881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83

General

Target

881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe
Size

12KB
MD5

70b79c42ae595fe214e60a96c7881ca0
SHA1

5f336d3147256b633c1b9c09c3132f3ea199c967
SHA256

881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83
SHA512

2ffe1e2c166c1c963e8133778e98f213aefc06ee6b61a3a0a332ea3301d1e3a3fe8324bb81531ae482a29d1d07167fbb86b24e8e4e939643cbdd98a4f150c54b
SSDEEP

384:jL7li/2zWq2DcEQvdhcJKLTp/NK9xazx:nOM/Q9czx

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe

Deletes itself 1 IoCs

Processes:

tmp4C1D.tmp.exe

pid process

4644 tmp4C1D.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4C1D.tmp.exe

pid process

4644 tmp4C1D.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe

description pid process

Token: SeDebugPrivilege 3264 881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe

pid	process
4644	tmp4C1D.tmp.exe

pid	process
4644	tmp4C1D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3264	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exevbc.exe

description	pid	process	target process
PID 3264 wrote to memory of 3716	3264	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	vbc.exe
PID 3264 wrote to memory of 3716	3264	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	vbc.exe
PID 3264 wrote to memory of 3716	3264	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	vbc.exe
PID 3716 wrote to memory of 2852	3716	vbc.exe	cvtres.exe
PID 3716 wrote to memory of 2852	3716	vbc.exe	cvtres.exe
PID 3716 wrote to memory of 2852	3716	vbc.exe	cvtres.exe
PID 3264 wrote to memory of 4644	3264	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	tmp4C1D.tmp.exe
PID 3264 wrote to memory of 4644	3264	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	tmp4C1D.tmp.exe
PID 3264 wrote to memory of 4644	3264	881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe	tmp4C1D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe
"C:\Users\Admin\AppData\Local\Temp\881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4ug02j3l\4ug02j3l.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DB2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57203FB5A5B140DB94C3ECD41EDA55E8.TMP"
3⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\tmp4C1D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4C1D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\881260b53e71d0a08870bc2cc473dac74d1f32d418a030dc4db0f105c3f5ea83.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ug02j3l\4ug02j3l.0.vb
Filesize
2KB

MD5
bab230a52bf31af09a3e9b9d0dba3c06

SHA1
29cc2c3fd79d562761cfa1a980c42cb2e8cfe6a3

SHA256
3b0591379b9cfdfbf55b31b7f704ccddc679bbeb7a75e6c07c999e9a0e1f6769

SHA512
dc24cebf6d42f665f230ad782526ae8357e79f8e7c3e2b54c91d1ad99bc3fdeb9e4ee23968e3e4cf441299e01badfa713b7a469196ef22c171ac35bc8827b99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ug02j3l\4ug02j3l.cmdline
Filesize
273B

MD5
857bf5739bc3cbc885f68229ae5d622d

SHA1
88e532e219c265ec0d49e2f2369e61072d3f318a

SHA256
d8ca8d7096b228d7b9de689fbd99f31f01d9d496ac81cfb7ae0e58da845cf247

SHA512
b447aaa9ff78509c3e2d04e83337d499cdb2489aa7d7bbdd5ce97f771c143ee0cf14c74dedbbf8165d617f7d4ef46970abe85ea5fb1e77893ca53edd3dfa1d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
55cb12c7b0bf4dbd8cdb65f7cb8140e4

SHA1
6ba38c9ce39387345c5f2e81d54dc194e8481e2d

SHA256
6a6f28159113d96e959b89fe40fa496dca682cdb745c13f3f68577a9f3f9b1dd

SHA512
7eadb8597445381759462d16d2be9f153ebd8235042b50f12b14060a9692675284a4b0c3efc82d25e2dee7f1a5bdeaad7598a01fd1c8c099ec949c18ab72f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4DB2.tmp
Filesize
1KB

MD5
072d033eb970d3f22e19c479ac927eee

SHA1
9e45e4ccda45acf86f21cfbfe40e8372ee0c4929

SHA256
2c5b6f37f99fb359df2f047e904e5d0237657c3369a9444d088857020c1a8c6d

SHA512
9afff8e6926a3c65b01f49b2ce2e4de9ee68de32f4a8c21ac0650cf2f20b32e0e10fc1835f17dd0ac690d35e9f9beab3e5ca325b313601f864cb94ebedafc6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C1D.tmp.exe
Filesize
12KB

MD5
1cb20a8bebbfea2f91c90a1968d736cf

SHA1
d65d17c31561ebaaa3f8cdaec2155243227f8e08

SHA256
6b50a78ef3a314cc76ce05e9e47ea8bbfceb5c3c8a3eb80be718d86e025e8ae5

SHA512
35a096a6f71a9fa1bcb0d3f9b31bb8213b5a14f6e122760d5249211b2a8d013077341ba7118b33d61fa3307b0d907dfbaae6d6eb5e4c8a9fbe63219dcebd7934

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc57203FB5A5B140DB94C3ECD41EDA55E8.TMP
Filesize
1KB

MD5
19990f54aab47609c476b7c296f9b0c3

SHA1
b44e4c8a76b509fb18e3bf0690a3e52d38a9a15f

SHA256
d2ecac0394bea6a18272b449b893af7fa2427e834c44cb0633ec3223ca7232ef

SHA512
e511d1fc0a49ea716955162227c9dd822592c5e1b08845989b16fc9808746eef8805c02166c93228e19c8148c67dc4edc8170b604a802c29d805f17dd6926ad4

Download Submit
memory/3264-8-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3264-2-0x00000000058C0000-0x000000000595C000-memory.dmp

Filesize
624KB

Download
memory/3264-1-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

Filesize
40KB

Download
memory/3264-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/3264-24-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4644-25-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/4644-26-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4644-27-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/4644-28-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/4644-30-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing