8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af

General

Target

8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe
Size

12KB
MD5

c517370ce66c2d93a01f0d2a72fabdda
SHA1

02f8c4bd2e0864c9b109eff569fe31fd313f27db
SHA256

8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af
SHA512

1ff4dfea15080f9843a8f35b51ff6a40f23f1802569e982f3d15f71d13cf74685a7ba7fd3e6101657582ed07a607a833e100f7df584279b6250308e011f7eb00
SSDEEP

384:BL7li/2z5q2DcEQvdhcJKLTp/NK9xaxm:hJM/Q9cxm

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe

Deletes itself 1 IoCs

Processes:

tmp399F.tmp.exe

pid process

3356 tmp399F.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp399F.tmp.exe

pid process

3356 tmp399F.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe

description pid process

Token: SeDebugPrivilege 3216 8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe

pid	process
3356	tmp399F.tmp.exe

pid	process
3356	tmp399F.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3216	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exevbc.exe

description	pid	process	target process
PID 3216 wrote to memory of 1964	3216	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	vbc.exe
PID 3216 wrote to memory of 1964	3216	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	vbc.exe
PID 3216 wrote to memory of 1964	3216	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	vbc.exe
PID 1964 wrote to memory of 1644	1964	vbc.exe	cvtres.exe
PID 1964 wrote to memory of 1644	1964	vbc.exe	cvtres.exe
PID 1964 wrote to memory of 1644	1964	vbc.exe	cvtres.exe
PID 3216 wrote to memory of 3356	3216	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	tmp399F.tmp.exe
PID 3216 wrote to memory of 3356	3216	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	tmp399F.tmp.exe
PID 3216 wrote to memory of 3356	3216	8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe	tmp399F.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe
"C:\Users\Admin\AppData\Local\Temp\8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1vzm5oof\1vzm5oof.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AE6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF460C649747546A48884B748ECA58417.TMP"
3⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8f6ae16d2e4a33327d98b496509dd3cc5344e01a8c849425a6584eef8e33e0af.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1vzm5oof\1vzm5oof.0.vb

Filesize
2KB

MD5
7aba28bcfbd4115087f50d817a45e3d3

SHA1
65bb047c65c471dd091ba499a673c6a9f603eef1

SHA256
f6c6f4e341c6e66b907f3dd6e39b97d04c521ce74e689f84de9f24e972ee822a

SHA512
e721baafcbf396300fd035e6279e7ba029487bba950fd931be9573d046fa8a59e1d484bdd0a7eea5be3994ae59776e79283871c6270b79cc92f9a8df13b4cf71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vzm5oof\1vzm5oof.cmdline

Filesize
273B

MD5
90b5a416adbf0cf6dd3042094aa2c3bf

SHA1
c05d7d7d913e687ab4d1ab3fa532fcb9a716ff61

SHA256
0501554f0e48d6cc2a250d917d2e2f400069c806622aea8f94fc6782b00aaa90

SHA512
74ec6c0ec9b00f8da4c1a0d6d30a6efa8cb49e77ea3ade3a195a5b59167a60bb0010715e2d70019a824407037f884f247164523605a9164da6aa137db5b398db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
88a893120dfff08bcff53dad5f798206

SHA1
f75260a1fa7110efb4f2500d05ae62a24c7aba94

SHA256
8a086070f9814eaf349d0a3f5efaa97e124affee0ca5802c283b3011b66ae5e9

SHA512
9c46a2be679e0b988c8bf19ce0320d5a331a082d3ca353bbecf73c22b8d3455c1213f61a36dcfca463be9c455044a99577bba42e43a3b8d02dada56b555d2943

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3AE6.tmp

Filesize
1KB

MD5
9bf1f9c7e36f4784ce1622f5d7bb2943

SHA1
4b6951de320f74fdf195c23112f952672392b153

SHA256
d12209ef188193502a919d88b6dc9120a43e7a14e0c5a508d613bfa8fc55332d

SHA512
8edcb797a25691ac354a343ade6a32fdc7720d0955231668d2faae94723cdea3f269e8b48b0057e5c6498ddc10bc51ed8330a00e4bbc37dbe316874dc2755bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp399F.tmp.exe

Filesize
12KB

MD5
6064e8a991f473568999a479c3162906

SHA1
d1317ef74b83f66beedea038a9b48d1de5687356

SHA256
fb9034cfc3482463f43031b409b4626e85e81119c18f634c67051c3b1ead12f3

SHA512
f7f6eef73d54e6169b4f7da47d4cc77538e186e7dd77c9d1ee71e6b30717b2ffb5ddc4854ed0389bf983899894b08b000683c2e7091ca094e28ad8911fce09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF460C649747546A48884B748ECA58417.TMP

Filesize
1KB

MD5
eba2198caef66a765f2e5bcf64a3e1fb

SHA1
619ef83fd3e2c21d4adf9375012727a3f2872c72

SHA256
4480d4b1baf1c8e4ee7c9aa40f67f0674de87a952da680d476b76acf75f4a44a

SHA512
f54870a6482bcb61b3eedd58b8c5d8ac430eae555978466ac576c80b8cc9812b502823ccf39dd1e740dc6575ba33dea558aae1393aa3307524a882c6dd00683d

Download Submit
memory/3216-8-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3216-2-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/3216-1-0x0000000000D10000-0x0000000000D1A000-memory.dmp

Filesize
40KB

Download
memory/3216-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/3216-24-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3356-26-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/3356-25-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3356-27-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/3356-28-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/3356-30-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing