1
53e5425298491640c5827868245ef21ce959a441

SHA256
029163425a248ae9b950cd639ef9c891f09bb9ba496a4e5691e48444e25e4569

SHA512
9c5a21bac830a8ed504b3af8f467cabe5f7f40d39a715885195fe33e56414b42037a8a5fea8cc9186630b38b0032e1fff0717de693f951ad2d11c1af94cbefeb

Download Submit
memory/1680-25-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/1680-26-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download
memory/1680-27-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/1680-28-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/1680-29-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/1680-31-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4592-5-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/4592-0-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4592-1-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/4592-2-0x0000000005160000-0x00000000051FC000-memory.dmp

Filesize
624KB

Download
memory/4592-24-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing