17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337

General

Target

17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe
Size

12KB
MD5

a436d5f2416bbb566dce80bc445b3ca8
SHA1

9bad0812eabf3cd59ba13480da40435e0a5fffb5
SHA256

17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337
SHA512

df3c3f03b5262178944cfdb6495f492a041c46782d12539d3595eb9b9a1ac1db861c077c5297433c78c48f614614c898ea67e7c0c873438b3c2c6771e91ad953
SSDEEP

384:+L7li/2z2q2DcEQvdhcJKLTp/NK9xaHw:o+M/Q9cHw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe

Deletes itself 1 IoCs

pid	Process
4396	tmp217E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4396	tmp217E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 2032	4544	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	91
PID 4544 wrote to memory of 2032	4544	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	91
PID 4544 wrote to memory of 2032	4544	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	91
PID 2032 wrote to memory of 3768	2032	vbc.exe	93
PID 2032 wrote to memory of 3768	2032	vbc.exe	93
PID 2032 wrote to memory of 3768	2032	vbc.exe	93
PID 4544 wrote to memory of 4396	4544	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	94
PID 4544 wrote to memory of 4396	4544	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	94
PID 4544 wrote to memory of 4396	4544	17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe	94

C:\Users\Admin\AppData\Local\Temp\17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe
"C:\Users\Admin\AppData\Local\Temp\17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vhngtytg\vhngtytg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES26EC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc29D80BEE913D4EB0BD13AFFAE3B1C5FF.TMP"
    3⤵
    PID:3768
- C:\Users\Admin\AppData\Local\Temp\tmp217E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp217E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\17a1280a1171afd9ad152345f4a35cb0be3dd97d26b4ee8a2bd48447add55337.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
eabb16ba774dceb67be50bc773cba4d3

SHA1
b97fe47de339b96cd4c507fd21a75196ed47dce2

SHA256
7da0c6486285f72685113c3a9233a125656b5fc6faca95551701f8d088e34abc

SHA512
f04e6943d33b9408b694b65402eb8a3dc6694cfee9ef354b643360d4f143eff1b5c25b9da0f19ecb0088a2579db35ea33de8bc112c0b41bb661fa3e43ec2b2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES26EC.tmp

Filesize
1KB

MD5
497e63cc0f238fbc18358f1c6b39b83c

SHA1
e85bf333760f19a6e95d4f4df9769ab962c2072b

SHA256
e0208a26189a7d0719c127af61dfc6583b7a4a813c3ee03ff1cc9178b371947a

SHA512
1454b59b1c9ff768c4bbfae9710db1ccd82d82980a03f5cbb413fb9230115fdf9335f885b02b17194872a33080e120e3a6f81983acb7ddd9f5a3c2b9b9b0e926

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp217E.tmp.exe

Filesize
12KB

MD5
eb3376d30eb6507cd7bf7fe639441f4d

SHA1
d940cc02acddbd00160e5992e9803f0f0bd6a7b8

SHA256
9c4c2df497efedd6bea4235a52886dee4fa9642f1bfec30817a0929cd87da0af

SHA512
c430928ee92933e36e47e7207bf4f918fee721a26befc6ff296136084930523e07141e7f3ce675c510e786ef9b3f237304f5e23bf7419b97b4799ae0bddb7fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc29D80BEE913D4EB0BD13AFFAE3B1C5FF.TMP

Filesize
1KB

MD5
f2ee95f1b9b7504398bd98d9084a6f54

SHA1
2fae9ff0309aa1d09d10acbecba1c87d5e4a9377

SHA256
600187b664c3b43372fae04bb9a429ec3103df4f4e00247a99512f22c6c58807

SHA512
56aec18146b733bb0a2f6d8f04bbf729a9c4565029c9d868307c87dfeb0a35f9eac93bc74a48b8c27ba32eee7745ca402a7b2aa215dbd3edc63dc16f9ac85dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhngtytg\vhngtytg.0.vb

Filesize
2KB

MD5
a70992d43eb9d24eb87888a538686506

SHA1
804038391e87453695cfc70dd9f612b131124c2b

SHA256
3fcb4b7ebd4a02a827513c003786524bf7454d601890bd9760ed6e94bfbfd63e

SHA512
cd2b209217fddd941082d4b4cfad2e80e3906c91f87d2f68087bb147f06eaaf9e5153e4bb2b734f7f02afb85043426411661f570513a4e21f731c06ebb606553

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhngtytg\vhngtytg.cmdline

Filesize
273B

MD5
0b64686668bb3fda5da53f799d19081f

SHA1
afd34f3d96ae7ed77d01388dccffbc31e1ad7143

SHA256
7622c9811e024f6fd6ef9c9c319a65bc9ab9c93187823bf268bcaa0f38e7b760

SHA512
636cb7a934211ae9e231aad0a2a01ad54acd0ad054bcc97ee60f91eb61021e4fe06b91f18f85298c7b7238d54d1c0d7da821e1724e9957801f788a9be3e78d37

Download Submit
memory/4396-23-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

Filesize
40KB

Download
memory/4396-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-27-0x0000000005F30000-0x00000000064D4000-memory.dmp

Filesize
5.6MB

Download
memory/4396-28-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/4396-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4544-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/4544-7-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/4544-2-0x00000000055B0000-0x000000000564C000-memory.dmp

Filesize
624KB

Download
memory/4544-1-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/4544-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing