f32260a5c8b9385706c71753532e33e94f7cef1dfd8e536e6d2b26d23bc86b43

General

Target

f614a75662524ee632c20a41df3b3850_JC.exe
Size

12KB
MD5

f614a75662524ee632c20a41df3b3850
SHA1

21352e30cae283f3ef46e98927a91966ce9c1e12
SHA256

f32260a5c8b9385706c71753532e33e94f7cef1dfd8e536e6d2b26d23bc86b43
SHA512

e82ee827e21f79774ab1a8e46011b181b969a81a450effb294ce774eb0f42eefe1f73dd1846aa951556f3c2839603afc2ee61af74071371ad898ea4f5540e5ba
SSDEEP

384:OL7li/2z1q2DcEQvdhcJKLTp/NK9xaGf:YFM/Q9cGf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	f614a75662524ee632c20a41df3b3850_JC.exe

Deletes itself 1 IoCs

pid	Process
540	tmpC276.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
540	tmpC276.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	f614a75662524ee632c20a41df3b3850_JC.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4028	5040	f614a75662524ee632c20a41df3b3850_JC.exe	84
PID 5040 wrote to memory of 4028	5040	f614a75662524ee632c20a41df3b3850_JC.exe	84
PID 5040 wrote to memory of 4028	5040	f614a75662524ee632c20a41df3b3850_JC.exe	84
PID 4028 wrote to memory of 3308	4028	vbc.exe	86
PID 4028 wrote to memory of 3308	4028	vbc.exe	86
PID 4028 wrote to memory of 3308	4028	vbc.exe	86
PID 5040 wrote to memory of 540	5040	f614a75662524ee632c20a41df3b3850_JC.exe	88
PID 5040 wrote to memory of 540	5040	f614a75662524ee632c20a41df3b3850_JC.exe	88
PID 5040 wrote to memory of 540	5040	f614a75662524ee632c20a41df3b3850_JC.exe	88

C:\Users\Admin\AppData\Local\Temp\f614a75662524ee632c20a41df3b3850_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f614a75662524ee632c20a41df3b3850_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rbq12ioa\rbq12ioa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC60F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBAD41E96F54B46DAA99EC486C5A64998.TMP"
    3⤵
    PID:3308
- C:\Users\Admin\AppData\Local\Temp\tmpC276.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC276.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f614a75662524ee632c20a41df3b3850_JC.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0a55208ef24bf72b914417998353b664

SHA1
4531420c8d677ba0194783f253f202945a619f7c

SHA256
51725868ac8149d496a9590423bec8f83f3f92d48a91c453dea5be05fce2ebc2

SHA512
af5a4118552db4a882433f20f9a8c34a24696a0d0b29c0c3890732a551f6a30a08749b150b56cc64ee73304bda7168ed91e1a54a9353bee5c00eddda95ee069c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC60F.tmp

Filesize
1KB

MD5
685e466ebd349604911c3ec317b5a56a

SHA1
a068b185dbd423aee7e5b205970b126eea328135

SHA256
fd30b9dacc8838a5bb02844149892579245a2d4ebbabf83875cfb996199c72a8

SHA512
d0b32d9d997dbeaa12ec0e6db5d7ff14cebb5a75a65b115f3f2d72ae559805ad3147a563d03b374bf26c2ac3fc531d6c34b8c4f22880002f020c69388f0128b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbq12ioa\rbq12ioa.0.vb

Filesize
2KB

MD5
deedb6124ed64f947f0cb22af235bf2f

SHA1
45607a3f1db26ad2837e5066f63451e9b6cca2cb

SHA256
706d8e8e3ebe0f0bebdd5025872c5337489883c0d7e12ed61628e94962af7c2c

SHA512
32bc68ce790ccd52ee6e0d23a5889b0841a8586d84884e4b854d440e9bd9e185550637e7ba68a478325a1653595148edf80a31ed7b49f20f4924020081ec27c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbq12ioa\rbq12ioa.cmdline

Filesize
273B

MD5
7d78693061c94c6543bb741816b73aad

SHA1
a6fa8b560b2cb289e13fbc2bf31e761494fde234

SHA256
83189d7a348195e6931dd07f593684db790160e860fbac4fd2192aa2f57f279a

SHA512
1281758cf81f0fed844d596b7f694525fb8e90f23ef93168dcea8248fe5b1d42a0ff1b85cb03b0bc028e5663bc859e21dfa51507e735605a7cf6c686228020bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC276.tmp.exe

Filesize
12KB

MD5
4b83792f6391a4c5338bd3cb79ee2546

SHA1
07df83f8a5159884e38ddc153209f03688bffd6a

SHA256
362b60936ed54dab7ac3248270c9c89bd91f0789918dd280a2b7a6cefc82ba18

SHA512
93f39b174af0f1aebf8f7b6f5a4cca95b0f34123b1e8a114ea3b1cc89223e383184f8f28957f3d8ee0e89688699df07a701a0c7a148f4f9eaa0874d495a43356

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC276.tmp.exe

Filesize
12KB

MD5
4b83792f6391a4c5338bd3cb79ee2546

SHA1
07df83f8a5159884e38ddc153209f03688bffd6a

SHA256
362b60936ed54dab7ac3248270c9c89bd91f0789918dd280a2b7a6cefc82ba18

SHA512
93f39b174af0f1aebf8f7b6f5a4cca95b0f34123b1e8a114ea3b1cc89223e383184f8f28957f3d8ee0e89688699df07a701a0c7a148f4f9eaa0874d495a43356

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBAD41E96F54B46DAA99EC486C5A64998.TMP

Filesize
1KB

MD5
0467ef730914a81a3818722895fe632c

SHA1
f4c108720aa667d9ff0c08edae842dd9c3aca292

SHA256
ecc2432ba6c85a3e4c797597760842324668020b89cdd5029244a6024a402ef0

SHA512
6f7d06e12f5fe96954f109f46ff4de2296287f4cf38905cd00455d9948ce8473b3213a7709d834004494b0e321ca6045cb03542f3f0bdd678c58eeeac6d1bfff

Download Submit
memory/540-25-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/540-27-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/540-28-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/540-29-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/540-31-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/5040-6-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/5040-3-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/5040-2-0x0000000004E20000-0x0000000004EBC000-memory.dmp

Filesize
624KB

Download
memory/5040-1-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/5040-0-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/5040-26-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing