2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9

General

Target

2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe
Size

12KB
MD5

d5156d6021e93fdefbbf8bb3d1efe6ab
SHA1

81870cec5a4bbaf1d6e082ab3e299aa3cfdd1c21
SHA256

2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9
SHA512

e15383135836e00b07bd3095e4fe534e3492026632f6a830b7c0950d00362a49ac81c1558558e6a8e70da89aaefd0c5bee21dd919b3d7ffe1ac5b60f7a787f16
SSDEEP

384:JL7li/2zkq2DcEQvdhcJKLTp/NK9xa6a:5QM/Q9c6a

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe

Deletes itself 1 IoCs

pid	Process
3176	tmpE679.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3176	tmpE679.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4084	2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 2184	4084	2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe	94
PID 4084 wrote to memory of 2184	4084	2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe	94
PID 4084 wrote to memory of 2184	4084	2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe	94
PID 2184 wrote to memory of 1652	2184	vbc.exe	98
PID 2184 wrote to memory of 1652	2184	vbc.exe	98
PID 2184 wrote to memory of 1652	2184	vbc.exe	98
PID 4084 wrote to memory of 3176	4084	2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe	99
PID 4084 wrote to memory of 3176	4084	2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe	99
PID 4084 wrote to memory of 3176	4084	2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe	99

C:\Users\Admin\AppData\Local\Temp\2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe
"C:\Users\Admin\AppData\Local\Temp\2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\enimys1t\enimys1t.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE87B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92EC24CEF44046BE8CEEB195D38FB031.TMP"
    3⤵
    PID:1652
- C:\Users\Admin\AppData\Local\Temp\tmpE679.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE679.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2f5f773b2d4e6c020571c07204159784f17c84b99b66085f56f73a2e34517de9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
3ee75ab6c06f911690cf80ea7735a34f

SHA1
a356850b1948c567d779a874880b0589083a4e74

SHA256
e52ba1ad767ccf638f182f6ee44e1ddb505b9b3e09abd4e88289fd879c9ac772

SHA512
9401667b0213a67cea7028c02a25238d0496e725212f70b88fcb7bd207b180d59a17db79e8a043211cd0cdf6d1eadaefc8eab73e037ffeac06892fd7654260b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE87B.tmp

Filesize
1KB

MD5
1164aecaebfe03cf95df39b9b109b9a2

SHA1
54b0340b852a37f17e13516147baa50f70f4af5b

SHA256
c209a8fbb3180f4a6bf21e8fd2c3d7f15a541e2c4d40a17e67b0fcdba8ff4864

SHA512
bc59b7fad9025867a8c3dd38b5ba5f37df851fbe5c4fed9ed6accec9d81c72fa1f6fa4a7bf074dca329388cafa9fa2dfad8fee8fc3ad57b032410b9bf08ef796

Download Submit
C:\Users\Admin\AppData\Local\Temp\enimys1t\enimys1t.0.vb

Filesize
2KB

MD5
5f37b37d9b05dbd56583ae5aebf70026

SHA1
7bf9a3ec5d3542d55be045365cf5819ca3d5f9ef

SHA256
6f6c7359ce6361a6690849821926921e15aa4a688aaf62b1816cc8cb5280b0f4

SHA512
145f078e834bba646ef65fc9a515bff5c23b20518f4cdfbf401baa1ec23187e4134ffe139631371e50dc0cc59af2d5477d9f66d9bce62c5eee5eb616cc31d179

Download Submit
C:\Users\Admin\AppData\Local\Temp\enimys1t\enimys1t.cmdline

Filesize
273B

MD5
5d0134c844c0c274d0dbf5684f15b322

SHA1
2968346d92f223075ea016717807c17eb3ff1b52

SHA256
d60a1d2dfe6eb1394fbfe193c9d5067418e0bce4300136474050f81bf1e92022

SHA512
84895bcdd6619e00038bac1444e6040a81cbdef5cabbbcefbb0b094e91a788c1846ec86134ae7819a216e13f26ab883b18ff019c64aa65cd5e3cd6fbea310464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE679.tmp.exe

Filesize
12KB

MD5
2241d80b4d0ddb00797ff86b105c7c67

SHA1
4b47949b70c9bdfb98ab34df1fb733bcef08626a

SHA256
37224350bbe8f329670dcad8969cb8e8604843875b45803641ca66f942c7239d

SHA512
72264062f6ea358956ff3127a77af21551c5f7bf416f1fa7568dc5faa44e11086aee1f8f19aaa30cc6c5245a0ffeadcc9ffaae3385b57377d6d006dd6e943793

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc92EC24CEF44046BE8CEEB195D38FB031.TMP

Filesize
1KB

MD5
9ecb0c61ff6a89c01aeb57c073ac5e40

SHA1
96067cc0fdbf8795f6871d1fcfee73c98b452568

SHA256
00d610cf6984f2dadc3abb6494d63c619c85503fbf10421520e087ee29ea4029

SHA512
0dcfefe23a0d6ad09c6968f4424322a413b81be66c046fd6e30ba93cb74478d842a4c1303207d08dcb0dac3e568c8b067d1ac4e06f2d23094e71776da41fc2b4

Download Submit
memory/3176-24-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/3176-25-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/3176-27-0x0000000005210000-0x00000000057B4000-memory.dmp

Filesize
5.6MB

Download
memory/3176-28-0x0000000004C60000-0x0000000004CF2000-memory.dmp

Filesize
584KB

Download
memory/3176-30-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/4084-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/4084-8-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/4084-2-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download
memory/4084-1-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/4084-26-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing