95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1

General

Target

95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe
Size

12KB
MD5

29eb5cab0b1835f02fb78e40f1730904
SHA1

cde6f2f615d2e06da71297122ac154ef1f1ed92a
SHA256

95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1
SHA512

cf31448c7e0ee3f133557b2c83a677f25dc9200b24efa7518d3e64cd41a2f41635773bf4776d352dab827030d7717bee0709f72bb6031851c76a7261cbb877b8
SSDEEP

384:TL7li/2z/q2DcEQvdQcJKLTp/NK9xadO:3zMCQ9cdO

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe

Deletes itself 1 IoCs

pid	Process
1960	tmp4D27.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1960	tmp4D27.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1588	1324	95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe	86
PID 1324 wrote to memory of 1588	1324	95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe	86
PID 1324 wrote to memory of 1588	1324	95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe	86
PID 1588 wrote to memory of 3524	1588	vbc.exe	88
PID 1588 wrote to memory of 3524	1588	vbc.exe	88
PID 1588 wrote to memory of 3524	1588	vbc.exe	88
PID 1324 wrote to memory of 1960	1324	95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe	91
PID 1324 wrote to memory of 1960	1324	95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe	91
PID 1324 wrote to memory of 1960	1324	95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe	91

C:\Users\Admin\AppData\Local\Temp\95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe
"C:\Users\Admin\AppData\Local\Temp\95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vxag3kcl\vxag3kcl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD30A4AFD6E87415AAFCC289E8DA474BF.TMP"
    3⤵
    PID:3524
- C:\Users\Admin\AppData\Local\Temp\tmp4D27.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4D27.tmp.exe" C:\Users\Admin\AppData\Local\Temp\95861ba2fc43ba3a76875ad618df8de30bc46c28635c33c0e5af6ac7cf7345c1.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
38c050a0e993d037a95505daba6f9e46

SHA1
623013617785bc39528989cea6e60756baba6f6f

SHA256
26d901574861004871f5dea9bf1ea429f88ba3f035c323a5e37679f06be38d5d

SHA512
91b14d53d6e7f05a00978c3e06775e3d05e3648129f5547d4c11bb55a5f0b2d27c57f8132782733c55ee86bc16be74aaadbfee897313ac0bf18783da7100366e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4EDB.tmp

Filesize
1KB

MD5
459f0b29b30447e5eea690a556b1486b

SHA1
d54c81439b6139fc7993f46837c9a6bdf7b58267

SHA256
8196e634c4c4ae08ca3d05c86c9c57e7a78cdf5ddc103fa9cf6ca400c8687f72

SHA512
ca0c7b9a04ae447feb7435a3c9e20a21bd506a6f0c7d1ef94d4081defa969c11c568c5fd14db818944ce03c598992fa6403345defa61c0f8693c404ea2841311

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D27.tmp.exe

Filesize
12KB

MD5
cff843017ba6993c201fb191323b6f01

SHA1
eb874dc26cf5e9ccd59cfe2af3908ddfb2ec87d2

SHA256
4009d5d809977edd0f8ea80a23a49e1e0b900a68e66dab9b45e9cd17f31cee02

SHA512
417c6b776bed9bbce63e00dc90ced231596b0e31acb1f2e44a9d2f98519af1be7d7791119a2a117fb9aa6aa52b9ca8b20dd5a4d89e5d3c41560ff62f86ad6de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD30A4AFD6E87415AAFCC289E8DA474BF.TMP

Filesize
1KB

MD5
3e9949c378b759749eb0c541e27748ce

SHA1
e9102761753ab636519de22b6ca167f628ea90f6

SHA256
2f6697520a92480711325031e5bc6c9b541d825283f39a4da8881c64a0efc0eb

SHA512
132042c680930471a4586fa436a4798d4f1db4c8426fb359986cec30e2ade2c2a39afea639f8c022a2533c139c54f290d13914b9a2fa30cf37212181efcc49ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxag3kcl\vxag3kcl.0.vb

Filesize
2KB

MD5
6687b5efb74c42f8645a0ff42663769d

SHA1
6722f9825fdb5cdb8cf232d5c1cbeb22e743dff8

SHA256
1259da971381c09b2585bea8b69ca96aa851877a2281a2de3a25ab521c500438

SHA512
2b7e7a38fc07fcf4f1ef16341e077023656c4bc6d1e09d6b9bbcd4c5902de1e0caaa45c3a18e1515984f344f33c443be95614736ae05eece41f70c34853d5c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxag3kcl\vxag3kcl.cmdline

Filesize
273B

MD5
1260ab140de0e13e07c4f66a05e506a8

SHA1
b77944b47cbef972e72c6d7273eb6c8e681e3172

SHA256
11bdd6035bed7674287585d12eb9c32314786f04e55b1036fcbabfd95f8d9029

SHA512
f74c4c323ff1e334964ae060a9df69223169a162d640095d441518c33c4095b5f56200e260fdc108485d015a2450510405342299fa03599c2570ac1c8c4ec8c1

Download Submit
memory/1324-0-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/1324-8-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-2-0x0000000004AC0000-0x0000000004B5C000-memory.dmp

Filesize
624KB

Download
memory/1324-1-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/1324-26-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/1960-24-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/1960-25-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/1960-27-0x0000000005640000-0x0000000005BE4000-memory.dmp

Filesize
5.6MB

Download
memory/1960-28-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/1960-30-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing