6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec

General

Target

6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe
Size

12KB
MD5

72108d3d739b47036826de38114cec36
SHA1

4398dea1908d4c261a93acc7e54b9fefb18b2bf8
SHA256

6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec
SHA512

63955858fb994217e5608dff612caccfacf87638039a650bcbf2a8ab5f7c0d4a95314ad7e8c23a44ce028603b45723be6234795b8d99cfe353cbda45346d4e12
SSDEEP

384:xL7li/2z4q2DcEQvdQcJKLTp/NK9xaS9:xUMCQ9cS9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe

Deletes itself 1 IoCs

pid	Process
4780	tmp4C7B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4780	tmp4C7B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 3764	3156	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	89
PID 3156 wrote to memory of 3764	3156	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	89
PID 3156 wrote to memory of 3764	3156	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	89
PID 3764 wrote to memory of 2204	3764	vbc.exe	91
PID 3764 wrote to memory of 2204	3764	vbc.exe	91
PID 3764 wrote to memory of 2204	3764	vbc.exe	91
PID 3156 wrote to memory of 4780	3156	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	92
PID 3156 wrote to memory of 4780	3156	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	92
PID 3156 wrote to memory of 4780	3156	6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe	92

C:\Users\Admin\AppData\Local\Temp\6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe
"C:\Users\Admin\AppData\Local\Temp\6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\avgfdr3u\avgfdr3u.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc553400BD7374D69BDB9DF2B6CD28633.TMP"
    3⤵
    PID:2204
- C:\Users\Admin\AppData\Local\Temp\tmp4C7B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4C7B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\6e1f70a4c1de629631545d9367aec365c0b962dc8e09c5d937189fc9f55a47ec.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6e6e62186045093acf112d5ac7cafe49

SHA1
d45937d00769c0c90e0fedc9496817a31eb97b57

SHA256
5dd9c0491d782678d5317abcc2af9aeac734ea117d304a00605c7c2e73f75341

SHA512
2400f5080af08094be9586135cee75b9829f1177b1e45383cfe01fa0fa0fcc9db61f7737d4d25e7c28a9d9df4d6c0dfb67261fe63c7d69c70678bdbba75ec7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DE1.tmp

Filesize
1KB

MD5
7427902c76f7f9e20fd84d291b73f77f

SHA1
f7dbaf226224cce2f35950447a06d363e381a712

SHA256
9f424dc580d61430e7d63896eaf17bd98b78af99252123b4df1c2295ce53b78b

SHA512
844ee286d39bec40e11672a39465cf3741854cc625c7b94ec8d0bd15e23ce8cdf6c330e11b23a4f2b66c07fcb6b899feaa80a3d47ae3fb515f4ad19dc9d509a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\avgfdr3u\avgfdr3u.0.vb

Filesize
2KB

MD5
4d429362d1b7717b3b695ac5b431f730

SHA1
08b6c722c21a9c50c059d13391f0354bde5bcdec

SHA256
d32733c517b55fd58c2f7912cae59b6434172380d9d1de5af886ad7bc2dbc272

SHA512
f3adac5585cc357366f6bdb16f376183bf89b7c0343b980594ca91d7f39b25577ef5b5a6e1c584e230f3ce2fe7ff2e58568bb64b4a87ac87a4182fd04fef1ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\avgfdr3u\avgfdr3u.cmdline

Filesize
273B

MD5
dac15a4e0f3db3f81f9164c33354575c

SHA1
d3ad00b667d77e531544d8974c2a5e0c294135fc

SHA256
183e021ba47ea716fb7544554950742f37ba17625f34b03f1f95702555b56365

SHA512
246709be657c1e160acf67b39c29f8ab64470d6c3e4d31efa5765fb552f7db8cc13abec6d391f8993c63d75a1d2d1f1dddd7bd8a4d9ff35aef58f7441ac4b6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C7B.tmp.exe

Filesize
12KB

MD5
c6c051d7d79372f7be1af7cb732a761c

SHA1
db02da5f5083fa05d5d79d8e4b169c917fec4232

SHA256
e51fe361e789903ce508846989ae28de8cf50ec38b87039035d5191108de120e

SHA512
13c6ef8b00b531275b0fcf0e601a263dd3b41a16a61c264b7502ed4c23687cf9e590038deb47a0cc59be31e21d896f91e4fa03eeb84cac1158ef7ceac272e994

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc553400BD7374D69BDB9DF2B6CD28633.TMP

Filesize
1KB

MD5
33e77e634ee6c7fe83db90da261b3866

SHA1
39daa4f35acc8218e0d04a01f976a1a973117084

SHA256
0771275415d3ed744ff2c65d1a1cf63c40f01f7e67370f950119637280323486

SHA512
748bf381ee92ec83865f43f43f07ab3b1b689763683d12b466813c5bb2a305e70abcc7d1853a48aa1f83f599179c02454cd64d1877c3c69ed2fcc3508c843f5a

Download Submit
memory/3156-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/3156-8-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3156-2-0x0000000004B40000-0x0000000004BDC000-memory.dmp

Filesize
624KB

Download
memory/3156-1-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/3156-25-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4780-24-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4780-26-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download
memory/4780-27-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/4780-28-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/4780-30-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing