3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12

General

Target

3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe
Size

12KB
MD5

b0510443d664e0b905d0eb0d437c8b26
SHA1

47695ccc9af844332e64308ee00d07610a885153
SHA256

3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12
SHA512

e8eeacf9cb65da281db439daa1bc472d29e479573da3992fdf458495037f630779c3bef7c77867d7f6bdc9a89a2e09392b469292d8adca685c6ce3f4e5a4207a
SSDEEP

384:XL7li/2ztq2DcEQvdhcJKLTp/NK9xaUv:bNM/Q9cUv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe

Deletes itself 1 IoCs

pid	Process
940	tmp3951.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
940	tmp3951.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 3140	1068	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	85
PID 1068 wrote to memory of 3140	1068	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	85
PID 1068 wrote to memory of 3140	1068	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	85
PID 3140 wrote to memory of 1980	3140	vbc.exe	87
PID 3140 wrote to memory of 1980	3140	vbc.exe	87
PID 3140 wrote to memory of 1980	3140	vbc.exe	87
PID 1068 wrote to memory of 940	1068	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	88
PID 1068 wrote to memory of 940	1068	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	88
PID 1068 wrote to memory of 940	1068	3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe	88

C:\Users\Admin\AppData\Local\Temp\3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe
"C:\Users\Admin\AppData\Local\Temp\3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\korbwb3n\korbwb3n.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AD6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9C793112AAED4D1DA9249CA540DFD169.TMP"
    3⤵
    PID:1980
- C:\Users\Admin\AppData\Local\Temp\tmp3951.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3951.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3389d69cef7002a79cfb00279134d1dd459103cad074b4dcaac9657db01d1c12.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7ea8d937cb7e4eaab202d52672906da6

SHA1
72e5e20cd4827bb3eae5f5e851949131e4f5f574

SHA256
aeb4ddaaf80a32d61c11e2e9f6ff194b7ce5261c8d5b9a7a536f650a632ae22b

SHA512
38cfa4f10b1608cbb3e20a310fdb43a115261b13f9afb858f2810e1c06f31664a66209c2440efd827e2470a63e268de5c6e92d05329ba570ecb75c3cd2552d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AD6.tmp

Filesize
1KB

MD5
0bfdfbf4446205a60ada4b9d13069d9e

SHA1
e0d85585211102b1a3a44bef07a5a22fbd86202b

SHA256
8972da6e5c7e549a71d7536e9e609886130e5b7d02916e09351dbef7e0690be9

SHA512
4b73a6de3259458b602cd78e88c7915c43e50277e4d372a734d5224eb10c39b7ff528df0261d67a9b9cdda96bf53e0862d0ecbd391fde7870be4e64122df812c

Download Submit
C:\Users\Admin\AppData\Local\Temp\korbwb3n\korbwb3n.0.vb

Filesize
2KB

MD5
fb1843c503af9b1903f7d8459f265fb5

SHA1
8bd5c0546351820ab71f87f013c3e07dfd4bb61b

SHA256
ed8bae3865832c1c3445bcb709220d3f9fc37e8cc1589de386719247a63e0455

SHA512
3f776b494482cbb25c763b8d1a8e48c0efca21330e7f517dfe7c93029c2d35258c1c7ffe3290a102028398db1376ad2deac4405a649ef4f25351e56f5a67e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\korbwb3n\korbwb3n.cmdline

Filesize
273B

MD5
907be97cb95deca9d420a5578b4ca9ca

SHA1
1b9fe517580eb52a67f2192bb95c75df3f8a7ee9

SHA256
68286f4cceb9fbff0042f4b6954e2ccd86fd40fe5f59e383a1d26706a250a0c9

SHA512
81a86253c01caf3b4f059b6cab0791e96f36cf3e6e72f010d3a2569fc97b366185c6e0bd7982c16542fe43ca545b1dfacfb32bb9c4a21c15b361222e5d7845f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3951.tmp.exe

Filesize
12KB

MD5
b49ef5cf4953c040e744240715dec8f4

SHA1
4e0f16473ddf1329fc5aa81a0489af1ebdb3dd99

SHA256
700edf2f0779634192a75a6c968510be508560bc18f26620326926d874967245

SHA512
41a755cb17bb1809e602912d495262c704d2f501775c90eaa6fd23fa9367248e337b9a8cc2e2a2c12b0641384f2bdde8958e558f592a69075c0fe8f73d74f02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9C793112AAED4D1DA9249CA540DFD169.TMP

Filesize
1KB

MD5
2615f66313719e7442f33502789bfea5

SHA1
6f3b220cd850c218922b20a861e490adddba7d07

SHA256
3db851c8bf2b9bd3e61e869f9e9cb8fa7ec71b55008deb35147b5c0086c4e48c

SHA512
51ffad56b892cd392f7a20d09b7e8a246feccfa4935f170adaf204bf55f86df2b847b76345c6cefc5de42054982db2e0d75afde3303dda778a9435c9f9a08049

Download Submit
memory/940-25-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/940-26-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/940-27-0x0000000005060000-0x0000000005604000-memory.dmp

Filesize
5.6MB

Download
memory/940-28-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/940-30-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/1068-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

Filesize
4KB

Download
memory/1068-8-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/1068-2-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/1068-1-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download
memory/1068-24-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing