492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054

General

Target

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe
Size

12KB
MD5

18be8734f158add81a1d6123270c7e10
SHA1

33e6e05ec5f55c7945b8993dcb947ad4b3a6c165
SHA256

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054
SHA512

a87de3c25201319c005c14a9328eada2640b220c8c618df3cf6e22dfcecd80b9deb240a87ed33f3e7a5ba2ab62a851003a8661187a52b931d3bc825d57f3ce47
SSDEEP

384:EL7li/2z8q2DcEQvdhcJKLTp/NK9xaet:S4M/Q9cet

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe

Deletes itself 1 IoCs

Processes:

tmp3A4B.tmp.exe

pid process

856 tmp3A4B.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp3A4B.tmp.exe

pid process

856 tmp3A4B.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe

description pid process

Token: SeDebugPrivilege 4564 492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe

pid	process
856	tmp3A4B.tmp.exe

pid	process
856	tmp3A4B.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4564	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exevbc.exe

description	pid	process	target process
PID 4564 wrote to memory of 4172	4564	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	vbc.exe
PID 4564 wrote to memory of 4172	4564	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	vbc.exe
PID 4564 wrote to memory of 4172	4564	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	vbc.exe
PID 4172 wrote to memory of 4324	4172	vbc.exe	cvtres.exe
PID 4172 wrote to memory of 4324	4172	vbc.exe	cvtres.exe
PID 4172 wrote to memory of 4324	4172	vbc.exe	cvtres.exe
PID 4564 wrote to memory of 856	4564	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	tmp3A4B.tmp.exe
PID 4564 wrote to memory of 856	4564	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	tmp3A4B.tmp.exe
PID 4564 wrote to memory of 856	4564	492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe	tmp3A4B.tmp.exe

C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe
"C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5mvl1zfv\5mvl1zfv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BD0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F6B267115C34BC9A080C3F452EFE6.TMP"
    3⤵
    PID:4324
- C:\Users\Admin\AppData\Local\Temp\tmp3A4B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3A4B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\492ddcbe0658c0c42ddeabe16748eb265f5f3c9cfc4c5f4e7ca6ad60ba969054.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5mvl1zfv\5mvl1zfv.0.vb

Filesize
2KB

MD5
e5d36ac005935c318d49215725061c2b

SHA1
bc80673d002c681d86f204ff24f3d0c4f9857fe5

SHA256
fb16d4af38a12e47a620192d0331afa6547df3ab6a45155b2fe3f2e98a2129d3

SHA512
b1bf1a21fa65d3b9bc2e2c67cdaef48074898bd051e970acbb68e504bd14c0044b24a3b414c76bf05d9698ae58324c46cc5a2224be1d30c0925dfb94eb5b0a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mvl1zfv\5mvl1zfv.cmdline

Filesize
273B

MD5
d74284469e74cbdc4dc452adb4ea2757

SHA1
016b84cabf5aa6aef46230a4db169942d9360a51

SHA256
7ab5c7e1a0cebe3cb616d8d0429b7779c4fd771105cc800850fa0a4e2a5c10a4

SHA512
838a9ca21be02ac5a66436437a1b6fa3d963d67a6ba0accaf326da01ab2474c81b45a489ea561cf54a944e4cb7f9b5898d9983adbed1c1d4076ce531465121b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4f6005f46c010c0dacf90526b36dc4ac

SHA1
c44f23af36385257ec32dc9d644f30b5c131e8e2

SHA256
f5e901aa0925f8700734d5ef54bcc629ab44eec0328c8cec075a9717aa794608

SHA512
0d3220e540f9f0f548f48c95e4c9f70fbb912f92edf998caa53ca6c5551f4b183681a37f0f86a24932d9c7052f70fab779fc0741f70b0b608aae7b707353ab05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3BD0.tmp

Filesize
1KB

MD5
efdb410d063ea15176af59993d3ac017

SHA1
b8d76d90fbe112eff6f45f088e9ad00d907f8555

SHA256
c978566bb86fce43654c168fb29896a6e8b1982c8716b24b20774e54b82493c8

SHA512
6d386270fe1810ceb599b6e456d11e757a6f665c6a11ea13199ffcc85fae3f0377c9a8190f4939d8e426c69bf00689f46d0723842b3fed06c1cfa9b2e48da634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A4B.tmp.exe

Filesize
12KB

MD5
887690a5b1212347b6333b4fbd3d42bf

SHA1
05393c5428a25c51f1c49dcb5ca4c6e427009f73

SHA256
2ca15ae6d581a11077bdc8d386822ba57b41cbbe513ff9dd84670761d2a0352f

SHA512
521dbf59a3210eabd749f95522176eae351841f025163730b506abeaccd638d073455aa01a661928e81f451a796b8ac596670633b064c7cdc3b7045476103b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F6B267115C34BC9A080C3F452EFE6.TMP

Filesize
1KB

MD5
18fddfbd32d9c66b9b8f4969d4e05fb4

SHA1
8da2998a7ed97f9c9fb9eddeb101df5f5c020d0f

SHA256
dd576ecedd4120752c438e2f54c231982b21ae7ffd142fb64cde658c84b61e38

SHA512
e9d00dddfd721e3571c8cb6ce6182f616bcbad626c7569bf6be6f17dce8ca581cb010b782f1600e902605b97b69b2ee21d073ce1b602146d82ec0c87c18d3c95

Download Submit
memory/856-25-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/856-26-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/856-27-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/856-28-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/856-30-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/4564-8-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/4564-2-0x0000000005260000-0x00000000052FC000-memory.dmp

Filesize
624KB

Download
memory/4564-1-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/4564-0-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

Filesize
4KB

Download
memory/4564-24-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing