f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8

General

Target

f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe
Size

12KB
MD5

84c3cde186f5ce9e444c3080f4c02c94
SHA1

fa37fb0c8266c8576e68aeb756ba514b9361e066
SHA256

f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8
SHA512

6dcda0b1d97872d01ee00617406aa20197f75008b56f3975da128d22477bc72501503b04e95187b43c45c1a66437e220e35bda7ad7696678c1d8e8b77e3f5dec
SSDEEP

384:oL7li/2zHq2DcEQvdQcJKLTp/NK9xafy:WbMCQ9cfy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe

Deletes itself 1 IoCs

pid	Process
5052	tmp41DC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5052	tmp41DC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 848	2012	f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe	87
PID 2012 wrote to memory of 848	2012	f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe	87
PID 2012 wrote to memory of 848	2012	f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe	87
PID 848 wrote to memory of 3016	848	vbc.exe	90
PID 848 wrote to memory of 3016	848	vbc.exe	90
PID 848 wrote to memory of 3016	848	vbc.exe	90
PID 2012 wrote to memory of 5052	2012	f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe	91
PID 2012 wrote to memory of 5052	2012	f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe	91
PID 2012 wrote to memory of 5052	2012	f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe	91

C:\Users\Admin\AppData\Local\Temp\f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe
"C:\Users\Admin\AppData\Local\Temp\f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3h03szj0\3h03szj0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4527.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCEADDE315F4B4591867C9851849F5EC1.TMP"
    3⤵
    PID:3016
- C:\Users\Admin\AppData\Local\Temp\tmp41DC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp41DC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f60205ecb21a0989b2e7acc9bca276f58ae38d77ccb250b8059af4f46c5f36e8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3h03szj0\3h03szj0.0.vb

Filesize
2KB

MD5
afc03d66b8e41dc46e9df395efdd1eda

SHA1
dd9e5b5a502fba756a7e6631f0d09145031d4fcd

SHA256
1d4bdce518634a55140792ae304b2f45ea83bc1f4ad988ad7c701120da94c5b5

SHA512
a6c4bedc369df9631a82eca391639636c5a6fe2c58abd0150aa624a570be66a7cd23d4d61829996d2bc4521be376a1b5e1edb4fce6d309dd80f45c1ab3ed1d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3h03szj0\3h03szj0.cmdline

Filesize
273B

MD5
26d550ec364b67f286d5ea64e36c74b8

SHA1
503327f86823e12d2d035932a123235fa0b628b7

SHA256
d766ac9a62d5ec8e0accef84adc8553d2b7fd3a1f8738d5e202132d2b2ffcdb0

SHA512
eacb3daba060101b68ca039e029b445e2f6f3415a5ca8e8ccbafca50bd66ee46d782c12e9be9ac6d7e3794ffb48f9b9342b808b53e0b38d9782b65101bd3e1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ac6c0673ebaebb1c7827fd0f0cc929ef

SHA1
868e31597ff5eefb87e77470d91456dda7786a38

SHA256
efd884c02eaebc145c64b37826df09c9de808eab7d3edcc91e83f0c4e2ba9742

SHA512
24ddac0ea0918aba48e8305313f80e7cb20508918288890a797d4d0c811ab83da9eb325b2809a545470000b9bacd4ce203bc5353d5a24bb0ad7c870dd02ab4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4527.tmp

Filesize
1KB

MD5
42943424c4067cbb67814ae2ce206a2a

SHA1
2218735553765da8d9ac035a9b4d604786ded94d

SHA256
a3eeb0c907047d8453bf4116771b0ad9461cb3a70c89977afd5afc8d14a3f1e9

SHA512
1004cd74cfdb55b90fe84170cfe18011aba00c07afc4ec1e4b4d470dfde7f06398a9ee9047755d4301338b0e547e9b43381312acf23094d7ba4591a69df439c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp41DC.tmp.exe

Filesize
12KB

MD5
b61f83afb8eb7f0c1a127042d559c7fd

SHA1
1968a5ea18be304094e9d21bf0f2839509f3fdb3

SHA256
56f0dad2a58ba073bb47705d72474f801b71f3aef46018b2f672d34e30c3ba4a

SHA512
77af1801044cb73f32186323393af0c0ec1018cb67a3527541bc3bc51ab444b1097a1b2e8860587af61791c2b468422734381b00d319a8dc56a1892396450a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCEADDE315F4B4591867C9851849F5EC1.TMP

Filesize
1KB

MD5
0e3845ba1f752750c6c880f5b0c97836

SHA1
aac045ed3ce7418d4bc383e9651aeeeafc4e18bc

SHA256
eadf4a38fb286e90d996a1db20af25cbefc8d7fa362bd849a2df7744afbbf5dd

SHA512
b507210f2f0dda7c379d091c1a2007b5ec66b6b1762520155bb9d2bd1a9094427480d4c8472d7f7e2847997acc46aad2a8d003d36429a99554a45e671bf583d3

Download Submit
memory/2012-5-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2012-2-0x0000000004B50000-0x0000000004BEC000-memory.dmp

Filesize
624KB

Download
memory/2012-1-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/2012-0-0x00000000750EE000-0x00000000750EF000-memory.dmp

Filesize
4KB

Download
memory/2012-24-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/5052-26-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/5052-25-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/5052-27-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/5052-28-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/5052-30-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing