14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a

General

Target

14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe
Size

12KB
MD5

04ecdeca7a854a055635a3cc7e0466a0
SHA1

29574fe29abfcecaa893a593f7c6854b64d24e22
SHA256

14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a
SHA512

286202f5979ae2fc9a87ed64983686a008c678e4c7c951797822323e89bcc03ca31a748c04d5b4330e8dc5f2e4e23c078329704f8fbb1f609ea439d7a6ffc02d
SSDEEP

384:SL7li/2z0q2DcEQvdhcJKLTp/NK9xa0b:MQM/Q9c0b

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe

Deletes itself 1 IoCs

Processes:

tmp5EF9.tmp.exe

pid process

4676 tmp5EF9.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp5EF9.tmp.exe

pid process

4676 tmp5EF9.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe

description pid process

Token: SeDebugPrivilege 372 14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe

pid	process
4676	tmp5EF9.tmp.exe

pid	process
4676	tmp5EF9.tmp.exe

description	pid	process
Token: SeDebugPrivilege	372	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exevbc.exe

description	pid	process	target process
PID 372 wrote to memory of 3188	372	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	vbc.exe
PID 372 wrote to memory of 3188	372	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	vbc.exe
PID 372 wrote to memory of 3188	372	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	vbc.exe
PID 3188 wrote to memory of 652	3188	vbc.exe	cvtres.exe
PID 3188 wrote to memory of 652	3188	vbc.exe	cvtres.exe
PID 3188 wrote to memory of 652	3188	vbc.exe	cvtres.exe
PID 372 wrote to memory of 4676	372	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	tmp5EF9.tmp.exe
PID 372 wrote to memory of 4676	372	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	tmp5EF9.tmp.exe
PID 372 wrote to memory of 4676	372	14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe	tmp5EF9.tmp.exe

C:\Users\Admin\AppData\Local\Temp\14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe
"C:\Users\Admin\AppData\Local\Temp\14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mo2v0s5w\mo2v0s5w.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6189.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34FB8209628048EFB1E269D3F2D13F1C.TMP"
3⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\tmp5EF9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5EF9.tmp.exe" C:\Users\Admin\AppData\Local\Temp\14b545ee3cb019979679be594cfc19ff6995cb45b85812131ebbcce96e22ab2a.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
8072043a50102ef4429ac35ae0d87a2c

SHA1
09cd8fb05607f3f59f545fab6fc9f672d7c05f02

SHA256
d0f7252ad92bdbe49a81b918318cb080295c2bdd795702d687eaffd04be9a438

SHA512
a72aaf7e53512c6a62a6752bba68c0359bd89c5cad8ba3ef122deb46eb96ba962edfea4d4453fb4d25936009dbcdd8c3a9fde845fe023684a00152f2268323bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6189.tmp
Filesize
1KB

MD5
d76a5bfa260d7d4029cd6d4d06626a3e

SHA1
ca6e99b4a640c1764c0e964afe30d2ab35820342

SHA256
2ae49262f96a7f57f13e93d9bb5760b6176b4fe3e5fea95f06820a7fb33f97e4

SHA512
63ec890c3f19476c5db335f6e7577ec5fe8e1460611a128fea8652af45291cec1f9e44f369eb0540ae0b93259107454bf4c22255157cd2eedc8162157cc743fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mo2v0s5w\mo2v0s5w.0.vb
Filesize
2KB

MD5
bb9d585265918e63cb87164c544d88c4

SHA1
0e2882651c921e7ce4c4f3aafce5cf05ea1f6253

SHA256
f9ada411630663111ccbbcbf76bdc90ee4a34477982ee0ba06f3dfd4a0e3fa5c

SHA512
27fe22a458ee2bd72019ca05cec7db2ff7d4868bdd618d6655a3aeff1448201d8f27e94c430699ba2a3876a263427eaee6100f7f92378e54f5398f159e142dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\mo2v0s5w\mo2v0s5w.cmdline
Filesize
273B

MD5
9365d7a1ca648927d5f68de6c0c15254

SHA1
b7dc13060b90ea7ec83dda4d6f8b190ef8045b66

SHA256
3b4d7f750707616a2ef1998807c0b1904954e5eab7c8b639021163a03564c7bf

SHA512
d63e05359ba2aa18a47db95556fc73e16d6c8a486f38ffa32157cac40f4bac219a80cff5da51cff24ecd47640849308179e7f85b3cac6fef23d00d8423af397f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EF9.tmp.exe
Filesize
12KB

MD5
71db9db075b6d1eb7b6c78c254dc5266

SHA1
cb48d5d7d0cb873d9767739bcb527fd05d2dbb89

SHA256
babbd7b4fa794ee1c7d7d92e65b7ee4d56ef9fcc6bead83790377012dd971624

SHA512
7d2f177d6c0bdf69fb658f1f31514e7b6f005a3af924e93b6b6f930d891ccde740054de07f84989eb6216b43f5c4418aa345212cb06dbd60db3e6651b3db6564

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc34FB8209628048EFB1E269D3F2D13F1C.TMP
Filesize
1KB

MD5
2eb7de74ad87eca4104ad58c6c133f06

SHA1
a0c2a19f2cbad00fe3fc1110ba9fe4f948633606

SHA256
f6453d8f4579d7027fbb9c1e0b357a57b178e6b201f51c91cbf966d432f3a822

SHA512
eeadb36a3dfdc5dede43f2cd60f9a4adb34ea50ae4816232e3cefdee771d4505e4180f259f56ef144f6772c400b5f17f12ed2b9ed0f348aa4a62f4ada1604ac0

Download Submit
memory/372-0-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/372-8-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/372-2-0x00000000054B0000-0x000000000554C000-memory.dmp

Filesize
624KB

Download
memory/372-1-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/372-24-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4676-25-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4676-26-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/4676-27-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/4676-28-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/4676-30-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing