10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1

General

Target

10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe
Size

12KB
MD5

3dca6c626c9363766d4bd4108b0f46f6
SHA1

6e3caa5776ba1bedbb33e469d59d0f425e051897
SHA256

10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1
SHA512

b7665e0ebb72f4654ad14b5a53b81454e485f2ce33df64e93eb7c4aec513d7d2110d75f54e0dcfe7bf009bdf5020b465f63410eb3ab83e9d3916ab05f8b60192
SSDEEP

384:mL7li/2z4q2DcEQvdhcJKLTp/NK9xa1C:AkM/Q9c1C

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe

Deletes itself 1 IoCs

pid	Process
4304	tmpB08.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4304	tmpB08.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3076	10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 4696	3076	10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe	91
PID 3076 wrote to memory of 4696	3076	10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe	91
PID 3076 wrote to memory of 4696	3076	10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe	91
PID 4696 wrote to memory of 4260	4696	vbc.exe	93
PID 4696 wrote to memory of 4260	4696	vbc.exe	93
PID 4696 wrote to memory of 4260	4696	vbc.exe	93
PID 3076 wrote to memory of 4304	3076	10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe	98
PID 3076 wrote to memory of 4304	3076	10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe	98
PID 3076 wrote to memory of 4304	3076	10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe	98

C:\Users\Admin\AppData\Local\Temp\10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe
"C:\Users\Admin\AppData\Local\Temp\10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iblrmnle\iblrmnle.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES175B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AB4F7F7AA58471BB5A06F6A2A5565FE.TMP"
    3⤵
    PID:4260
- C:\Users\Admin\AppData\Local\Temp\tmpB08.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB08.tmp.exe" C:\Users\Admin\AppData\Local\Temp\10bf38821b0590fef1b82616920ec743bd09f7d1c374e77731138bed045653e1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7b1818a32322e32a1966cf212aac3b43

SHA1
ff0e3fe9cbc3b6aa63e4f71eb832a12c17b129f0

SHA256
0ac3fec603a25e4209fe3bc6e7655648bcf07808272bca5a963b46c73a0584ea

SHA512
d8e5054429a34117694c4ab7e8e113cf5f4b15345425ab8962906a4366292b074ebf91e0fb3ce72e33c85ca925a49a8752ed4b3dca4820cef616b959e7480d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES175B.tmp

Filesize
1KB

MD5
a2f196b64b710a6880b5426dc7f485f0

SHA1
2e7817782c71203b6004ca8223870688fe153de9

SHA256
fe0285953386fdfbb3bf391c2de4716dba14e26446cae05d34b0a9a8b43f9c92

SHA512
dbf519e9103d8ac621a49c2ae131d4682ed1d2e852b791445f8e0d030d19d61bdb831f36a2c41f097bce9532840115d80c7f96d3781f9d1b370e0b809b8aab85

Download Submit
C:\Users\Admin\AppData\Local\Temp\iblrmnle\iblrmnle.0.vb

Filesize
2KB

MD5
708632f6b9d50ae1d5d5e22dc4f79199

SHA1
394ba060b29863d126e2487515ce20ec94ea7ae8

SHA256
0b17fbe427d92bc06c88035f7e0b9eec28579fa96d83dfec74acd326cb94f1d8

SHA512
aa7fbd0ebc646ed39ad093b741869ddf4bf0569f905c9caaea1e20b7e3cd4838a3db91396ebd06a2f4c32006c258ebcb9782b18b2befd5c0ea171a6d9f26f064

Download Submit
C:\Users\Admin\AppData\Local\Temp\iblrmnle\iblrmnle.cmdline

Filesize
272B

MD5
bba3165bf1784867e7e3c403afccfc97

SHA1
3b9bf10e630d1b386051c73dc2e1080c5f429705

SHA256
354b9a6b3ede1efba909ea8f311b7f364abd8a29e3714d604b5be0565dda0fe1

SHA512
a8d34db9dc3bd7fe178934e29eec7b3520fb6347f11243003553e7dce7c5eb3b588caf37380980731991ca233afe9ed3392c09b399c34ff76b674ba35810925c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB08.tmp.exe

Filesize
12KB

MD5
d6b37e34e60c1a9966929e228238383d

SHA1
25edeb2dbac93766f36de31cb06a25561d3d5c22

SHA256
9f5a613c33fd10bbc556729d2e91e8a5cff39dc75d935fb3c1169e0af443fb95

SHA512
6987bfceda6e757c7c06e13dbf73aa92b4b78871c380b3273fb68f1fb81379963c5ac20a70925349f5be59a3dc93b7e4a5d41a85088d69a13de9af6202659f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3AB4F7F7AA58471BB5A06F6A2A5565FE.TMP

Filesize
1KB

MD5
1bd6dde813ae584ed9655b329fc302e1

SHA1
c850ef6ca0e78f177b7ef438fc469453d47e94ff

SHA256
9bd86fbac614d79daea6fa18f6f144e9c9c6bae778f969da4c768c6ada647962

SHA512
0a9d9d16150c97da2ca7fc6568a6b3cfd589cb668fd9d41256557f055b6dae5b8018195de88465b341056f8ca7c2ded17ab7fced0d49f11caa0a012e64261aa9

Download Submit
memory/3076-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/3076-6-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3076-2-0x00000000053D0000-0x000000000546C000-memory.dmp

Filesize
624KB

Download
memory/3076-1-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/3076-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4304-23-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/4304-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4304-27-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/4304-28-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/4304-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing