5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5

General

Target

5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe
Size

12KB
MD5

244c4da31c3f6f37d13d393570c84890
SHA1

b9ca92a613daa7f4aa4a6b2a9acf3e8b538c0759
SHA256

5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5
SHA512

925f5ca9b76885669513e2e1bbd11c8a8c045ac259ddcac8d061dd18712f8273f8f357ad48a26976a155b012e11cfbefd17c028ee2530824cb4bcc943f3880f7
SSDEEP

384:GL7li/2zHq2DcEBvdScJKLTp/NK9xapE:gLDIQ9cpE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe

Deletes itself 1 IoCs

Processes:

tmp46BE.tmp.exe

pid process

828 tmp46BE.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp46BE.tmp.exe

pid process

828 tmp46BE.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe

description pid process

Token: SeDebugPrivilege 3336 5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe

pid	process
828	tmp46BE.tmp.exe

pid	process
828	tmp46BE.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3336	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exevbc.exe

description	pid	process	target process
PID 3336 wrote to memory of 4100	3336	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	vbc.exe
PID 3336 wrote to memory of 4100	3336	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	vbc.exe
PID 3336 wrote to memory of 4100	3336	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	vbc.exe
PID 4100 wrote to memory of 5020	4100	vbc.exe	cvtres.exe
PID 4100 wrote to memory of 5020	4100	vbc.exe	cvtres.exe
PID 4100 wrote to memory of 5020	4100	vbc.exe	cvtres.exe
PID 3336 wrote to memory of 828	3336	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	tmp46BE.tmp.exe
PID 3336 wrote to memory of 828	3336	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	tmp46BE.tmp.exe
PID 3336 wrote to memory of 828	3336	5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe	tmp46BE.tmp.exe

C:\Users\Admin\AppData\Local\Temp\5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe
"C:\Users\Admin\AppData\Local\Temp\5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zwoookmt\zwoookmt.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48A2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1678B2E60D249BC961EF0DE714280F9.TMP"
3⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\tmp46BE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp46BE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5a129dcaa628740db378732f37362786d2c9252525c258a7fdd70dea017467d5.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
f77602eeb5dfd8d5331f89b51006957d

SHA1
1d3eeddd01c7c1acece87b7d4c2f3ae3ee15d49a

SHA256
5159b2149ef7241ac000f83f99020b1b74853f6ad93edfef4bd22341335d6f98

SHA512
99a847781f0450b99ff52492aed8c53e45248ff2b8a4a947833a12baebb1b6365506ab5afb2a133466cde7168e39cbfb196510b8b3e0670749301d686dd6b2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES48A2.tmp
Filesize
1KB

MD5
b7d0aebcd063176142a22a38b774d727

SHA1
ba66e756497c50366140ff4ac9ee2415ff1b8a35

SHA256
4ce43d96e9b74c2f3cec945bfef6a53e5592e11d657adc3f8af7536d408dcb72

SHA512
7ab93c9d061c8a0690d68ff439115e2650a077de69d6c179d055f0305ff7ec024ed587222e385cde5c8fd00eeed8b00409ff54c40c721f3c2da512cf10924c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46BE.tmp.exe
Filesize
12KB

MD5
4b37a10a954613df60276339ae8f5ba9

SHA1
a485cd7e30b6520e89b7782d38bca1bae0ec90bb

SHA256
e9843b641e9e82e55b1640456c419f71b23372701d3227c8bbd1d458028383d3

SHA512
6e334a318468d872b2af3775f5ae8c999972aae612c3dd6c46f1232dd4a3f0a08503f55bbb8ab34101ed608a4976cfb14e53609df38348432509cd409fa33f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD1678B2E60D249BC961EF0DE714280F9.TMP
Filesize
1KB

MD5
e7d0cc67cc95b447fcf47fc88b963a89

SHA1
99f70f49026604656d8fc541ff42934204bde05d

SHA256
f21d7412fe116e9ee5e3c3f37568fb89aae657a1f6d62098cfb255635db502ad

SHA512
6ad1601af1eb5305ad6c5bea3edb02153e5d64dddb2aad7fe0d0fdd73a7eec1ca54b2f21d33d7143f13e8a87ce835f669f1d197d1485244aafeb23ceedd25be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwoookmt\zwoookmt.0.vb
Filesize
2KB

MD5
78688011e7bc26f5b0ecf073d20301a9

SHA1
c6e054b132eb32b289cca8648d1e309ce55ebb82

SHA256
a2e10214d5f3563077f786ebd7fc986fba92129384e3635c833d8d29717aded5

SHA512
1b465f2774f386d0a0fd0477eca17748dea1ecd22185e7a1e5b59f7155e3e868d8671dfaae0bfa8aa26efa5690285c23fde44cad3d910c3558c5ba56251528c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwoookmt\zwoookmt.cmdline
Filesize
273B

MD5
2b928eafc8a90a10a05ed5240053ac5a

SHA1
8b836fbdf1bd8731cd6d567ca4da4224074d8663

SHA256
034664803b68a8c07c1714c82bb1d4e7df0d7d119567bf966d092f28a2ee954c

SHA512
6e738d48cccf707102dd892f2b4d0c056ae18a1aa55fe838106f736aa4e126973141da99b524f7ca18135e5d882c484ea058b366c976d1b84f1bc5065ec7f920

Download Submit
memory/828-25-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/828-26-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/828-27-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/828-28-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/828-30-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/3336-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/3336-8-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/3336-2-0x00000000055A0000-0x000000000563C000-memory.dmp

Filesize
624KB

Download
memory/3336-1-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/3336-24-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing