592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4

General

Target

592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe
Size

12KB
MD5

1ffefb205add31fb90c552f0b7f83dc0
SHA1

c5c271404e33e59c6df119ac465b5e30e9df0f31
SHA256

592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4
SHA512

858953fc6cba9e28e97315c1c0c0592c8f3fd8aad709b8f27345befb8ee25760223ae6765b748ce2c7eddfd5d81845e2f5ee33b151cc18f3c63007af3bbc4f98
SSDEEP

384:gL7li/2zEq2DcEQvdhcJKLTp/NK9xa1+:+oM/Q9c1+

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe

Deletes itself 1 IoCs

Processes:

tmp5E5D.tmp.exe

pid process

3452 tmp5E5D.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp5E5D.tmp.exe

pid process

3452 tmp5E5D.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe

description pid process

Token: SeDebugPrivilege 3764 592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe

pid	process
3452	tmp5E5D.tmp.exe

pid	process
3452	tmp5E5D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3764	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exevbc.exe

description	pid	process	target process
PID 3764 wrote to memory of 3952	3764	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	vbc.exe
PID 3764 wrote to memory of 3952	3764	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	vbc.exe
PID 3764 wrote to memory of 3952	3764	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	vbc.exe
PID 3952 wrote to memory of 2276	3952	vbc.exe	cvtres.exe
PID 3952 wrote to memory of 2276	3952	vbc.exe	cvtres.exe
PID 3952 wrote to memory of 2276	3952	vbc.exe	cvtres.exe
PID 3764 wrote to memory of 3452	3764	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	tmp5E5D.tmp.exe
PID 3764 wrote to memory of 3452	3764	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	tmp5E5D.tmp.exe
PID 3764 wrote to memory of 3452	3764	592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe	tmp5E5D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe
"C:\Users\Admin\AppData\Local\Temp\592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3jzexoad\3jzexoad.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6040.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc192502E9F3594291A56BCBB9B7AEDBF4.TMP"
3⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\tmp5E5D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5E5D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\592330c0fc89d1cc759dd50271ea7a61bf34201e5ec6b78223bf3612cf7b82d4.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3jzexoad\3jzexoad.0.vb

Filesize
2KB

MD5
e51019abbaa0d7f741344e7a1ba9eff0

SHA1
876b1094811e1d95915750ec8da27b44a9fc7b98

SHA256
6a20fd14ed00960b4e3f3bf66e46d692a067352609fc8e9ab5199e97baa6b394

SHA512
b7e62a57051210c95b6acbcac6114d78fc0ee7c46a5218a13139121a16d7f6a2b117d9421d7333972e95b773fe8c1e30df0a75ba86d8cab36a528b1606d3b50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jzexoad\3jzexoad.cmdline

Filesize
273B

MD5
a3d37a41ff39d52da588ba6812819c2b

SHA1
bbe48b354b0c3550a6f380225a06e168609f786a

SHA256
03eae48833015513667f0cca2da1e97b703ad734dc0bb089f22587db09c8de1a

SHA512
537c2ad5a5a277dbdce3cd61ea0a05e460d61ab523cea0bbbd7badd58792e0cb8109734e905f90830e230ee35f6ad9e5b1ba53297d6e05937502cd6e94c5facf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
eedf174f3d37f3db44cd42467a85ea6c

SHA1
4506530ee08b7a9ed77bc0aee61a368fc4062c53

SHA256
6cd4e695502c8673f9aa73e753c29d9119dd468abf4b0811c75c740025c64db5

SHA512
4a95086e25a83059c8109dce5c598d9247eb623443e44d24704351e1e6d75e07f28ae502a7838cabc3ad985312f024e52d85991d054f8254e5950f8ab967d6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6040.tmp

Filesize
1KB

MD5
f90d9cc340719794eb9926e0e71610a3

SHA1
bdcfe3eaa57c34861071dd2abf4056323fc7a505

SHA256
40a9ff3c0a33e55b94ff72159dae3f6dc2a71cd362e2169b789e793f1d7533ea

SHA512
78f1608b5d6d315e6ec7574bb5272bf64034ba71824e68c103853b035cc23217ede91c6fbe70ea1ee0ac6435d4c2d0bd282e549b33d368dc71485e3a8f5534c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E5D.tmp.exe

Filesize
12KB

MD5
3bd6afcbd41b8a94036745d4f2c661d5

SHA1
befd5d574955d0d1c68ad68bf7c6e5bcd0f372c3

SHA256
fd85a0cd46422f83403e06acf022e53821bc41abb1b4f762d6826b8cf91014ff

SHA512
9c1b1b3f2da646404c3ad86e29c8944c073e850617c58569528a4b9c34edab1ae5fe614bad766fee873bf31b7482b548807e826bbc33c1fd987e7373220038c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc192502E9F3594291A56BCBB9B7AEDBF4.TMP

Filesize
1KB

MD5
e03c61fe48d08755ae18766c79660585

SHA1
b553c26fc1cfc6b1694badf4ad5273f50963901e

SHA256
643ee09888870fa8739ba63497323347ca3408b08f66c0c456d8e91570319ea7

SHA512
79fef5e0f27b00b6d047fd40116dd0296af799f50bb53cf6b6e58284ba7f6703cbded425f0acf27dd4d796ef1a4538113ce273b096dc15feb4b6206e35a33603

Download Submit
memory/3452-25-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/3452-24-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3452-27-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/3452-28-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/3452-30-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3764-8-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3764-2-0x0000000004A00000-0x0000000004A9C000-memory.dmp

Filesize
624KB

Download
memory/3764-1-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/3764-0-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/3764-26-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing