7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9

General

Target

7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe
Size

12KB
MD5

01fdd626e033f1c89b8a7dfda074a3a0
SHA1

a62a589e7c1699b20099f3e7ed2a9084365022f7
SHA256

7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9
SHA512

0c083872ead06682e972b409784d759103d5487af67ee867d8b6284743c60bd99e0c61770b79de42822c52f7781b8db38f0fed81f24b3508fca91186a0103094
SSDEEP

384:pL7li/2zDlq2DcEQvdhcJKLTp/NK9xarp:ZZM/Q9crp

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe

Deletes itself 1 IoCs

Processes:

tmp446C.tmp.exe

pid process

2244 tmp446C.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp446C.tmp.exe

pid process

2244 tmp446C.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe

description pid process

Token: SeDebugPrivilege 624 7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe

pid	process
2244	tmp446C.tmp.exe

pid	process
2244	tmp446C.tmp.exe

description	pid	process
Token: SeDebugPrivilege	624	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exevbc.exe

description	pid	process	target process
PID 624 wrote to memory of 4388	624	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	vbc.exe
PID 624 wrote to memory of 4388	624	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	vbc.exe
PID 624 wrote to memory of 4388	624	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	vbc.exe
PID 4388 wrote to memory of 2544	4388	vbc.exe	cvtres.exe
PID 4388 wrote to memory of 2544	4388	vbc.exe	cvtres.exe
PID 4388 wrote to memory of 2544	4388	vbc.exe	cvtres.exe
PID 624 wrote to memory of 2244	624	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	tmp446C.tmp.exe
PID 624 wrote to memory of 2244	624	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	tmp446C.tmp.exe
PID 624 wrote to memory of 2244	624	7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe	tmp446C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe
"C:\Users\Admin\AppData\Local\Temp\7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mdejtrk1\mdejtrk1.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4602.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8A7A846F9C974737ACF28460B14DBFB2.TMP"
3⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\tmp446C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp446C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7b504de9ddaeb2eb85403c7dcc64fa1f9da0c1fe62d3acc1815f4d27d269f6b9.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
036c56218cbe4129d9288d3706063d3e

SHA1
14376bd896cd6b6ab87e1420eeea6519d3f52c7d

SHA256
91a3b06c885b71d69561f93862d64958e51fcd9c2d9a9badd94e9648cf31b220

SHA512
16a57febfe916c561cd18ad87ad53a66eac5d28c381225e87b63fe3f30bbc2f327d50974968619f2ec07bae1ed11737c1c59cb54109986b5c424a3aad0755a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4602.tmp
Filesize
1KB

MD5
a642c9a3011ce5a1fcf22f3149562948

SHA1
114c25c7678d900acac9c28797a0babcf6fb8061

SHA256
e85d6917f5736878f650e8da69ff06181a412472d2b191fd37b3523603582ad8

SHA512
fe4c2c52d030de77b7c00f8acdc089f9438657cce4d3ede37638089c4de759cc51cbcfb7e9a2a3ed69486f96f350d3612393fdb22f9ef4c4967de793399a7864

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdejtrk1\mdejtrk1.0.vb
Filesize
2KB

MD5
c21c7cfdfb67345c4971cfdcc90039d2

SHA1
9006f4441b353fd06448dad5bb7508281d1c11ef

SHA256
59db2a06303834d512246b121b2672335af018c3c38bce119337dfb1210c2062

SHA512
890712c8d5406f0a5fadd5696581387b57a0ca415341c6160822f6db62d56c7b4d887638c63ae6d1fbece439ea5e2db391cc89e41ca6e015141c26648879155f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdejtrk1\mdejtrk1.cmdline
Filesize
273B

MD5
9391a21ca146dfbe2452aa8a9e99a2c5

SHA1
86960252e451b7e62f0dad8c55698fa6ddb09538

SHA256
e303b59578232fc9a722e172f5e8bcbff9cab34720709c206600e21c914533e0

SHA512
b6fdbf8cd89397f98681b4e4a3474d0f51bca0b4bd2b401f4ec003e0aa071f2918452dd460ac86da28c91045974b3d0a718059b8244a72eecef3674ea81c7bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp446C.tmp.exe
Filesize
12KB

MD5
b0b62b76739cbd77e20142e715d97a35

SHA1
4ca8b73cfb227c3bf6dcdc80225d01b7c1d5872e

SHA256
6ac9ed203c0cdc6ffb60bb1e11682dd9329535bffed026d9119acd35e8a1793d

SHA512
aa154d0be6261cf1ad4fdbee172b396f456e03466046d914d1531ce7e8385125c78bb3cf4d42b3e17b5ea0e7074d1941db7ebe01abfd82da42178b36baa04153

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8A7A846F9C974737ACF28460B14DBFB2.TMP
Filesize
1KB

MD5
0070b8114a87de9bd626df31b5e85cd3

SHA1
abbef0245049ab391866a8556d92ec5891687b8f

SHA256
bdba7afc742a5e77d38b98cf5ea90dbeaa26cce8c34fd25db472392190907fb8

SHA512
427bdc3ada5eb01d15184cad82151368e7397ebdefb4383b0519a15ba733bda5255688e7bb8bbabbcaef5c831ea59f92841ecd5ba6753871bd447f634a0be0ab

Download Submit
memory/624-0-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

Filesize
4KB

Download
memory/624-8-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/624-2-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/624-1-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/624-24-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/2244-26-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/2244-25-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2244-27-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/2244-28-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/2244-30-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing