7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857

General

Target

7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe
Size

12KB
MD5

2b887821f2ad5f68620565878f9930f3
SHA1

9b060c27b03283e44f7a41869a88b0495d83d8ae
SHA256

7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857
SHA512

51e85f96d303f5a3259222ddd7d157e352adb5da91cd11b56f67096533509e4ba9e3319d90ef5f575b4ddcd9a232e9fcc73b0638f29b9352ddd410a7d69ade73
SSDEEP

384:cL7li/2zWq2DcEQvdhcJKLTp/NK9xaPv:6OM/Q9cPv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe

Deletes itself 1 IoCs

Processes:

tmp2C41.tmp.exe

pid process

4432 tmp2C41.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp2C41.tmp.exe

pid process

4432 tmp2C41.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe

description pid process

Token: SeDebugPrivilege 4316 7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe

pid	process
4432	tmp2C41.tmp.exe

pid	process
4432	tmp2C41.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4316	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exevbc.exe

description	pid	process	target process
PID 4316 wrote to memory of 3208	4316	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	vbc.exe
PID 4316 wrote to memory of 3208	4316	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	vbc.exe
PID 4316 wrote to memory of 3208	4316	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	vbc.exe
PID 3208 wrote to memory of 552	3208	vbc.exe	cvtres.exe
PID 3208 wrote to memory of 552	3208	vbc.exe	cvtres.exe
PID 3208 wrote to memory of 552	3208	vbc.exe	cvtres.exe
PID 4316 wrote to memory of 4432	4316	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	tmp2C41.tmp.exe
PID 4316 wrote to memory of 4432	4316	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	tmp2C41.tmp.exe
PID 4316 wrote to memory of 4432	4316	7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe	tmp2C41.tmp.exe

C:\Users\Admin\AppData\Local\Temp\7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe
"C:\Users\Admin\AppData\Local\Temp\7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vhl0l2ns\vhl0l2ns.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FF11D448CAE48039028CECC83AFB75.TMP"
3⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\tmp2C41.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2C41.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7865fb5551e40e31cc9e824a9d5f750df967edd2cbe5a72c314e2d7c7c241857.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
b99342218f4eca7ebd2698f98afe9440

SHA1
1bc52502d53ce1339fe3088a6b33f47dfc31a212

SHA256
30b540912b5025d9c342f4bab6a7479e82e0894bd29066b45b3b834a6bf6d2a1

SHA512
cf21489fe2e3fc7b02800fa231a86c0ad51f7d625d5e96c0bb57adddb91736e74019873aae4ddd91dea4bdcfd169c84b6a5695eb333498e1f815ddc397f3cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2D88.tmp
Filesize
1KB

MD5
90ef024b77acb8df02c5a8719a305f4c

SHA1
dcafed8302b0f02b045c5a99c6ce74a179bceb93

SHA256
197294182d382d023277046211d734e15bbdba8f577693c82e8f372f9716f4e5

SHA512
0f487af3433a312a236ba1f5e82959ef1c81da7596b9cc901509456e04c56a046054661b76e48fe1c63cdcdb1264f407e40ce4b167193efa9b44b31087c65d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C41.tmp.exe
Filesize
12KB

MD5
369c2e6506ad9ba7048c44797efdccac

SHA1
887be154d35d4004d88b0939a92bba5f100a7d07

SHA256
4fe00ebe6b6c464703ee7357f7c00b8a8c36d7df7dae93361189b6dd9d990ee9

SHA512
559acf205949ddc03c511e1db1f0edeb2ffe1b3497e23dc62b3ed84cbd3df42ffcdfded85517507d59744073671076bef89ca15e068cfba6cc96183b4accf896

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8FF11D448CAE48039028CECC83AFB75.TMP
Filesize
1KB

MD5
ff519d94592e986961a2e1ef1e394bcb

SHA1
28aead06f68b031c70b220dd3c218c0c449be458

SHA256
6729113a1963eb4f5ed2ba2df4245935c9673aa10cd347a3cf993938e163374a

SHA512
03f935f0d460e3b4a27763437288458ad97058193984cc328719d1602ea65384528d3b473bb925866312ebf39593a003d1417e20a599b2f20392e74d24d31b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhl0l2ns\vhl0l2ns.0.vb
Filesize
2KB

MD5
ab20e599c4bb502bfdd9285aa97cf785

SHA1
3178c1ac1c1f73c70a8d74c5296963938680a973

SHA256
aaf76bc6fe7a10f5b4cd923cb229f8d31c17d2910a8e5da239090b66b50304c9

SHA512
dde0459ba23b5e83702f77e1aa0adf5207ca4a0a19f384303eb2db0ebd11ffc2cfe556765050bb0b010c6f1959d445b951c88bd60f869ab5f272e4b58e52bbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhl0l2ns\vhl0l2ns.cmdline
Filesize
273B

MD5
22e4a91e878af6fdd5996756ad3fed32

SHA1
f5716c05941b50a4f240a4c32a577ede17c0ec46

SHA256
ae58075763d4bd4d411ba4014f6c5171fb23db4e971edbaecd6d512735171c6f

SHA512
fb3c805f48bb7bac92191136e0e0ca3c5b5841017203c89e926b98038d4b4c974bc7d29841155d75b957c54daf9b2006c19d8d6b883a8ed9fa1fef4edb10662f

Download Submit
memory/4316-0-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/4316-8-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4316-2-0x0000000005980000-0x0000000005A1C000-memory.dmp

Filesize
624KB

Download
memory/4316-1-0x0000000000F70000-0x0000000000F7A000-memory.dmp

Filesize
40KB

Download
memory/4316-26-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4432-25-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4432-24-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/4432-27-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/4432-28-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/4432-30-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing