5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8

General

Target

5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe
Size

12KB
MD5

50f163f704c404eb0b78557faa9853d7
SHA1

8e5ba381b671052fef2bc83e8cd57417e0905655
SHA256

5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8
SHA512

1e7f7ea054e0539564cb29ab4fe68a2a56905f61275aa46b9bacd08f271548b88a1996495418e3d18e403b8ba90a0bedcbaba78ec9b3d6a62ef737e946e481ce
SSDEEP

384:AL7li/2zuq2DcEQvdhcJKLTp/NK9xaNeh:eWM/Q9cNeh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe

Deletes itself 1 IoCs

Processes:

tmp3CDB.tmp.exe

pid process

3532 tmp3CDB.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp3CDB.tmp.exe

pid process

3532 tmp3CDB.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe

description pid process

Token: SeDebugPrivilege 2896 5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe

pid	process
3532	tmp3CDB.tmp.exe

pid	process
3532	tmp3CDB.tmp.exe

description	pid	process
Token: SeDebugPrivilege	2896	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exevbc.exe

description	pid	process	target process
PID 2896 wrote to memory of 3396	2896	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	vbc.exe
PID 2896 wrote to memory of 3396	2896	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	vbc.exe
PID 2896 wrote to memory of 3396	2896	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	vbc.exe
PID 3396 wrote to memory of 5116	3396	vbc.exe	cvtres.exe
PID 3396 wrote to memory of 5116	3396	vbc.exe	cvtres.exe
PID 3396 wrote to memory of 5116	3396	vbc.exe	cvtres.exe
PID 2896 wrote to memory of 3532	2896	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	tmp3CDB.tmp.exe
PID 2896 wrote to memory of 3532	2896	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	tmp3CDB.tmp.exe
PID 2896 wrote to memory of 3532	2896	5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe	tmp3CDB.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe
"C:\Users\Admin\AppData\Local\Temp\5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jiz5qgdd\jiz5qgdd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E12.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B92365698DE4EA09C1054EBB42EE3A9.TMP"
3⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\tmp3CDB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp3CDB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5957cb4625bab12f727ca4cacf88813a8d853a3ec373643754109bca963ad1c8.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4c7ed5e8d25b868e347aab0d14a73a71

SHA1
72acda4130483adaaeb370d0caea105f17bd46af

SHA256
f7ee904f6e2b94b2a6a54325f5adbf5d561c10a03b616988732ea3a54e53a057

SHA512
9fbcfce28ba1ae92ec64fb8d28cecc415580e534d8b878bdc8b8e3056ce64f2cf0201686b6479652b430c2828b3e7b24414a6fa13c0b39b40e7ecb962c7e330e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3E12.tmp

Filesize
1KB

MD5
88466fdbfba985d560fe2776bef3af2e

SHA1
7f8cfd786bca93563f201e078aeaeb0d9201086b

SHA256
dd988638becaf54f7888a8cd14e1ab5f39cf2b8adbb2bb42b17bafc66d5c22b6

SHA512
dcee55e27627b757db2e6b1e18687fb164e9df5a15402c4038c59fb75d475b5ddd44e4863ac342a94311f9331c2ea650aff15a57e5585ad843de7fb603a97e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiz5qgdd\jiz5qgdd.0.vb

Filesize
2KB

MD5
d7ee0368948fd0890d7fc1f21504a52f

SHA1
16fba447337e802175b82c19195d9e3ff5134d5b

SHA256
7a70867a0bd7571759a569d459560ab453c564684959f5648d012422db6ebce7

SHA512
cd2e9bf5ba05d04d496b573a2af1c2dc28ac347d8d9839d3db9877cab365fa7074df2cd2717462df7346a14c6522c09a9617ff03dd8cd3dc7930dfe4e0c77b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\jiz5qgdd\jiz5qgdd.cmdline

Filesize
273B

MD5
9d0608b23e73243d4a66e4fc460aa843

SHA1
628dfe038a576241b2173995c7b19c0b850d5183

SHA256
724218a61365cdc89689057e3f240c198486ef2ce989d82853285ac572ccb700

SHA512
ac0aaf520c74be6ae7206afa4c7bc02a02f2fe5677ac2922518eeb128a46ed2215ad8febbe6d11b60d7b03cf594e58393e9a2a217fbf043d6537becf0987a61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3CDB.tmp.exe

Filesize
12KB

MD5
107b9c3609d95ff04f21cc86545d807f

SHA1
e94216cde96e502b666ce624287b14108e6e940e

SHA256
3a761a1fbc32e19845e65441e14a3f89d41b6bb327182f00bf26f41270f79ae3

SHA512
ce16b844b8c005f6b47a05619fad6b28f2ef9013733c949bcb07b3e7073e4a5d27986a9d7b8d4045f4e6f89c5ff91a9a3e26c25bb51846906c5666781f21a2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5B92365698DE4EA09C1054EBB42EE3A9.TMP

Filesize
1KB

MD5
28df2357072bb6b186aeadef2fdaaba6

SHA1
2acb4dd1419bc9f7da78a71a23c4104e4249fc56

SHA256
9894f243decd17f1101aaff60b492e4926579ba6f9881230cc22b12fe6ab169f

SHA512
a1507c3281e53a76498e8e3c62a9ab20d4e0a89c3874a6914060d43a88ea643c373ddc57068017bf62606f9257d3e1c297c77d2caa35a5b9d6e6234360261997

Download Submit
memory/2896-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2896-8-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/2896-2-0x00000000058A0000-0x000000000593C000-memory.dmp

Filesize
624KB

Download
memory/2896-1-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

Filesize
40KB

Download
memory/2896-24-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3532-25-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3532-26-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

Filesize
40KB

Download
memory/3532-27-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/3532-28-0x0000000005610000-0x00000000056A2000-memory.dmp

Filesize
584KB

Download
memory/3532-30-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing