2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b

General

Target

2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe
Size

12KB
MD5

0839abe90f40c7d5b5894494df0b2bad
SHA1

74d620cd9190d865c7fb5c39dd69ac2cfcb32e52
SHA256

2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b
SHA512

6ff671ba807057b6a140aea48f8007313cbca05128376f274846525091abae8bb2b4b3339e8b9b50880ea29d11c5a7cfba4e6dc3844fcb10bccb4e80c59c7202
SSDEEP

384:pL7li/2z0q2DcEQvdQcJKLTp/NK9xabd:Z4MCQ9cbd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe

Deletes itself 1 IoCs

pid	Process
2804	tmp5E5D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2804	tmp5E5D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1720	1072	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	92
PID 1072 wrote to memory of 1720	1072	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	92
PID 1072 wrote to memory of 1720	1072	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	92
PID 1720 wrote to memory of 2848	1720	vbc.exe	94
PID 1720 wrote to memory of 2848	1720	vbc.exe	94
PID 1720 wrote to memory of 2848	1720	vbc.exe	94
PID 1072 wrote to memory of 2804	1072	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	95
PID 1072 wrote to memory of 2804	1072	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	95
PID 1072 wrote to memory of 2804	1072	2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe	95

C:\Users\Admin\AppData\Local\Temp\2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe
"C:\Users\Admin\AppData\Local\Temp\2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2og43jsj\2og43jsj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES606F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC8743F1DCB9441B9673462DC2DC822.TMP"
    3⤵
    PID:2848
- C:\Users\Admin\AppData\Local\Temp\tmp5E5D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5E5D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2b6e9550fc7ff487a373010936375d9c21147d91eb8bbe120d8e9c30e20d936b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2og43jsj\2og43jsj.0.vb

Filesize
2KB

MD5
0a0272f463e1edfa08a6cb20c2868c57

SHA1
0b6a78e086f65d05a59f203ffeae49b1f04eb870

SHA256
51b73e371321c2f70a871b54dd2e97be76cd7005427d9331cd9b43165c55a34f

SHA512
8520d68cdc5b54c913d45eb50a9d646837c435bdb4266b171f5b0bdc9a6da200d96522a01360532026cd00f8070b7d06d21a214d21ed698de73e27e6b4234ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2og43jsj\2og43jsj.cmdline

Filesize
273B

MD5
2072da55281cdf15cb3de178ac7555e1

SHA1
a6193b9a3941ec866e07ac55e3d3fab681add48b

SHA256
ef761076e4a658fd14f08a04987c9537468df2b88866c64a6192cf197c44672a

SHA512
c8429e07756d65be26dc65d3a3317070580ade8f9c6a4938311fd63ced2d6d24d347219c9c64fa7ede857884879df226a03429a5d7d864ae1451e6da66bc87c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
507b7a3423d21c48cf075fe17e385256

SHA1
2fd8e4f388b1f2afe559e9bbb080e52abd946ac5

SHA256
efeccdd0122c3fc4cda7874a20c78e70135f35c476e3531ef746b01a7e722935

SHA512
23cf74478e267d2f975f6586468dc1492e10b51190ad80cb5fe7d7ee0836d77ed3f3a0b363fcd6679f3c829defd6bb6ced0fabbabd9145d55ff9b669efce85fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES606F.tmp

Filesize
1KB

MD5
af9238afa2b8e8c9f65cad35829a5c7a

SHA1
b39a8fea5e455b5d72c17f08e2b9880fab10b045

SHA256
abb587fcc6fad07209f1fc7a08bcc298dd3c4401a505af8bb80c64db01cc05b6

SHA512
2510f786306c5ab6bc7efb3baa687dbe80acd3a46da991861d72306ba57113a35a045a4e41a19117001247e0d62ff1b5050d7dba3f071d496c31b1c8d6a45b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E5D.tmp.exe

Filesize
12KB

MD5
087a1eaed87423c5d98de5803a767783

SHA1
eb81491e188e2e28e940a02b98e7df264bd33776

SHA256
0ad4884bb35d5a179e6d1483af35ba4611625b7680149a909d97e06854f4e214

SHA512
a01b2c772445d4103d6f50b4596cb448878b10bf443c60d9252c1320e160e377172d14cc97c12be1f97122e5899501b2c697e8953107b6e3a7b4c4a057ffae54

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC8743F1DCB9441B9673462DC2DC822.TMP

Filesize
1KB

MD5
e03c61fe48d08755ae18766c79660585

SHA1
b553c26fc1cfc6b1694badf4ad5273f50963901e

SHA256
643ee09888870fa8739ba63497323347ca3408b08f66c0c456d8e91570319ea7

SHA512
79fef5e0f27b00b6d047fd40116dd0296af799f50bb53cf6b6e58284ba7f6703cbded425f0acf27dd4d796ef1a4538113ce273b096dc15feb4b6206e35a33603

Download Submit
memory/1072-7-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/1072-2-0x0000000005570000-0x000000000560C000-memory.dmp

Filesize
624KB

Download
memory/1072-1-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/1072-0-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/1072-26-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/2804-23-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2804-24-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/2804-27-0x0000000005510000-0x0000000005AB4000-memory.dmp

Filesize
5.6MB

Download
memory/2804-28-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/2804-30-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing