93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3

General

Target

93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe
Size

12KB
MD5

835dd4a0f7c36f148e6736905de16eff
SHA1

6345c0f8d3306e96e0fbc74a9fbe438abb8e2420
SHA256

93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3
SHA512

61d7f02b7fca63c6ce2609ca2dcbf5bd4ea502ffe9135da11ea4a4376581436ac7909dc928f8ef849692efdd9c0705c1f7ac38a85f64e54419f7328d24c62bbf
SSDEEP

384:bL7li/2zDq2DcEQvdhcJKLTp/NK9xaRuc/:PHM/Q9cZ/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe

Deletes itself 1 IoCs

pid	Process
3920	tmp4BEA.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3920	tmp4BEA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3380	93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 1104	3380	93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe	100
PID 3380 wrote to memory of 1104	3380	93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe	100
PID 3380 wrote to memory of 1104	3380	93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe	100
PID 1104 wrote to memory of 2152	1104	vbc.exe	102
PID 1104 wrote to memory of 2152	1104	vbc.exe	102
PID 1104 wrote to memory of 2152	1104	vbc.exe	102
PID 3380 wrote to memory of 3920	3380	93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe	103
PID 3380 wrote to memory of 3920	3380	93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe	103
PID 3380 wrote to memory of 3920	3380	93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe	103

C:\Users\Admin\AppData\Local\Temp\93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe
"C:\Users\Admin\AppData\Local\Temp\93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4leivme4\4leivme4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E38.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc122ECB7B3EC44E84BC159CD9C617C230.TMP"
    3⤵
    PID:2152
- C:\Users\Admin\AppData\Local\Temp\tmp4BEA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4BEA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\93c1fc1e22baa39160d67bbb5b2cf4205757ae651b96ec59193c9070fe0411a3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4796 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4leivme4\4leivme4.0.vb

Filesize
2KB

MD5
0d1d6fac6de7dbc18f17afc938cd1fa4

SHA1
2ae43f22236768008876228294c18552b8cfe182

SHA256
00fbfffdcc639b09a10c5e3be067e23213513d64e9d366b64b4586840a102b22

SHA512
9ff777253caa1e804c89d866f7b496044b30ec2f68c1cc9bb8d03537936e390a91ca29bcce9f4bd0338c6cea07938d352c8cf932f864da05d212e14fedacafdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4leivme4\4leivme4.cmdline

Filesize
273B

MD5
06b12bb4107080fe206ac4add82f1474

SHA1
f02200844c909a5818defa9bafe69d1d35c52188

SHA256
bc39e82efd81aac49ef478661f2593f6b0e9ca5277a72eae9470b974dbd917e0

SHA512
86c75769c3c803eeac6ac06753e9529c8f72172b5b5050d59f28cd95285b9c3f5567aaae0d0161369ab251c0916bd04c79c57a9e5f7dccb5c9362f12e9ace891

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a1527c67f9483e90a3e12f80f8147fb4

SHA1
cda9b38d937bfc7a761c6fec11141511a4d4d175

SHA256
0e537e1f1179455803cfc4b22f3626167aa7dcb115e7b8cf94855d03f6ea348f

SHA512
db57795c9085218ee0ddf63f12ab071509724a19a296c9cff17a12f0a1d45148e8c6dbd1686369e529a72916b5fb410d74dd14bbad36f3812c1d72102968556d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5E38.tmp

Filesize
1KB

MD5
1e514ce1cfe241f5d6da629143143baf

SHA1
940de30dfd082d36e1fcebf825169f66f50a40cc

SHA256
3483fc81dee722e5eab18fd227fd13d1327dd3cb4249de84178ffe4408251018

SHA512
6707a7587ba0c234e2e5f71f27c17f9a8808b564ab633813c2bbbc3aeffa1ab07dd3d1e921278732503768d007dfd7297a9116a2b996c5086208a2c75f762837

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BEA.tmp.exe

Filesize
12KB

MD5
e1df4c7b4ddcb3062ae15bfe4f178cdf

SHA1
04670c5358c276ef66a32398b466246d57518048

SHA256
ca091f80d6e73eb87fb9c964550b8d300c19c19c7ddb535c3b171ec02cf17603

SHA512
d3988ce18093d0c93edf3ede5c0ff1d2629cd79affaf5335bddb191c5af1e89cdd4564c74c4ec60d84f82652c141fb7e9010bef76f0996911a6345d1c9a15617

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc122ECB7B3EC44E84BC159CD9C617C230.TMP

Filesize
1KB

MD5
2adc1a6b1433db6fac0b1e9f06f0148e

SHA1
f87de4d700dc4c2b65ab531edb1530677e749b20

SHA256
eaec765df20376169e9911c9d1a9ac546f0912d147e2fb38326f33f624940c09

SHA512
39bf09def3a382107fe059f6133ddc8f06907ca2010698585535e6c8542b900320b92eecad43797f100af36f221605b1312997ec75720312cdc64ce46dc777e7

Download Submit
memory/3380-5-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/3380-2-0x0000000004E20000-0x0000000004EBC000-memory.dmp

Filesize
624KB

Download
memory/3380-1-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/3380-0-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3380-26-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3920-23-0x00000000009A0000-0x00000000009AA000-memory.dmp

Filesize
40KB

Download
memory/3920-25-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3920-27-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/3920-28-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/3920-30-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing