395fb8930edd7a8fe7d26546d4a6ec6a1b04dc80832751f48e834af97a00bf6f

General

Target

7f743bf03266282eddbe781afd0e49b0.exe
Size

78KB
MD5

7f743bf03266282eddbe781afd0e49b0
SHA1

b875eb4fdde070effa1d6c548690cbf88e11b0df
SHA256

395fb8930edd7a8fe7d26546d4a6ec6a1b04dc80832751f48e834af97a00bf6f
SHA512

3b4f252d6f229e30b68bb2735c3ac57956b7417aba0ac235358ab6e17764f7637ff6825bda126128b1d380b33df34784036d932fb355ea2740e467695f6c570b
SSDEEP

1536:+5tdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC679/I112e:+54n7N041Qqhgz9/Ih

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7f743bf03266282eddbe781afd0e49b0.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	tmpB26.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpB26.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	7f743bf03266282eddbe781afd0e49b0.exe
Token: SeDebugPrivilege	2596	tmpB26.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1320	2012	7f743bf03266282eddbe781afd0e49b0.exe	83
PID 2012 wrote to memory of 1320	2012	7f743bf03266282eddbe781afd0e49b0.exe	83
PID 2012 wrote to memory of 1320	2012	7f743bf03266282eddbe781afd0e49b0.exe	83
PID 1320 wrote to memory of 4836	1320	vbc.exe	85
PID 1320 wrote to memory of 4836	1320	vbc.exe	85
PID 1320 wrote to memory of 4836	1320	vbc.exe	85
PID 2012 wrote to memory of 2596	2012	7f743bf03266282eddbe781afd0e49b0.exe	86
PID 2012 wrote to memory of 2596	2012	7f743bf03266282eddbe781afd0e49b0.exe	86
PID 2012 wrote to memory of 2596	2012	7f743bf03266282eddbe781afd0e49b0.exe	86

C:\Users\Admin\AppData\Local\Temp\7f743bf03266282eddbe781afd0e49b0.exe
"C:\Users\Admin\AppData\Local\Temp\7f743bf03266282eddbe781afd0e49b0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vmihzwkt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1CEC2480B1614999A9FBD4E32DB81B.TMP"
    3⤵
    PID:4836
- C:\Users\Admin\AppData\Local\Temp\tmpB26.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB26.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7f743bf03266282eddbe781afd0e49b0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE24.tmp

Filesize
1KB

MD5
d20a30f1434d17928e80e3ba94d1601d

SHA1
486809560d970585ae7d180052bacead0f4299c6

SHA256
ebca9fa4bcba1d9c1d671760b8c2cbedac47dc5b0eab775fe5482851d9bc1a7b

SHA512
0b6b2ea560a1a4d61ebbe3ccb45b902c4a894a54fb70a05d5be0d0556c0bdcacdce7b347ca8b71def2e9e6d6ad66302f424d7b5fad4818bb9b5bf564fdfad966

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB26.tmp.exe

Filesize
78KB

MD5
447b639622bb01cbcd3c8486f9479f19

SHA1
26eb8b1ede23b8aa2a6e7691fd651bb84e9f3469

SHA256
1de8e6e9a195ffe097e2bd217587399767a4242d5194cbde5869fd9afbbbb972

SHA512
8c294ab73c828062e2d42733aa3be938b97538d2707a301f9e7e9b1b9348fecad0f3caf3ff381578ac0bd5f8e2472b76d96fd23ec5231077a86841215f22759d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1CEC2480B1614999A9FBD4E32DB81B.TMP

Filesize
660B

MD5
9d80e92c4001247354e8ae5c0ead22c5

SHA1
68163865a5e279639c9674c5a3b8ebcaa2073c5c

SHA256
9aa59aa43d668eed4222ab481d55238a5bf60591234df5b56145dc23628bf658

SHA512
9c25a7d56b8408348c08ac66211f9ff263412cf8253e3e0744a3ac54bc731ee7b372c4f07155da2e1e343cae2b341ffcd269662d4b5610dd341b64db30c5fd73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmihzwkt.0.vb

Filesize
14KB

MD5
37c42cde32272d3e5a5d0265bcf9ad91

SHA1
de30f619f4352748408eab8fea59232f08909df2

SHA256
0be9e829fdf8a95397c7a09e8e5e58491d429a415cfdc470ad94f1996f2bf3e2

SHA512
76ca62c36d85b446d097fb26f991aede8020244a34685785a2128fa5b02790c75cf7ef7608fa343d7c2382eee8da711ef29261d252e388e7fa91422b8342bf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmihzwkt.cmdline

Filesize
265B

MD5
4c009b779d526e2b1098aa8b957d54e3

SHA1
9734342b78577edaec8dbafb07ab7845bf1c6e6a

SHA256
584b7ecfcde0229dbb77f43e8ccb77cdecde64c769d120d95743d3ea1eae6bed

SHA512
e2b64ad697428710506029d0fcac4c30d454e9ba5047e1890480027cff7cda44779dc3cd1b4bf931b50084ad3ed86c88e137f2869ae1f76f7894fb659079f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2012-0-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2012-2-0x00000000012A0000-0x00000000012B0000-memory.dmp

Filesize
64KB

Download
memory/2012-1-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2012-20-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-21-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-22-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-23-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/2596-25-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/2596-26-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-27-0x0000000074CF0000-0x00000000752A1000-memory.dmp

Filesize
5.7MB

Download
memory/2596-28-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/2596-29-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads