af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31

General

Target

af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe
Size

12KB
MD5

13cfc27ba2a7fcb26c537c9c613e6f0c
SHA1

660c977f4d56f736362f37741789da57c704c2e3
SHA256

af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31
SHA512

5c7074ed4d4be795c0df07468bfd795574bfb96c75397d84d135b2c2a437da4c684650c6f3149ad81a240cf7dcca8a4fe9da74a998b6f970d2d265f29566a804
SSDEEP

384:mL7li/2zpq2DcEQvdhcJKLTp/NK9xa19:AxM/Q9c19

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe

Deletes itself 1 IoCs

pid	Process
900	tmp63CC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
900	tmp63CC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 2496	3180	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	88
PID 3180 wrote to memory of 2496	3180	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	88
PID 3180 wrote to memory of 2496	3180	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	88
PID 2496 wrote to memory of 5052	2496	vbc.exe	91
PID 2496 wrote to memory of 5052	2496	vbc.exe	91
PID 2496 wrote to memory of 5052	2496	vbc.exe	91
PID 3180 wrote to memory of 900	3180	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	93
PID 3180 wrote to memory of 900	3180	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	93
PID 3180 wrote to memory of 900	3180	af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe	93

C:\Users\Admin\AppData\Local\Temp\af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe
"C:\Users\Admin\AppData\Local\Temp\af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aouio1qq\aouio1qq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65CE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc472035F569E54C5391C3FAB94DC2D7DF.TMP"
    3⤵
    PID:5052
- C:\Users\Admin\AppData\Local\Temp\tmp63CC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp63CC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\af9715190438181bcc3942dba4a52c28642cb546e3289717872f29f4fa150b31.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
decb923236bcea3241e9c84f5b0b7f3b

SHA1
ed18a94af162af0e76620e524c99fca18ecc4ad5

SHA256
58b4d10709c8c7f2fb31654c35d80b183438fe61bfe65298636b9553bcdfe1bb

SHA512
35fb90b789a9044a4296e89b3d12951cb4f25fbb51022d9cc8658ed1122f12a9dd67ca20a44e429f1af62abdd816c34e38f8fd4092fb767e0cb01b2e60708ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES65CE.tmp

Filesize
1KB

MD5
952c0ae2f75fdbc62af7aeb2277012e9

SHA1
301960dfb34636832b31f46dbceb37d6cd8e3d52

SHA256
67b90d1d19d82531c43aaddc89df6af89db56271bf93557219e23bce31f4dd79

SHA512
6dc06bb58455ede68c86cb22533fd461e7f92f96467a8204a295588edc4b6ff5a517f6665e460683aedebe409bef1a6f05b05b039b83496b1436c6239213121a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aouio1qq\aouio1qq.0.vb

Filesize
2KB

MD5
322784e9c3cdc836fb1fcb3bac6dd039

SHA1
97318b196e8d24236034758535e5d6c38dc009c9

SHA256
70a951d98e20f8ef59cf1cb19794ab154c54bd1d9ef904402cc21e498b10d128

SHA512
29aedae0b576b88eef7c385a3fb0745eb2538273510bc2bc40f838ade816eaddf1accdebb711d800a995ef7dbb3a11ce27d23394c6af7847168b5f94386556c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aouio1qq\aouio1qq.cmdline

Filesize
273B

MD5
7b7ce074d7a5c13a99db9d6841699dab

SHA1
b21c97174ce549122b363be1d2d65fb49a44ecd1

SHA256
07a2efe70d1ef64fdb538b9679fb92c72ca822988b5c079010f9063f2bf1dfdf

SHA512
cabc1106e801a927828cade114146271c7d523455837e83e38af51b33a9a9f7e6850af79c403ee3f5aed393531f5bfc7df8fa3b0c9c053bc06aa100e27c2dea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp63CC.tmp.exe

Filesize
12KB

MD5
77a8ad526ddd531f24984d84ead1d0fc

SHA1
7c998ba968f5b4922ee94aed92387f57e695ecad

SHA256
506ef17eb2f8f111dc3480267d4ba4e485587ad31fee0fc726817766bb5802b0

SHA512
bff990c5d3d983499628272e523633ae26a1de6ecaaf9eed770af796e3b72b4fb271353e47e6c774bf778eb29dbe559a2c3304cd2e84c112f0194cd981f8d20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc472035F569E54C5391C3FAB94DC2D7DF.TMP

Filesize
1KB

MD5
04dfe8f909b105b8b45ef60e84fee906

SHA1
dfc44b8adee5231cf015aa618dc5a042fa9ba287

SHA256
d4fb96610a0f3621dad2f311f3f95f0fbab3c327de14b1c181969cb74b04ab8a

SHA512
bc3eb422468c18aebdc05ff89a51225255e79a7f3a6d4b9aae9330065ebe27719885cec5f2c38e1c036b7169c854a42052be9a0b4ac3ae22d975d3aefc0fbac6

Download Submit
memory/900-24-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/900-26-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/900-27-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/900-28-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/900-30-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/3180-0-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download
memory/3180-6-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3180-2-0x0000000004C70000-0x0000000004D0C000-memory.dmp

Filesize
624KB

Download
memory/3180-1-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/3180-25-0x0000000074E80000-0x0000000075630000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing