22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb

General

Target

22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe
Size

12KB
MD5

2f773450a270914637e077e3abf22eb9
SHA1

50e57b7c113604c9ee2ee2b3bd945985998f33f6
SHA256

22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb
SHA512

bd35c184d8656c99737344732fa3ab11d4e0caf5c05f1ece2e6eedf2553e79b37f2ac54552546dc03ce27d72363b083d6319ec623928c1d7d1dd67c7be157181
SSDEEP

384:0L7li/2zpq2DcEQvdhcJKLTp/NK9xa8A:ihM/Q9c8A

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe

Deletes itself 1 IoCs

Processes:

tmp5506.tmp.exe

pid process

4920 tmp5506.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp5506.tmp.exe

pid process

4920 tmp5506.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe

description pid process

Token: SeDebugPrivilege 3940 22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe

pid	process
4920	tmp5506.tmp.exe

pid	process
4920	tmp5506.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3940	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exevbc.exe

description	pid	process	target process
PID 3940 wrote to memory of 4108	3940	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	vbc.exe
PID 3940 wrote to memory of 4108	3940	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	vbc.exe
PID 3940 wrote to memory of 4108	3940	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	vbc.exe
PID 4108 wrote to memory of 2776	4108	vbc.exe	cvtres.exe
PID 4108 wrote to memory of 2776	4108	vbc.exe	cvtres.exe
PID 4108 wrote to memory of 2776	4108	vbc.exe	cvtres.exe
PID 3940 wrote to memory of 4920	3940	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	tmp5506.tmp.exe
PID 3940 wrote to memory of 4920	3940	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	tmp5506.tmp.exe
PID 3940 wrote to memory of 4920	3940	22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe	tmp5506.tmp.exe

C:\Users\Admin\AppData\Local\Temp\22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe
"C:\Users\Admin\AppData\Local\Temp\22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mzt3y1qb\mzt3y1qb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES565D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE74F191AACE54755B4F6A369BE65604A.TMP"
3⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\tmp5506.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5506.tmp.exe" C:\Users\Admin\AppData\Local\Temp\22114eb2173c7aa72e649b3e416a0f5beae3e5fbdf68bba549eb9803ba6d2ebb.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7b1818a32322e32a1966cf212aac3b43

SHA1
ff0e3fe9cbc3b6aa63e4f71eb832a12c17b129f0

SHA256
0ac3fec603a25e4209fe3bc6e7655648bcf07808272bca5a963b46c73a0584ea

SHA512
d8e5054429a34117694c4ab7e8e113cf5f4b15345425ab8962906a4366292b074ebf91e0fb3ce72e33c85ca925a49a8752ed4b3dca4820cef616b959e7480d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES565D.tmp

Filesize
1KB

MD5
8fa4f943fea7dfc8e3c637fb271c24d7

SHA1
03a478c33501ab530b4289198315a1adf2c27bbb

SHA256
ec17a5cfaf2928d84d9b600e9b615156a049df13ffc45556bc37728914630c55

SHA512
af06056e08723c2939fedd8cee512adefa8e3785e0612f37d7ae078f2343fabebf5ebf162cc40409871ebb97d29c59849e518cb89de112a2cf29b8592adc232c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzt3y1qb\mzt3y1qb.0.vb

Filesize
2KB

MD5
708632f6b9d50ae1d5d5e22dc4f79199

SHA1
394ba060b29863d126e2487515ce20ec94ea7ae8

SHA256
0b17fbe427d92bc06c88035f7e0b9eec28579fa96d83dfec74acd326cb94f1d8

SHA512
aa7fbd0ebc646ed39ad093b741869ddf4bf0569f905c9caaea1e20b7e3cd4838a3db91396ebd06a2f4c32006c258ebcb9782b18b2befd5c0ea171a6d9f26f064

Download Submit
C:\Users\Admin\AppData\Local\Temp\mzt3y1qb\mzt3y1qb.cmdline

Filesize
273B

MD5
4ba8d084cb1140fcaf01af16a26583e3

SHA1
49b785a0ecf2b6a333d78bca3430ea62ccd1f2e3

SHA256
b196253b0472d0d0f6e961a3aba1928251bd999088fed96e861392cca5f3f679

SHA512
1f7528f9e93173b89416e96c95f3d1277fc6b9f4c09a87c2d4a5093946e5d972be0d4eb9207b095b26694a3525a513a32b95e727999f5ef4d63df6af7b252d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5506.tmp.exe

Filesize
12KB

MD5
10877076f41cb20b42ccac89ffb1aa59

SHA1
77d9e223718921f137f8e537d409dfb13ca01fbc

SHA256
a7c4edaee5bcfa73a3a71a316c8fcf142191f24bd77c6b1ab0b4504618bb645e

SHA512
4f33ef5383e38c0589aecd54e61af6898169550329e9714d7035ff9a2de5f18b9afce56fb6dbfbf43bb2060e5d3291da174fdfd4f2be9d85441d0155daaa527b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE74F191AACE54755B4F6A369BE65604A.TMP

Filesize
1KB

MD5
27ca12f8db63022e4eeb5341a5d642f1

SHA1
7ae461add92ab77369faebd453d3e459fb70b901

SHA256
ee241cdba1c70e8e99b442e073b5e5a09666ee4c53218a89e9e6639c1f124a7f

SHA512
4b4cb35128d5714ea71d97a7b4cb32621b8046b59418e249cb8ef23007b93aa5524c7f3425b987ebbb2a60b4b416f0d6da2d0c6f348d8d82b6ac274af2c71df4

Download Submit
memory/3940-8-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/3940-2-0x00000000051D0000-0x000000000526C000-memory.dmp

Filesize
624KB

Download
memory/3940-0-0x000000007489E000-0x000000007489F000-memory.dmp

Filesize
4KB

Download
memory/3940-1-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/3940-24-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/4920-25-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/4920-26-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download
memory/4920-27-0x00000000054B0000-0x0000000005A54000-memory.dmp

Filesize
5.6MB

Download
memory/4920-28-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/4920-30-0x0000000074890000-0x0000000075040000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing