ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9

General

Target

ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe
Size

12KB
MD5

58eec028c16c94111b4c77885a41a12c
SHA1

a1824748cc91053a835e6b2187c4c0f386eae583
SHA256

ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9
SHA512

dc1e60c9e48fd020732a911787cd5352381a85f91f53b329c12206f2bf8b1a04fbef3a25341c62e211feac6546bac41e32cdd5313d7cd05b6bed727408c99a6a
SSDEEP

384:oL7li/2zRq2DcEQvdQcJKLTp/NK9xajL:WxMCQ9cjL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe

Deletes itself 1 IoCs

pid	Process
3016	tmp4DB3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	tmp4DB3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	804	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2812	804	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	87
PID 804 wrote to memory of 2812	804	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	87
PID 804 wrote to memory of 2812	804	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	87
PID 2812 wrote to memory of 2288	2812	vbc.exe	89
PID 2812 wrote to memory of 2288	2812	vbc.exe	89
PID 2812 wrote to memory of 2288	2812	vbc.exe	89
PID 804 wrote to memory of 3016	804	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	90
PID 804 wrote to memory of 3016	804	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	90
PID 804 wrote to memory of 3016	804	ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe	90

C:\Users\Admin\AppData\Local\Temp\ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe
"C:\Users\Admin\AppData\Local\Temp\ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\li3l305s\li3l305s.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5004.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD93D100A4A024DC692DCF2ED0D8A7F0.TMP"
    3⤵
    PID:2288
- C:\Users\Admin\AppData\Local\Temp\tmp4DB3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4DB3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ab3434870dcfa6782eda146a76d70bed05e1693c43ab228abc3fb99e7ab945c9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
26b05c10a5a33339f759eed9ca336f19

SHA1
8147d424dfc6779bffc54d63175e528d1d58aacd

SHA256
c8d0aba674d9c86ec885896bec03632e5364d2c7bf8e4c71f6e9bdef64ea3eb3

SHA512
ce97cd23557e75af74ab538cda61e8b44345337e5109bc6c39853f3f3dea0fc4c9edb26c0ea2def1a5d8bb74b0120aa21299721cf8a92c4f39bddb2f6bbcb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5004.tmp

Filesize
1KB

MD5
a7b69bd5eaeaa5ea25dcef977a1bae19

SHA1
077e84de64c590da54825a5414c56a2308a473f5

SHA256
de472a52c72b258161e513be65f44716f28d8716a8eb2a2f1c2836b714b1d5c6

SHA512
8272bb8fa034b11c19d3f6ef960d1f454e8bf5ca42d2c52d3290220756df74f4d51b3bc144bdb5e81b43f4df0ecb489b77912d0136b6800b6a5fa4fd6cd197b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\li3l305s\li3l305s.0.vb

Filesize
2KB

MD5
35295d5f34a4d0762ffd1e371f27b271

SHA1
02361815bbefe23719b8a8abaaf0c5cf2054db94

SHA256
797564395128c46b0a4b1ae771dd8aec89ab8afe57a5d53c3667297043d5ddff

SHA512
d4f79261323a1fe3f4125a0820deb07ca8821b53114d09fc6017c45c105304e0bfd290309629389ff90e2b0bb1b9443d8fa6d0944faeb4f51211ca86e6e0e799

Download Submit
C:\Users\Admin\AppData\Local\Temp\li3l305s\li3l305s.cmdline

Filesize
273B

MD5
5435b2ff0ffea91e506735a0f1cb1e21

SHA1
9eaeb8c9495cdeb5885f6627a6c506214879fdfa

SHA256
7bb37000a7abd9dab0b4c83cddaa74198a18571726eaa5e264b78d413f3198a7

SHA512
7fb97e4abfe7d4542083fa8c887307cd0673e24233696664ecf10bd3570d591e1c7bc1a9b5dcef0acf193a15c6c0706cd37bd706e7b8c18b6f797f644806908e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DB3.tmp.exe

Filesize
12KB

MD5
ce213db1392a00c3e514e3f81986cd33

SHA1
9035f99f961cbd8a2825ffafa2c16eb4fc02de8e

SHA256
e9f97af13016108e9ea26055904863af9778881a6df53ef22a35d4ae9c9c27d7

SHA512
c10fdfa57aecfa6825ef5e7b6f297c1cb61454706363c8cc0a89551044ac265942a85c02f992220bd572853bf66810d1547095ef43a2e72ad2def49c24cd24ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD93D100A4A024DC692DCF2ED0D8A7F0.TMP

Filesize
1KB

MD5
0ae1e498645267b58364ce53d3c98e18

SHA1
a084ec7eaca12005f362175b33b6fe46dddac9e8

SHA256
c44cbfded139dd3b339b02a07e843c73fe1b29738c4d72c93f8655de65dc6a61

SHA512
d01573c35b9d6c604e04ea4b74f7c83367820ff188232f581a663d78c091a497797ee11e038619a0288d1bdd5b6e52fa70d1332f0ad6dbae801662069e5f2a57

Download Submit
memory/804-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/804-8-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/804-2-0x0000000004E50000-0x0000000004EEC000-memory.dmp

Filesize
624KB

Download
memory/804-1-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/804-26-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3016-24-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3016-25-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/3016-27-0x0000000005950000-0x0000000005EF4000-memory.dmp

Filesize
5.6MB

Download
memory/3016-28-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/3016-30-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing