5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8

General

Target

5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
Size

12KB
MD5

654bb6eb55d613bf3d91b448eaa473a4
SHA1

fffeaa09369ed614a787528d63e80b174fa955f8
SHA256

5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8
SHA512

95d9971db036ff91c6c2fa9be7be74aed5e8b77ecdeb2559ef7d72958ba54d70d1420a44f7b92f4bc828c0c691b45fb618aa9239ccc20846ae79b3a7a548e75b
SSDEEP

384:zL7li/2zHq2DcEQvdhcJKLTp/NK9xaZp:XbM/Q9cZp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe

Deletes itself 1 IoCs

pid	Process
2728	tmp4046.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2728	tmp4046.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4900	1280	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	86
PID 1280 wrote to memory of 4900	1280	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	86
PID 1280 wrote to memory of 4900	1280	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	86
PID 4900 wrote to memory of 1696	4900	vbc.exe	88
PID 4900 wrote to memory of 1696	4900	vbc.exe	88
PID 4900 wrote to memory of 1696	4900	vbc.exe	88
PID 1280 wrote to memory of 2728	1280	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	91
PID 1280 wrote to memory of 2728	1280	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	91
PID 1280 wrote to memory of 2728	1280	5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe	91

C:\Users\Admin\AppData\Local\Temp\5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
"C:\Users\Admin\AppData\Local\Temp\5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nymng3k3\nymng3k3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41EB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF3F2DFE084DB4E5792C47EFE2D9D4E5.TMP"
    3⤵
    PID:1696
- C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5a0e0ed4d552f366b2bfd6497ebba2d6e5ef62d5dc956c6b9bb9a27906dfc1e8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6e6e62186045093acf112d5ac7cafe49

SHA1
d45937d00769c0c90e0fedc9496817a31eb97b57

SHA256
5dd9c0491d782678d5317abcc2af9aeac734ea117d304a00605c7c2e73f75341

SHA512
2400f5080af08094be9586135cee75b9829f1177b1e45383cfe01fa0fa0fcc9db61f7737d4d25e7c28a9d9df4d6c0dfb67261fe63c7d69c70678bdbba75ec7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES41EB.tmp

Filesize
1KB

MD5
4b2979b5312e815fe386adee2caf8efd

SHA1
94e840fd9d9f74d429acfc87868246fa93d87400

SHA256
a40c30405f225dbce1e2c42cd4dbf7af2672b262b580df0eb630669c27f8a5dd

SHA512
ffa7ed5aece10ac31d5cef2066bd67793e5d2ccdc25409e87ff8c99c82a6b4f6d96b36bb5cb3ca0f2bf2c86db67e39ae1dc209c3ce04a76779ad311c1b8a4df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nymng3k3\nymng3k3.0.vb

Filesize
2KB

MD5
4d429362d1b7717b3b695ac5b431f730

SHA1
08b6c722c21a9c50c059d13391f0354bde5bcdec

SHA256
d32733c517b55fd58c2f7912cae59b6434172380d9d1de5af886ad7bc2dbc272

SHA512
f3adac5585cc357366f6bdb16f376183bf89b7c0343b980594ca91d7f39b25577ef5b5a6e1c584e230f3ce2fe7ff2e58568bb64b4a87ac87a4182fd04fef1ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nymng3k3\nymng3k3.cmdline

Filesize
273B

MD5
eac64fb51990adb8714e4426a5c413f5

SHA1
de66a5ca3ae8b900c9655907bd42ce7fed6c6a49

SHA256
95449f36ad26f1d53e849891a0644e493350e96c70e624e2883ca9409ee2a459

SHA512
a1e6a2d19105f925773b59473ccc59743ca20f3a004c04e6fa200eb6e03ef5e35df629547d750e63c1f95b552ccdd79e02aea8484c5754bec04a8cfb6a964546

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp.exe

Filesize
12KB

MD5
ed1f66f30edd3285facfcd16d9ef8d88

SHA1
4e7d9e11ee62ff9aa19cc9f2accab1a6f2d5a35d

SHA256
df017d81319e4e8c10489c77e63ec3c103056681f0b386055ebe9d39b8063541

SHA512
a1371f30702cb96d16b12f9e9055f66b9255baaf8f1d7a69d6d6de21f407032d349f5f9b51a53ab04f53117c511064f92c92a578e6521c720d8ee5314f0ce1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF3F2DFE084DB4E5792C47EFE2D9D4E5.TMP

Filesize
1KB

MD5
ba920f14b8cc5ca9993c849d37058a6e

SHA1
7e15a4a8f28481bd1b21b3c11399ce6683d43fd2

SHA256
f20b6e104fa76cc79fc047362630feefc7906caec7c2a0abf045ec83625e1bba

SHA512
e9063f2a170f2a6973580fbf48d9fdccf88f062be8f43df051129b0d58f0cea55d83df115e3828358e0e69800cb90231f415f07b2d241660e54c8f232f0455b0

Download Submit
memory/1280-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/1280-8-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-2-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/1280-1-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/1280-26-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/2728-24-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/2728-25-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2728-27-0x0000000005340000-0x00000000058E4000-memory.dmp

Filesize
5.6MB

Download
memory/2728-28-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/2728-30-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing