cef0620d142766b03cb7735a3b327ff6e63eeba7f5006165eb8af23044e64a9c

General

Target

55e6db225a3e2029b912d254e0f914f1.exe
Size

78KB
MD5

55e6db225a3e2029b912d254e0f914f1
SHA1

0e788e1ce1f2434271aa3a7d5a4296d572fdd626
SHA256

cef0620d142766b03cb7735a3b327ff6e63eeba7f5006165eb8af23044e64a9c
SHA512

8f1c6f36ca13a2a84f09110797268e4fb2784e1e8085bbfb010004fbd5933065081e1c7e2f7da749fb7beaf47b785ba8b234a91072c19d21b960ba05299324f6
SSDEEP

1536:SPy5pXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtC67j9/Lu11a:SPy5ZSyRxvY3md+dWWZyjj9/L/

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	55e6db225a3e2029b912d254e0f914f1.exe

Executes dropped EXE 1 IoCs

pid	Process
4512	tmp4DE1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""	tmp4DE1.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	55e6db225a3e2029b912d254e0f914f1.exe
Token: SeDebugPrivilege	4512	tmp4DE1.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2944	816	55e6db225a3e2029b912d254e0f914f1.exe	93
PID 816 wrote to memory of 2944	816	55e6db225a3e2029b912d254e0f914f1.exe	93
PID 816 wrote to memory of 2944	816	55e6db225a3e2029b912d254e0f914f1.exe	93
PID 2944 wrote to memory of 5028	2944	vbc.exe	91
PID 2944 wrote to memory of 5028	2944	vbc.exe	91
PID 2944 wrote to memory of 5028	2944	vbc.exe	91
PID 816 wrote to memory of 4512	816	55e6db225a3e2029b912d254e0f914f1.exe	90
PID 816 wrote to memory of 4512	816	55e6db225a3e2029b912d254e0f914f1.exe	90
PID 816 wrote to memory of 4512	816	55e6db225a3e2029b912d254e0f914f1.exe	90

C:\Users\Admin\AppData\Local\Temp\55e6db225a3e2029b912d254e0f914f1.exe
"C:\Users\Admin\AppData\Local\Temp\55e6db225a3e2029b912d254e0f914f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\tmp4DE1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4DE1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\55e6db225a3e2029b912d254e0f914f1.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wy-oksjd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E6E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2A04D5CE96044C09BCFD198B53C65E.TMP"
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wy-oksjd.0.vb

Filesize
14KB

MD5
7f63d25537f83c0e02190e3c14495a8e

SHA1
0c6ddfb6767623bdf9dc2239784c403eb3eefd44

SHA256
1eac0d313df0af461909f78c5aaa9f40e28bb82f46282a52dec66141d5ac1b54

SHA512
669091a818e8978dd1a98a679ea2c4fc9e7a46bf3ae91ee23b1d2545af8e524785292af4b5afcf9a1cb20d4b4d74726af150b96532d77a5794200e115bb62f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\wy-oksjd.cmdline

Filesize
266B

MD5
131e9074fae07411bf98676c77def8af

SHA1
08f98d724ccedecba1a969dcabe1c54c9abdf174

SHA256
869625adebfff2648623028a6c2e582f4f23b4c7fa0b990ccff2410bfe05b1f7

SHA512
90a67ad26c4a7da99cc21cafd3434a6727a3658c9aea1cfa0557978165b7d6e243589f8c7c916c8857e074e63fb338253975fa232f426008fdd2e65a24e7ff3d

Download Submit
memory/816-2-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/816-0-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/816-1-0x0000000001930000-0x0000000001940000-memory.dmp

Filesize
64KB

Download
memory/816-21-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/2944-8-0x00000000025E0000-0x00000000025F0000-memory.dmp

Filesize
64KB

Download
memory/4512-22-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-23-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-25-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/4512-27-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/4512-26-0x0000000074920000-0x0000000074ED1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-28-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads