b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c

General

Target

b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe
Size

12KB
MD5

67e81f88bb14393c53ed7b9054c35ba7
SHA1

a21010018af879adb5af4069d2b2e664fd9c670d
SHA256

b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c
SHA512

462a8796cdeb967f9bfd4eb92a637b266708df6654f969197f2332477a2f6d59ed44644c3f1a2217ec3016220e161b13e8e3def6051acc849c10fac1af3f4020
SSDEEP

384:BL7li/2z2q2DcEQvdQcJKLTp/NK9xabr:hmMCQ9cbr

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe

Deletes itself 1 IoCs

pid	Process
2620	tmp3A89.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	tmp3A89.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3084 wrote to memory of 3232	3084	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	86
PID 3084 wrote to memory of 3232	3084	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	86
PID 3084 wrote to memory of 3232	3084	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	86
PID 3232 wrote to memory of 3060	3232	vbc.exe	88
PID 3232 wrote to memory of 3060	3232	vbc.exe	88
PID 3232 wrote to memory of 3060	3232	vbc.exe	88
PID 3084 wrote to memory of 2620	3084	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	89
PID 3084 wrote to memory of 2620	3084	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	89
PID 3084 wrote to memory of 2620	3084	b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe	89

C:\Users\Admin\AppData\Local\Temp\b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe
"C:\Users\Admin\AppData\Local\Temp\b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ulzariic\ulzariic.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7E81B172D9F04DDBA575EAC3D6B6F381.TMP"
    3⤵
    PID:3060
- C:\Users\Admin\AppData\Local\Temp\tmp3A89.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3A89.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b98e912f79ae55ec2632dae6236d273ff980256198380c7040a9df6c8d7b3a5c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ec5a42f2c4b2b14ed037b68a22e717ff

SHA1
4d843951c157ce945d7da2b1329274d652e7facb

SHA256
44f67769b880eea97b602280ab0b14115c6931ca71961fd2954f1a73af036e05

SHA512
2ff06d8201573b4d7c560b262142e8a588f82d96dc00c27290f4cacd501a4adb524c44db51fcbe12b34939475a6fca88db98bd948f3a8a811a72eca1adfb023c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3BF0.tmp

Filesize
1KB

MD5
9696e441b8cf60f09b82d11e516cf1f0

SHA1
06d6878dbd1e77e01fdc676dc577f362dd47704e

SHA256
fab6a8c292764386576efda9acf4b20d6f96cd79e6d8300c9e181e5b90c90d3e

SHA512
f658dcfcbb58465b8954b3c0a2988274ce78f03a9bc904cbc32ea5f13a1c0148b6d2f7bb47806b9ac42f066107324e3b6d740259500ad5aef672f9a3da78ed73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A89.tmp.exe

Filesize
12KB

MD5
6afe37438105b1509e9d8c4a8c0c37f7

SHA1
740d2fd2bd193a3c84d5ecf66ce8e2e04b4feeab

SHA256
80526ff2de748401c8adb1dc2cb4b0a088bcd629fef4b49e4a5842fb61d7dc91

SHA512
74f2ca3e6add0de1872bf6ecc582798f6fabb3b9673e507e617d78237f07fa0cbcc775f3ccaccf95a37aa608c014b01843de79b965c38ba51612f39d2c10b26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulzariic\ulzariic.0.vb

Filesize
2KB

MD5
a5804d90f99c38d4755893fbc2a942af

SHA1
32f2d4d498955536dbc1bc871bd0272ec9c49610

SHA256
ccaf4c3a6d08526bc58a0917df0095af4edbb3a625f3f471f3f6f6cba531da0b

SHA512
5e50f4e056c885f6209103def0619c5927de6f34aa490660d02ab64c223c2d69ed4bb6c9697c3673d82bbbbdf66c107d75d438da79dd696ee21259986ee7ad48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulzariic\ulzariic.cmdline

Filesize
273B

MD5
6108be424b16c80d0fb08e10bb22eb67

SHA1
891f3f7589ff333c03e90bd5599f54cdf1823c63

SHA256
32179fe29001126c307eecb7bf9b9d1eaa9bb901034b653dc8518271144794e0

SHA512
7f02564e09d7a82dddc040cb4ffd265bef615b2f2514dcecc5ffd0d5e8e36f731f102f169df8aff743df93acde06c3a21c7e05e09cdf9f0f51ba9aea0f640ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7E81B172D9F04DDBA575EAC3D6B6F381.TMP

Filesize
1KB

MD5
36067e06d39fa2b270b2d79f283a3809

SHA1
4d02a29b8dbecc64b9d30901bc3f13859a9837ef

SHA256
25a17ffd5c4b0cb158c0be6e6294d9b26d8753bbf8a0cf9b5f1b6e32c5b9d41c

SHA512
aa0e60d05b5669fcb8b4ebe70eaa2ae83a474ac99898a6a77bb0ee1a784e268bd15a87edb612c6ebc34c7726469db42c4b09e6436917b2f654c41e00a441fc17

Download Submit
memory/2620-25-0x0000000000F10000-0x0000000000F1A000-memory.dmp

Filesize
40KB

Download
memory/2620-26-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/2620-27-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/2620-28-0x00000000058F0000-0x0000000005982000-memory.dmp

Filesize
584KB

Download
memory/2620-30-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3084-0-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/3084-8-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download
memory/3084-2-0x00000000057C0000-0x000000000585C000-memory.dmp

Filesize
624KB

Download
memory/3084-1-0x0000000000D60000-0x0000000000D6A000-memory.dmp

Filesize
40KB

Download
memory/3084-24-0x0000000074E10000-0x00000000755C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing