5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3

General

Target

5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe
Size

12KB
MD5

0e9020b2cbb1a0d1eae43611d40cfae0
SHA1

9ec5a4d7f7225722a8555f8a0490e7c5029a0505
SHA256

5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3
SHA512

e17c125e0e34b8d79ba84d148643a1a1fb6d0c03f0d1e87715d51e2c9a4d469f16ad8bac92ad21bb31fc3c58e1297df0d243c3bbddbddf33cdcced4d1f592bc0
SSDEEP

384:ZL7li/2z0q2DcEQvdhcJKLTp/NK9xaGQ:pAM/Q9cGQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe

Deletes itself 1 IoCs

Processes:

tmp47E7.tmp.exe

pid process

1316 tmp47E7.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp47E7.tmp.exe

pid process

1316 tmp47E7.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe

description pid process

Token: SeDebugPrivilege 5064 5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe

pid	process
1316	tmp47E7.tmp.exe

pid	process
1316	tmp47E7.tmp.exe

description	pid	process
Token: SeDebugPrivilege	5064	5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exevbc.exe

description	pid	process	target process
PID 5064 wrote to memory of 1092	5064	5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe	vbc.exe
PID 5064 wrote to memory of 1092	5064	5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe	vbc.exe
PID 5064 wrote to memory of 1092	5064	5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe	vbc.exe
PID 1092 wrote to memory of 4600	1092	vbc.exe	cvtres.exe
PID 1092 wrote to memory of 4600	1092	vbc.exe	cvtres.exe
PID 1092 wrote to memory of 4600	1092	vbc.exe	cvtres.exe
PID 5064 wrote to memory of 1316	5064	5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe	tmp47E7.tmp.exe
PID 5064 wrote to memory of 1316	5064	5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe	tmp47E7.tmp.exe
PID 5064 wrote to memory of 1316	5064	5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe	tmp47E7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe
"C:\Users\Admin\AppData\Local\Temp\5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wlk3avqh\wlk3avqh.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9155B8AC7FCE44B8B27C6121C2BE4774.TMP"
3⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\tmp47E7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp47E7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d9c51a61fd258899bf0653ac24467be9cfbb5015e15435713f634dfc7f68be3.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
acb03dc8d4c04231fa6432c874aa7df0

SHA1
ddc8872c359860a7a8ddd0f9177d56a13af7f749

SHA256
056c5e6bf89c81459bcda3bf2994c71656fdf3d986c6f252ed3b69cdbe6b5d4d

SHA512
c1e25af34690e4b02c09983b9cae9e2e820cca923ce6d99a2f90f40927a7bf3c079bd1f012acc11fa9e775271dc8a1ebbf38e7d4a3154ad1f473073cabde2547

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES49AB.tmp

Filesize
1KB

MD5
53db02d5ce3f335c0bc109aa80dc90e3

SHA1
7f7460080006ec9cd1acfc35d636f04bde4ba25a

SHA256
f953cee2f6b455a8dede73a147dcaaeb2121a3bf5c7d0c2873117c11e2981150

SHA512
d5cfae84111cb85b420e2afb20ccad41bb3e85ab31a9b75fc49b7d57d62de8e045df2a6117a0625d7c2b63a07a2d7f837b2cf44bec2bfec876d149cc0cc1b35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47E7.tmp.exe

Filesize
12KB

MD5
151251063e7f5d5a5f509cd5607cd9fe

SHA1
e85023c7383dfb3d9ae316de57001dd187d1309a

SHA256
7ba3f4e3897ff255462837fd6ab9ffe1a1a667689442c0941fcf925aeec2220b

SHA512
2f648cc8b307a104e0056ed82e2a1eaf4e94ce6577d4b95073a907559e8809185313bd87d5899c3efcc054b5f690adf87c516c9e012e8f61407fc159501f2854

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9155B8AC7FCE44B8B27C6121C2BE4774.TMP

Filesize
1KB

MD5
717bf6fc9de9880fc6f1a10b95645407

SHA1
1b3064d640e9658950b2a74101571e4249b1c106

SHA256
ff53a5fb074579967a49c9e9cbdd40b12280c1b6e77e917a252b76b323d23866

SHA512
4b0c1fd6929de7976f608afbf05f14ee61d1f9522df687422ee6f145be5307cfd70a9a6d7072905b4a4f5c2f762a146dff14689737eb96f13241df162f12a3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlk3avqh\wlk3avqh.0.vb

Filesize
2KB

MD5
7d5e6a96d7a6cbd635d38503c9b35a5d

SHA1
120b036896fdbd517b63d34971a4e468a03bde4f

SHA256
20b40ea24d48ec549ab49c60750b9988835318bec7bb894c81ded286cd26ccc1

SHA512
6dff1a64e6825607095524daf7f3af8521780acf6479c9e6f02edc558c608e53701ae48ffa75e922a6deb00630a4d3c57cc5ce6ccc5c6298e032e366c5198fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlk3avqh\wlk3avqh.cmdline

Filesize
273B

MD5
28db12387c726b0f70bf52436b7da043

SHA1
e184b4b4f7a3733a3b8f548a0429d3b05ee3f9d4

SHA256
a3f68d442dd913559a2b334c5120ad1e5c7bc0153698d37021d4694780870ac6

SHA512
d0dae5ab76b931e1630c7abff866a961b06c818c83d2e7fc2ffae1c7f14fa9ab5d00b1a582d3567ffe81305e80813938d6b74ea5a4322e1f570e71b2d26770fe

Download Submit
memory/1316-26-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/1316-25-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1316-27-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/1316-28-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/1316-30-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/5064-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/5064-8-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/5064-2-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/5064-1-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/5064-24-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing