8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83

General

Target

8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
Size

12KB
MD5

0933031630e50ec92eef7af126b1dd3f
SHA1

d53b767ce9430f0f061a1b943382eac82dfb9664
SHA256

8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83
SHA512

c9f43e5ea9d56e4b937f51d22d89d6cc01b2d2510c326d36f2e37671173ae7e771072819ce91a1bfe7cabdad892d2973097744df64b3335e916d18708b689d3e
SSDEEP

384:dL7li/2zUq2DcEQvdhcJKLTp/NK9xaqI:NIM/Q9cqI

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe

Deletes itself 1 IoCs

Processes:

tmp42B7.tmp.exe

pid process

2428 tmp42B7.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp42B7.tmp.exe

pid process

2428 tmp42B7.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe

description pid process

Token: SeDebugPrivilege 4988 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe

pid	process
2428	tmp42B7.tmp.exe

pid	process
2428	tmp42B7.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4988	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exevbc.exe

description	pid	process	target process
PID 4988 wrote to memory of 4580	4988	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	vbc.exe
PID 4988 wrote to memory of 4580	4988	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	vbc.exe
PID 4988 wrote to memory of 4580	4988	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	vbc.exe
PID 4580 wrote to memory of 1212	4580	vbc.exe	cvtres.exe
PID 4580 wrote to memory of 1212	4580	vbc.exe	cvtres.exe
PID 4580 wrote to memory of 1212	4580	vbc.exe	cvtres.exe
PID 4988 wrote to memory of 2428	4988	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	tmp42B7.tmp.exe
PID 4988 wrote to memory of 2428	4988	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	tmp42B7.tmp.exe
PID 4988 wrote to memory of 2428	4988	8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe	tmp42B7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
"C:\Users\Admin\AppData\Local\Temp\8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xuws2r1a\xuws2r1a.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES440E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc99A58303813F459794CCE6DBBCB617F.TMP"
3⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\tmp42B7.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp42B7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
0193747a263039b55672cfb768bfe6e6

SHA1
f9939b593808da08a05be7c0f9237fe405e807bb

SHA256
597926daeee01c0345ff0c53542a086a5163bd8fe33891629f37e2924648a6b3

SHA512
a21a0bea7bfbaeca4960918f9480b0c421d24aae4a1bec2aa61b9b8f37f89c39c6ce2be80632381c22fe074973a3c1e26f8588202b08dea188c1327d75bcfdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES440E.tmp
Filesize
1KB

MD5
b63c978aaf47ed737cfd1bc7eeeac292

SHA1
bfb437ea02aefee89566bbd6eb2e729f423c8be5

SHA256
6d68ce676e2845055219b0f73e309152648da030fcfa69d0b8356664c0e399c4

SHA512
9c10165e94465e261211340d50c7b8f1dc1cbf4689dabf9b79ea77aa3c4e8ff475548302cefc58c3d9449aa91e8b270ff822aa8a9f8b78f9d5c2cb906dd0a693

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42B7.tmp.exe
Filesize
12KB

MD5
0d91b97ea21beb25d80b6b235ee1df25

SHA1
b8c45788ff571dcd3cc7503408d0fd36d94a559a

SHA256
851290ca8a1c17118e17adc3d1bc87010b735d3009e9abddb3ad74effff35ba6

SHA512
85742418518b1427d145ce8f09011a5d2fee3b475c3d190058a032c4c50cbc5b0213bbb1b214d1ccc0e86409439ccafd93fb964e955e6afea549c8064a9dda64

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc99A58303813F459794CCE6DBBCB617F.TMP
Filesize
1KB

MD5
39ec807135c304f8897ca7567d40b350

SHA1
e55fdb3c3c4ab4e3d5d221b3305d5c1de013c435

SHA256
db838b3233e5fd651fb8ede4b8422f76f7afb723bb68ddd5ecdaf52dd183b0fb

SHA512
733ba0b9d1eec0c5b6338d3f6008280ba15d147ffda530c8530aa5433242e405dad1ea2fdfc22684bff45516d18db15eef6acc0ef46a17519e82bd9bdaa1f5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuws2r1a\xuws2r1a.0.vb
Filesize
2KB

MD5
a48735d80a088cf83e14316fab967527

SHA1
133b4fd5887053d62a3032b74774237c048a197a

SHA256
47240b93f52c9c84194512f0cb99bc8f311fbb900b1fba0b0c2fbe3e7e33ec9d

SHA512
7b61b25ccc24f35cdc1a312c896a733646ee5d39060ccddc341ea03b7258b883ef170376d2e9bd5a7ea67b83ba57a5a95f14bff9df703e17b0594678e8da3cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuws2r1a\xuws2r1a.cmdline
Filesize
273B

MD5
632c33564d3a187eeb18a61a858d808b

SHA1
13a3e33131b8d3020f1ddce2f36d48c36947ce7e

SHA256
2df11bae2dc4a0e0d11f93191a33fb41d6b1ac9a31d83f80c32ad5cf334f4d87

SHA512
e07418f36adad6e69e1ef052db514f40feaf0b44ad614d3f81bd32711a59f8dfc301f244ae2f191f67296e26abfb9c737ded7730b7b11b6e71539b7c8f0ee32a

Download Submit
memory/2428-25-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/2428-26-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2428-27-0x0000000004FE0000-0x0000000005584000-memory.dmp

Filesize
5.6MB

Download
memory/2428-28-0x0000000004A30000-0x0000000004AC2000-memory.dmp

Filesize
584KB

Download
memory/2428-30-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4988-0-0x000000007507E000-0x000000007507F000-memory.dmp

Filesize
4KB

Download
memory/4988-8-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download
memory/4988-2-0x0000000005070000-0x000000000510C000-memory.dmp

Filesize
624KB

Download
memory/4988-1-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/4988-24-0x0000000075070000-0x0000000075820000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing