78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f

General

Target

78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe
Size

12KB
MD5

113d39619618d12156042dbdf1e85198
SHA1

8a52ee431a00fc6a0553335620b91c7722e3110c
SHA256

78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f
SHA512

41c136aeafc19706d7e9a4c72a1d1baec69d080b4f65eee61bd340e8120a253afdcef4248944eca350aef14474a22341226b1d0287b761de979d5c68f56de01e
SSDEEP

384:GL7li/2zKq2DcEQvdhcJKLTp/NK9xao1:gSM/Q9co1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe

Deletes itself 1 IoCs

pid	Process
520	tmp5005.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
520	tmp5005.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1472	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	86
PID 1068 wrote to memory of 1472	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	86
PID 1068 wrote to memory of 1472	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	86
PID 1472 wrote to memory of 2904	1472	vbc.exe	90
PID 1472 wrote to memory of 2904	1472	vbc.exe	90
PID 1472 wrote to memory of 2904	1472	vbc.exe	90
PID 1068 wrote to memory of 520	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	92
PID 1068 wrote to memory of 520	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	92
PID 1068 wrote to memory of 520	1068	78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe	92

C:\Users\Admin\AppData\Local\Temp\78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe
"C:\Users\Admin\AppData\Local\Temp\78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0upu0jnp\0upu0jnp.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5217.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1C0C3FAD84904BA4A38817F1B1AD640.TMP"
    3⤵
    PID:2904
- C:\Users\Admin\AppData\Local\Temp\tmp5005.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5005.tmp.exe" C:\Users\Admin\AppData\Local\Temp\78a9521b6c7634c9cf7879d29d12506be3430c23a0b33988df713db04ed9c88f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0upu0jnp\0upu0jnp.0.vb

Filesize
2KB

MD5
015de1b039da2f6db35ac94d83290bcf

SHA1
478d1eae654ab1c2a84b61fbf5b93419fba6ce21

SHA256
263423d2eb78bb9b41b127006479d3022a6f6f55eafce009e55453ed0339bbe1

SHA512
7f821806b344704dbbc5df5c8a514bf49081a4a8078de67e159e690cb8a050576ddfb389e7f21840aa759bbf6b4a8b82a4f3050ce3040e7355874809cc8a0ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0upu0jnp\0upu0jnp.cmdline

Filesize
273B

MD5
118f6e7fc0367ce8df2daba62871e030

SHA1
0ec363cbf6399559103baae5eb15ad1ab7a1fcf7

SHA256
683dfee3857bee5c86f8c9050b1a204e3a322c9f92a0c53186dc74034ad98115

SHA512
e852a25ed953e86b71c32993a6948bd862c096bdde85826c7ff484b57e9460554d8e07468e64b3c64b978facb5b89d8bdb0cf3b16d126a768933a25014961096

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
82eefbf2f80eb2224c65493e7847dab9

SHA1
ee1f67ccd6e69d424bee459d8aecd7a27c40e954

SHA256
d812b8d44e1ccbb7ca9afe7250547e6c57b26e7da47cf76138bef3446bdda116

SHA512
f5ed9c5b917bfb31396082cfca0ae9f1805e6c27e1afb389f0d1be67cd79e694efcea743aee9a5da81043430f86244777a1700024b87cec9f2d590d64a8063ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5217.tmp

Filesize
1KB

MD5
7ab931176a9bb0889e21e58712c9edf0

SHA1
f20a45c680daf3e26b266e26e81ed2217c4c0dbf

SHA256
302f375cc30d940d8c760b2ca1aa4bac7d785373cae79200a2b0168864156861

SHA512
6a93ad84e4638eebcc33b79a40b92854ffa18564e005a351a6c2720ac40d26aceec105c3718d01fb454251b3d583eccf953134d820ecf0acd50a723cfdc140e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5005.tmp.exe

Filesize
12KB

MD5
f8d85d1b57af7849617a6531ff0c4cf0

SHA1
274430422b5329a23bb91540eb119bb5672e3db9

SHA256
863bcaffa42d8737fe69bf0a6d431d5939077b0d649e9bd32784ad173eb08a50

SHA512
37d307ae234cc0e1c63e7fc2bf296f56ff672e6a171d66be0b4f69881deeb559568d45643f3cf09f6ce4ab6b3e029f432fc50d0dc78549729a6d6be4e842e696

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1C0C3FAD84904BA4A38817F1B1AD640.TMP

Filesize
1KB

MD5
f8138aef0e63a4ed002d677273c33182

SHA1
203c37f1b3e06656996c6247abf73d46a7a7d2a2

SHA256
cb1c5e32f2795bbdc294c876f3a50b0995691552435261259c18cc26ce089cf6

SHA512
9b87f74f13c8af6cd1da74b271ab8ff2c9230028e2c60d26c58f74a0eab639134539bb7aeeea4aa8d36e748081afe04a637e1841d7c7c7495bed1c7e04f55f9b

Download Submit
memory/520-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/520-25-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/520-27-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/520-28-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/520-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1068-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1068-2-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/1068-1-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/1068-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/1068-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing