87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11

General

Target

87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe
Size

12KB
MD5

4079e086d7d00f7514942ec9b0f9e6aa
SHA1

f2941f8dfd886bd98cb64b7a6fbd9c9b9fd87dbd
SHA256

87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11
SHA512

68fd6e11e70f45e5bad4eee89ec870b2a2c7be15cee8dd87910d13d86c898378c911dcfafcaa3db9c634fe555f9d7e354e2edb443c2dd82a27774fcc2b7e16c4
SSDEEP

384:CL7li/2zEq2DcEQvdhcJKLTp/NK9xarF:coM/Q9crF

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe

Deletes itself 1 IoCs

Processes:

tmp346F.tmp.exe

pid process

3896 tmp346F.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp346F.tmp.exe

pid process

3896 tmp346F.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe

description pid process

Token: SeDebugPrivilege 1564 87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe

pid	process
3896	tmp346F.tmp.exe

pid	process
3896	tmp346F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1564	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exevbc.exe

description	pid	process	target process
PID 1564 wrote to memory of 780	1564	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	vbc.exe
PID 1564 wrote to memory of 780	1564	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	vbc.exe
PID 1564 wrote to memory of 780	1564	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	vbc.exe
PID 780 wrote to memory of 812	780	vbc.exe	cvtres.exe
PID 780 wrote to memory of 812	780	vbc.exe	cvtres.exe
PID 780 wrote to memory of 812	780	vbc.exe	cvtres.exe
PID 1564 wrote to memory of 3896	1564	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	tmp346F.tmp.exe
PID 1564 wrote to memory of 3896	1564	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	tmp346F.tmp.exe
PID 1564 wrote to memory of 3896	1564	87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe	tmp346F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe
"C:\Users\Admin\AppData\Local\Temp\87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\px101ryx\px101ryx.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4867425484DB46498591433A1EE63A34.TMP"
3⤵
PID:812

C:\Users\Admin\AppData\Local\Temp\tmp346F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp346F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\87e044bfd76b2473e0622f607a22c8501bc80d21150a0cce78b01122b8c9bb11.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f08acae78665b711dcdc50b2da7a3305

SHA1
3e30481009eb6539501bdfbcb5d416372d7d1eb3

SHA256
7d959bc099219fb79563b10e2dc49336552c4cc2c67fb09c4eb1d32158d79d08

SHA512
151081387a0e496494390712f863bed0c12a8afd921f2ec72be1ade3bd7e6c10f3c0ba376cde952ca52c5f3f81cbd019ef00ea0e45e26166fad78968a0350dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES35A6.tmp

Filesize
1KB

MD5
56b6e94116ff33019a3d1d43588059a2

SHA1
e9d71ea7a3af68a65e3f81c7c41410d41dbb7bf0

SHA256
e0c5b7f9d47ec47dd43909dc943f56b4ba88be03e61f57b8d0cc22ae0ed25731

SHA512
ae07b1e18caddd493003646b27893d0c7c4fd6434ab79bf85b1e083345e7aa9692b58112241e6a402533b4cd8d35150ba44d12bae56ede4d43d70aea6a3928d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\px101ryx\px101ryx.0.vb

Filesize
2KB

MD5
9b52f47c3913178bf247b1d2f35cb902

SHA1
ac3ba6e6a78acf8496d2a769c7a0dc8fef90b0b0

SHA256
6cd208a9cf880969cb1914ab44891882ce14ca901cccbe8ce24fca2a9ea3c4ea

SHA512
92804c018b45e9cfad05ce3493cc058c72ef022cc16105bef7d95d5748c6c45f72e181465de96ecdf326a247f1766189de4307a1250ae060377fc98293180846

Download Submit
C:\Users\Admin\AppData\Local\Temp\px101ryx\px101ryx.cmdline

Filesize
273B

MD5
3f633634a5ee924401b48c5eb14471c2

SHA1
a1d78a0c5011c2c20a391bc6854c52934f3fccbe

SHA256
dfa9a0d7e75c29eeb052e46592bb2afb77f678e2ceb8a6cf08c0c3e7052e14ec

SHA512
4fa7a2441fea64ba190170c1999d00319a7b21eb073127972c575c9bf7a76d98c15eb1a0e4161b928233979e83868581b76f350636a29d4226e630df9f8e73d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp346F.tmp.exe

Filesize
12KB

MD5
ebea7eccfbff24a62c5822c422e5d9e6

SHA1
b6e8b3e75ddad5c15ba14de3ec2ebe239fc2f5ab

SHA256
1f07c2ba106eefeb83de623c2446ab1d08b71a66d97d886cab218bc00117a4d3

SHA512
05e06d1effda87e8d83e9fc575249d7c8240a9eaf796cdf54d04ecf9aa3e24bfd05590d3b4c357e96a031754c19eeaa61c7f6a0fda89e2a7c8faab390d02cc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4867425484DB46498591433A1EE63A34.TMP

Filesize
1KB

MD5
0ccae241a074af39eabe64a9a2767749

SHA1
0d6215ea1186103dca8792a5d77ad138efd97239

SHA256
78d4090c656dbfd9e75bf8c0d7cd663fcafe009a397e99ae72a7fe076eebc59d

SHA512
e6f21132e327e366342b090f1b32623a5c6ed1e54ab4846da2ee2bd44fedba499ace9e2b3b1eba088764faddbbcde34f10ef062b917dd955ca83bb919bd8dcf3

Download Submit
memory/1564-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/1564-8-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/1564-2-0x00000000052F0000-0x000000000538C000-memory.dmp

Filesize
624KB

Download
memory/1564-1-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/1564-24-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3896-25-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/3896-26-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/3896-27-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/3896-28-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/3896-30-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing