b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053

General

Target

b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe
Size

12KB
MD5

bb0646e925db1748156fad8f7b03084b
SHA1

df29851e36e0c8ffa3d916e2c978c83e410639dd
SHA256

b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053
SHA512

8cb22cd49523dbd01424d336b0de7b5001830e5229052bcb19ebd38796739cb54f166c6917d4ba97c949091f6a1077055c865109c89e8c3b82b195b51977109e
SSDEEP

384:JxL7li/2zWq2DcEQvdQcJKLTp/NK9xaWF:T2MCQ9cWF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe

Deletes itself 1 IoCs

pid	Process
4108	tmp50D0.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4108	tmp50D0.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 2264	4016	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	87
PID 4016 wrote to memory of 2264	4016	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	87
PID 4016 wrote to memory of 2264	4016	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	87
PID 2264 wrote to memory of 3568	2264	vbc.exe	89
PID 2264 wrote to memory of 3568	2264	vbc.exe	89
PID 2264 wrote to memory of 3568	2264	vbc.exe	89
PID 4016 wrote to memory of 4108	4016	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	90
PID 4016 wrote to memory of 4108	4016	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	90
PID 4016 wrote to memory of 4108	4016	b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe	90

C:\Users\Admin\AppData\Local\Temp\b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe
"C:\Users\Admin\AppData\Local\Temp\b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pv3qvfsy\pv3qvfsy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5311.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc647114AE3DAB400F8A6B2E3E938668A.TMP"
    3⤵
    PID:3568
- C:\Users\Admin\AppData\Local\Temp\tmp50D0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp50D0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b2142d218313161e0c90167d91860c3618e663f1811f5b3fff5dbc6aee5c1053.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
53dcdc0a14c02f29a05c57323c2f2755

SHA1
3dccc5c93c7e6310866a33ae0d28b1198e70d687

SHA256
07fa46bf66eca5dd74bf38258eb8ab42d7c01375498c689f43fb18b8d6d8489a

SHA512
9f3129b8e995567ed66771e249affcf3242b0e81121d87adee4c5eb4da765d1bfd6ed6b5dda6004e4a35eaec61ead5d3007b95dad39658ca12a481a720d47334

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5311.tmp

Filesize
1KB

MD5
978eed654d1a59896a19298a9b51a8fb

SHA1
4579249b882e43d3ef07000899e71a4262c98bcc

SHA256
e4dba674a70f57156cbfe63f9363e4c06814fecf6c72f7e166f386bad872154f

SHA512
880c7842c49b215dddadb0146c89ed8910cee961ada39654eb35b93e25921fc2df4f5dd18aec7354934aba8aad80773ebd20824289097dec821d871dca6a47a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pv3qvfsy\pv3qvfsy.0.vb

Filesize
2KB

MD5
099b3a7ea303642ffb9fb0defc538aca

SHA1
cae97fcb9b88b91c3aa583ed26fad39dceec6e12

SHA256
4ece797c0b62e46795bd1630a75eca129dab9348a6156bea1cecfd33f43d5a83

SHA512
9f5c0d485fc533c9ae346dc2b37fca658615e0aaf6e0c0b2675b98a901f0055a33e14a27b9f76cc3aaaf460e74ff3f2958538cb860b2c56b73f8d8e7f3f964fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pv3qvfsy\pv3qvfsy.cmdline

Filesize
273B

MD5
15ed8e5a958e0dc4ace58eab6e2262b2

SHA1
c6d6832f0dc23801e6206f3af76bfc94c09467cd

SHA256
1ae3d52d2023a4d53f2c597b9ad50ec8f86539030e88f3c8af74a8ae63614fe2

SHA512
b7fbfefa16d96ce22e1fe61900ae0bfc0d7962f50bcb9dd084784546b80f8fde522d1513b76443d0b269dd724416dd24a74a5629701f1a608edb8b87a69cf28b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50D0.tmp.exe

Filesize
12KB

MD5
fcfe6959c7b760a1bb3be4eaa311f7fb

SHA1
172a96cf1fe2b272ab9ab51f4c7db51cf183dac0

SHA256
b56a291918cb5cfe152a23ff086b86991f82d36970b1d396e7af8061a07fef65

SHA512
de9b2b60df9266027c42abd62a4376adfa07feecca2e82be222e326d6f2fa73825a3c7ad50ba761ef39be18ff89e7661538b85e637de17324d51b7d007277a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc647114AE3DAB400F8A6B2E3E938668A.TMP

Filesize
1KB

MD5
62c6e186cee43a3cca62b193137e841c

SHA1
1eaba964339947f0d520d9aede3a6b06a3ce79d8

SHA256
9126741a662bfc61ce8f098b8773d57c1baae998181502080a640b205d46be6c

SHA512
1a740d13cb3c054ff2599a349c4ab009c7c0b3e12652abc045d23a8f5a3f7d90d6bbcc97c9bb12b2d4bd7b32e11d4a5806e26445b97b9c7102e49d45fc1da004

Download Submit
memory/4016-0-0x00000000753BE000-0x00000000753BF000-memory.dmp

Filesize
4KB

Download
memory/4016-8-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/4016-2-0x00000000052F0000-0x000000000538C000-memory.dmp

Filesize
624KB

Download
memory/4016-1-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/4016-24-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/4108-25-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/4108-26-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/4108-27-0x00000000050D0000-0x0000000005674000-memory.dmp

Filesize
5.6MB

Download
memory/4108-28-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/4108-30-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing