30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc

General

Target

30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe
Size

12KB
MD5

1b59285a477fe4b5e68f12d1bc1c616d
SHA1

10c30c963d87cb973edf66ec53c60785ca217b7d
SHA256

30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc
SHA512

c057c09b5548b75806aac743c0680095a0b6898dd60f54cc861603b64af43d43f8bad37d7cffd1c3297611bc2f080fb260854bb0e4f031bc3f289619812aeb8c
SSDEEP

384:kL7li/2zADq2DcEQvdhcJKLTp/NK9xa2E:y87M/Q9c2E

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe

Deletes itself 1 IoCs

pid	Process
4664	tmpCCA7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4664	tmpCCA7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 1600	3404	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	91
PID 3404 wrote to memory of 1600	3404	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	91
PID 3404 wrote to memory of 1600	3404	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	91
PID 1600 wrote to memory of 4852	1600	vbc.exe	93
PID 1600 wrote to memory of 4852	1600	vbc.exe	93
PID 1600 wrote to memory of 4852	1600	vbc.exe	93
PID 3404 wrote to memory of 4664	3404	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	94
PID 3404 wrote to memory of 4664	3404	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	94
PID 3404 wrote to memory of 4664	3404	30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe	94

C:\Users\Admin\AppData\Local\Temp\30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe
"C:\Users\Admin\AppData\Local\Temp\30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kank5cyi\kank5cyi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc860447C394CE425094FD8AA946CFB90.TMP"
    3⤵
    PID:4852
- C:\Users\Admin\AppData\Local\Temp\tmpCCA7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpCCA7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\30a8c6561a2532715fd397a2522d9c5f07645412d6768c99325be183059b57cc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
71e8058d0b11022fae70f208cf97a269

SHA1
ca8361d7ec20acd03548279154ae7c095cad4a4a

SHA256
8ad2191926ce70477def640c71c4c358b6a1be887082fd19641d1cbf608b160c

SHA512
e45d3a591a63e03574ef3a1f1ca5465adce028a44acc60e2c4c8d4280632b9b27c0e3a0c939791dd57820bebfd21a3340123428c7600196090c5bfd459676c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDC18.tmp

Filesize
1KB

MD5
d954bfd9fd1e55fe508b42c5789520ee

SHA1
103586b00f6e74f1943433752528efd931e22c25

SHA256
b2996a587670b1abf52e3c216be4f0788bf83fb4f5c1d8f094077e8c46544a27

SHA512
40dfb4d745ad5ec58adf32189c71eee45e74f492d153b8e1d0577f199546ec2aea08954fd62ce27f974f15467b271180c67aa72e1b464516be9a9ebf8b34afea

Download Submit
C:\Users\Admin\AppData\Local\Temp\kank5cyi\kank5cyi.0.vb

Filesize
2KB

MD5
08504a83fc0fd86f4c1141da8a25b68c

SHA1
396af98f8194a07c66b22c6148a946f4e6045baa

SHA256
400d46e91d3fa56ac810b11910be42f5fd7cd578dc1918ee81fafe437d66bae7

SHA512
cfb6549beef58829da0f74cd75f4f2e2e3e43828a79b8f3a66d8aa4e3ed57687ed293b276bd0a664c712c6becec6d8f19f68b74b0c75111dca6cff4b8b616005

Download Submit
C:\Users\Admin\AppData\Local\Temp\kank5cyi\kank5cyi.cmdline

Filesize
273B

MD5
316c48c8c84e9258b6132fc9386bc1d4

SHA1
5a14d033d5dda274e75a1fdaff348066e8463831

SHA256
d6fb5fb0df1257862caeddad9fb2f9ccf2dc6781c96c579879ceab9e2ca1dbdb

SHA512
1f5252b8d200f8c46992a2298d16a585e7f00b96c4c67b5aadc807eed896f021bc0e354c8726795870b3fc7e87bbc9336ff5477f3dce6c6bea89117eb45d756a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCCA7.tmp.exe

Filesize
12KB

MD5
d0ce4c7df296838880cb897eb0f42693

SHA1
bd87fe025d3782a001405641ee7aab63dea19870

SHA256
3851ae7b118f7561b21cb11a3cb6331cd72748199279d8af786c45b82d9f443d

SHA512
7e3e6bf2af1eecaeae4dbd5e7db5f3159c8ce8ae4156208b7deb3634a89b2907178c68e32ae13950f8fe909337c9d459cf92a69d0d32f25556c231cc51f96b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc860447C394CE425094FD8AA946CFB90.TMP

Filesize
1KB

MD5
5bb46e5530cd972a0fcbc9fe7ba72d1a

SHA1
56cce182bbac1ff30e8b0679f4a6a519a5c34a16

SHA256
1b0c88363144d992a1ac8e51ada2c236e6c572241f58d8cc602d34ad678b81a8

SHA512
b34433c7a710518f498d26aabda3942361ab0644145f37cafc54aecfe72a7f444d5c54af424f28551ebf5f8f5d5ab0313a4f5a71a1c9fcfa8bc14dd79e474ef2

Download Submit
memory/3404-0-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/3404-5-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3404-2-0x0000000004C90000-0x0000000004D2C000-memory.dmp

Filesize
624KB

Download
memory/3404-1-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/3404-26-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4664-24-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/4664-25-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4664-27-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/4664-28-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/4664-30-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing