0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212

General

Target

0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe
Size

12KB
MD5

ca5d26edf6e7ff89481ea62dc2caeb8e
SHA1

9a7b87ca52c33290b3ba82be0d7d35285efe2fa0
SHA256

0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212
SHA512

52dc39dfda468124e206459d80bc6acaefd6d98b7b3858f0ed4c82566e590d98a11913f079166a517ebe41e7618f0946de29518dd163d86b3e8fdaf88292c1cb
SSDEEP

384:PL7li/2z9q2DcEQvdhcJKLTp/NK9xajx:jFM/Q9cjx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe

Deletes itself 1 IoCs

pid	Process
4020	tmp3A0C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4020	tmp3A0C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3396	0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 4200	3396	0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe	88
PID 3396 wrote to memory of 4200	3396	0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe	88
PID 3396 wrote to memory of 4200	3396	0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe	88
PID 4200 wrote to memory of 3972	4200	vbc.exe	90
PID 4200 wrote to memory of 3972	4200	vbc.exe	90
PID 4200 wrote to memory of 3972	4200	vbc.exe	90
PID 3396 wrote to memory of 4020	3396	0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe	91
PID 3396 wrote to memory of 4020	3396	0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe	91
PID 3396 wrote to memory of 4020	3396	0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe	91

C:\Users\Admin\AppData\Local\Temp\0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe
"C:\Users\Admin\AppData\Local\Temp\0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wikf2fka\wikf2fka.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AE6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6B8B318BF1042F5AADD798F74967DB5.TMP"
    3⤵
    PID:3972
- C:\Users\Admin\AppData\Local\Temp\tmp3A0C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3A0C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
81862501afbaaaa4a991c5d548bc880f

SHA1
e992de841c4c5d7c7e9d1394ea8fccbf18c6c5ca

SHA256
61d67df3a4f841f70e6bc23b988b6b3f9acbe7c1e33a785e43feb578f9e7e182

SHA512
94db3506aed50d62df54ed24ff64ba9a5aeb61109bc580030f03c24fb35a7fa3f77cbb5ce83a2828d4fc29c530b25c49c787cd42ec57a034147178e15ef446be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AE6.tmp

Filesize
1KB

MD5
233d2fa30ceb8820a7a7bb7f98e1352b

SHA1
b40ebcf2d7de5a2a6185ccc1807ff36889cbe560

SHA256
9dc8a3dda6c653c00ba6fb422e18be7f390701da057ff3a4a6d9a827d00e17b7

SHA512
3bc114f785f83191489ab511a4730da966ed2e281a0645581345fa2f190f390926363584a6edd38cd02bfafca3a69aec841898333a2c9b05baf70156db6b3d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A0C.tmp.exe

Filesize
12KB

MD5
83a114a89075e8ab33bf8c8d145bf260

SHA1
efda790701bb5ab704a49209057af2f51604856a

SHA256
786f4870dfcfb6697de77223aceda50b78b01964dd33b579dea063ee23ba02bb

SHA512
d99fe222f53c8fd42f5898715d63a4863b3839bbe13526ce51c067a603350bb620a3326aaf807b52c77de9f1695486e6317b13c132c7a3e4b0693e48ddef3315

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD6B8B318BF1042F5AADD798F74967DB5.TMP

Filesize
1KB

MD5
77d4babb64c6c9adde9ac48340184ccd

SHA1
600ad528687c9e05bb6c7cf76db8e5dc427d68d8

SHA256
3e84bc885d8e402bcb96edef1f0fd5ee3b7ab55fa2947060d1651f659c2d115b

SHA512
8967cfca8d4838c38598b7e5587262ad741a12f7a59cb564e77d35040bace96332bd758a7f6bb5807545ac8b2d8043afd1624be5c317c84e783f41e159b5cd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wikf2fka\wikf2fka.0.vb

Filesize
2KB

MD5
3db3f30cf3223a3fd96040c5d32d7ac7

SHA1
e3d46ead6d06bf6a88f14147352f041f55226c95

SHA256
a2f2964fefa043803de3d0d476cd49df84110e131b8be1bf9babccc9655f772a

SHA512
77215ab5721478342ed66dff52bcee37c044b03459fb18514cf06b5a80f59bc3ea186786f05638a2cf44bc4bd75264fffdb86fb7f7ee47fcf1ce01a5f6d4e612

Download Submit
C:\Users\Admin\AppData\Local\Temp\wikf2fka\wikf2fka.cmdline

Filesize
273B

MD5
2e9aef412c08b343112dd96c36e64377

SHA1
a231a96fce542b0a4dda8559c2883ae6993b8d86

SHA256
95baf11a3220932ed03aa1f7bb30eff8aeb07e07915d2c50b8bc7f5b3862528c

SHA512
a119d03a34b563c5bbc3b4c3eff69483b25d1301bc00fc5b3609cbb43cd6ba90d17f4589e4258fa187473438399289b3c5fda9bdd67b7715e7e6545836b91173

Download Submit
memory/3396-0-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download
memory/3396-7-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/3396-2-0x0000000005760000-0x00000000057FC000-memory.dmp

Filesize
624KB

Download
memory/3396-1-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/3396-24-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-26-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download
memory/4020-25-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4020-27-0x0000000005EB0000-0x0000000006454000-memory.dmp

Filesize
5.6MB

Download
memory/4020-28-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/4020-30-0x00000000752F0000-0x0000000075AA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing