51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf

General

Target

51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe
Size

12KB
MD5

235bad5785640a23173b6424bcc1a650
SHA1

4ebb71a2e03f2d44acefacf1e922ec21825f1859
SHA256

51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf
SHA512

e9e6ef1677168c959af162c554e93f546e646f6a88e2e6e0bb55fa9bb471ca07a7ba6fed48d0bb0d94d68edfc6f1075bbb38ede943f78613ea0bee44ef6d869c
SSDEEP

384:aL7li/2zoq2DcEQvdhcJKLTp/NK9xa8e:EMM/Q9c8e

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe

Deletes itself 1 IoCs

Processes:

tmp275A.tmp.exe

pid process

3864 tmp275A.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp275A.tmp.exe

pid process

3864 tmp275A.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe

description pid process

Token: SeDebugPrivilege 4656 51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe

pid	process
3864	tmp275A.tmp.exe

pid	process
3864	tmp275A.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4656	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exevbc.exe

description	pid	process	target process
PID 4656 wrote to memory of 820	4656	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	vbc.exe
PID 4656 wrote to memory of 820	4656	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	vbc.exe
PID 4656 wrote to memory of 820	4656	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	vbc.exe
PID 820 wrote to memory of 4748	820	vbc.exe	cvtres.exe
PID 820 wrote to memory of 4748	820	vbc.exe	cvtres.exe
PID 820 wrote to memory of 4748	820	vbc.exe	cvtres.exe
PID 4656 wrote to memory of 3864	4656	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	tmp275A.tmp.exe
PID 4656 wrote to memory of 3864	4656	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	tmp275A.tmp.exe
PID 4656 wrote to memory of 3864	4656	51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe	tmp275A.tmp.exe

C:\Users\Admin\AppData\Local\Temp\51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe
"C:\Users\Admin\AppData\Local\Temp\51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1faaw1us\1faaw1us.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62BC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18628B2915104E689F2385C1A0D3CCA.TMP"
3⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\tmp275A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp275A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\51614109b8d2b59a1c138417f410bbf0267536165174f18b127d2f593ad1d4cf.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1faaw1us\1faaw1us.0.vb

Filesize
2KB

MD5
b2449bf320d9e6205ab9e35e4b9c2f23

SHA1
afd5517154adc9dfc67cbf1c656faee23a32b27b

SHA256
370fcb85c62d2ee7722e3ad3136020acb5c172762d4809efded726fa976fbf29

SHA512
8bcf91ac059ea193b093ec000088cbcc919e1bf8595d1a8bc9ecc1585f19fb9c32500670c0249cee4d18f5d220d4b37d9f7b40daf5cb4717b8795657a83ce6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1faaw1us\1faaw1us.cmdline

Filesize
273B

MD5
c41f807df0ed9804406b1e85649d9661

SHA1
fca8937cba1ac774139d61ed6ba928c7ed4cfdfb

SHA256
99f0179feff5f6dcabe9bc9081c4ae04ab0163caae8597c2260232830cb49e51

SHA512
10221c4f6c1cd83f80b446ef13cd79dc44c1b4a342540e386e903fdca2ac23242e7515e2001f92c11a3b43ddade725e5a6aca4095ebd40b0a006d0584a5ebe1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
49229aea8568271b84edeffba8e34fab

SHA1
743231df275cb20da8b1a94d8ed39ba5a4ba6243

SHA256
26499d003ce98c270aace30dc8017af4cf9d740bbf93f672d1990ef84f214b2d

SHA512
f3d50ac956144890559c6e5d17a82c1efa1a463dbd6750a06f3fe277fe279a99ba4e4e5aa2ae6a48675b91cc153cd7b927594d150213037f53efd6b04e07d223

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62BC.tmp

Filesize
1KB

MD5
deb091641f7762509bdc2d4fc9f252db

SHA1
94e10bd03b7affb0be1968bb050d6fcb5af9bfdb

SHA256
4dcc75d1607c6164a2c97cca00b537e150d3a3f706e1607e3bfec5c4b9432e92

SHA512
dd964d21df6fa458fca68c5cf58fde3def156e610072b61f07e5ae20d01508e0fae6a87ea0af03039cd85f2a1a4f0399fad964a4fcba53db45a64c412d6f2cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp275A.tmp.exe

Filesize
12KB

MD5
359b085225ed03e3c452c7d9e7cbfa6a

SHA1
7222bfe86b640aec20613518c0bfd258609395db

SHA256
67be3d264a09813d0647437b28749d1547d510a2b55ddf65ab245b90478e99c0

SHA512
150c1c5507ac6b901f0de9d4ccbd273c50ac21367052c0d221566baf890947e5f198b400aa126440eeac855a318c390665baee2a3ac963038175ce36b00d5ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc18628B2915104E689F2385C1A0D3CCA.TMP

Filesize
1KB

MD5
8e99cdaf35b2500a3a2d2a07ee8f2b89

SHA1
002459b29a5df34856c42d27d64654653fc0cf83

SHA256
86335f6ad5192b2006fe61e3fc250b178237ae83fd7f746736722fc36d0fbd0a

SHA512
6d5015d64a545ad29d577435649d956ba9acdf2885659cdeb8058059a8e14dc40056a1f236e8539331feb112acae6d822b21ab36b2762a8107ac8669b74a194a

Download Submit
memory/3864-25-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/3864-24-0x0000000000A60000-0x0000000000A6A000-memory.dmp

Filesize
40KB

Download
memory/3864-28-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/3864-29-0x00000000053E0000-0x0000000005472000-memory.dmp

Filesize
584KB

Download
memory/3864-31-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4656-7-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4656-17-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/4656-2-0x00000000057E0000-0x000000000587C000-memory.dmp

Filesize
624KB

Download
memory/4656-1-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/4656-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/4656-27-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing