82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606

General

Target

82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe
Size

12KB
MD5

97c2f337efefa97a8cc9be6905cc0d64
SHA1

bc9bd8206209c63dfbcdfab3e833463e81fd78ae
SHA256

82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606
SHA512

6687aca0ca95953340076b2b55e82c6ddad460cf950a63784ecd979ed72afe0f644538523916d69ee39ce2a9b878a559ba534da21ed4bcc474b23cb98f017979
SSDEEP

384:1L7li/2zCq2DcEQvdhcJKLTp/NK9xarU:VSM/Q9crU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe

Deletes itself 1 IoCs

Processes:

tmp5276.tmp.exe

pid process

532 tmp5276.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp5276.tmp.exe

pid process

532 tmp5276.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe

description pid process

Token: SeDebugPrivilege 412 82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe

pid	process
532	tmp5276.tmp.exe

pid	process
532	tmp5276.tmp.exe

description	pid	process
Token: SeDebugPrivilege	412	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exevbc.exe

description	pid	process	target process
PID 412 wrote to memory of 2624	412	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	vbc.exe
PID 412 wrote to memory of 2624	412	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	vbc.exe
PID 412 wrote to memory of 2624	412	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	vbc.exe
PID 2624 wrote to memory of 2256	2624	vbc.exe	cvtres.exe
PID 2624 wrote to memory of 2256	2624	vbc.exe	cvtres.exe
PID 2624 wrote to memory of 2256	2624	vbc.exe	cvtres.exe
PID 412 wrote to memory of 532	412	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	tmp5276.tmp.exe
PID 412 wrote to memory of 532	412	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	tmp5276.tmp.exe
PID 412 wrote to memory of 532	412	82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe	tmp5276.tmp.exe

C:\Users\Admin\AppData\Local\Temp\82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe
"C:\Users\Admin\AppData\Local\Temp\82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u5qimdy4\u5qimdy4.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES53FC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc700A71E1A13A4AA19831FD7A34F2E11.TMP"
3⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\tmp5276.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp5276.tmp.exe" C:\Users\Admin\AppData\Local\Temp\82fee8cc1bd1d4e2d421c4a221f995c6717bbb1c0319326251a9813b0c570606.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
8a7cca5708377c9a1cc770d5eaa59d13

SHA1
4cc29742aa31e8321fb190f3bb37e274d8f5a400

SHA256
32b3b5c3c5f013fd21d4597e601b5159e7af2020a7a8d8950bb889a83e25aa8c

SHA512
2fb0fe1d4908416dd829470c39f5c4c0469e587da5caa7d3ca81eac9d451a523322ece3ee50ed4d79d5b86cc56f0fd4cac871112bf29f754a9fd55081c5d4dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES53FC.tmp
Filesize
1KB

MD5
c8b63216cc670adac61f6e9187fa16a2

SHA1
1e851b956d8f0a2897280aeba002aebf29c9f4df

SHA256
3471583841e754ebcae98efcfde96fb09d4da56bc71db70594d36bde8a417819

SHA512
e713623da6c79d667fa1a4c5a79bb87a86b2274b535b566d85a260bf036cb8339cfbebd127667bbd07b3ec23a51f58d1862685ca2893636f5802f74e89e29d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5276.tmp.exe
Filesize
12KB

MD5
4f916a19f432f79a986be7e0d751a94e

SHA1
968e3a25633408fc1dc674a05becf21e4dbd34d4

SHA256
c9bfaec56d2ef370aaf2d239519dd6f80d877881d75cb7140a603453dbb55845

SHA512
f6608ecaca521f9773972e1c234173bdade1ea4845c356d2d572f96596cf8309ee2fb9097ae108c5232a07d2659e989e51dd81cd66b0b747f2ad0f24e996b4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\u5qimdy4\u5qimdy4.0.vb
Filesize
2KB

MD5
9b68ff558b069daedaa779979a66a779

SHA1
0b9e4f8149489f088f8dc879b5e2144a14b1f0a8

SHA256
e5bc94033241038b76f8558ad8a4bb2682880744a996530f580130850a99c067

SHA512
77053e06a1d5160c8a0c86e7961fca1d31d6ad4b61ab56c117c70f699c37fe2d8e05400dfe3afb820823c65e4f7f7cf2377e8734491e1099fc5a913c0e5282ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\u5qimdy4\u5qimdy4.cmdline
Filesize
273B

MD5
07e8dee8dc0a6e2c228a196202c5b968

SHA1
93a64e8785bec7072149eee5119531ed33c13220

SHA256
bce516708e7b0affb0b285a7a1d8a97454b60894977b5a6f0c3be7708d9c857f

SHA512
b62c4f94ad44528ca445835a337505429488ce977348a69c603a2b764e8806202e98f35386fee7b721de5b7cc122c4785eedf8d1155b80e0890cc25fc09f703a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc700A71E1A13A4AA19831FD7A34F2E11.TMP
Filesize
1KB

MD5
408667ccae8793d7907b997aacb4f742

SHA1
2dd7072c6487a8411e063a0ae6afaf0a14d7c2dc

SHA256
57ea38317b7b2bdb2215ce8f723fc72d0aba62f375f47895b9770e65f65a9c40

SHA512
97c0523d535e8fda95e6b9b64558ffb421f04d481c6b8909315a589fde61a6cef8e049fe4611ff4f069cd2eeb913b6123202e433339814378af40062894139d0

Download Submit
memory/412-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

Filesize
4KB

Download
memory/412-8-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/412-2-0x0000000005450000-0x00000000054EC000-memory.dmp

Filesize
624KB

Download
memory/412-1-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/412-24-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/532-25-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/532-26-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/532-27-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/532-28-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/532-30-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing