8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f

General

Target

8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe
Size

12KB
MD5

a935ad05746b25a6bea9be4bc7e981f3
SHA1

ca41c1f91d4af77347d7516cd2a20775e82f0eec
SHA256

8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f
SHA512

981b3278cc1fa648ff9c19a88a60660d1190dfb18a6dbaa01dff93595f46aec415b71e7e905e2c7017d26c059759e3a2a7e9a3546fceef3ab1931eedd7ecfbbd
SSDEEP

384:+L7li/2zEq2DcEQvdhcJKLTp/NK9xaHJ:o4M/Q9cHJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe

Deletes itself 1 IoCs

Processes:

tmp4A29.tmp.exe

pid process

4648 tmp4A29.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4A29.tmp.exe

pid process

4648 tmp4A29.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe

description pid process

Token: SeDebugPrivilege 1180 8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe

pid	process
4648	tmp4A29.tmp.exe

pid	process
4648	tmp4A29.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1180	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exevbc.exe

description	pid	process	target process
PID 1180 wrote to memory of 1056	1180	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	vbc.exe
PID 1180 wrote to memory of 1056	1180	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	vbc.exe
PID 1180 wrote to memory of 1056	1180	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	vbc.exe
PID 1056 wrote to memory of 1508	1056	vbc.exe	cvtres.exe
PID 1056 wrote to memory of 1508	1056	vbc.exe	cvtres.exe
PID 1056 wrote to memory of 1508	1056	vbc.exe	cvtres.exe
PID 1180 wrote to memory of 4648	1180	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	tmp4A29.tmp.exe
PID 1180 wrote to memory of 4648	1180	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	tmp4A29.tmp.exe
PID 1180 wrote to memory of 4648	1180	8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe	tmp4A29.tmp.exe

C:\Users\Admin\AppData\Local\Temp\8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe
"C:\Users\Admin\AppData\Local\Temp\8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pvrs1jzl\pvrs1jzl.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7DC7821EAE84C8FAE382C45BF4F57DA.TMP"
3⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\tmp4A29.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp4A29.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8faaf904aec43f9115f535ce47342ec6cd1ef95aa6008af7623a32b73f6e2f1f.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ba2de093c8b6163475ce7840d5f7e23f

SHA1
e87e40a7ab6723402a0e79d21489e69bb51d4586

SHA256
e4397db949a700fea646995c2d7180a2e110ccab8525df4788afd786e896095d

SHA512
62136ee258d664ff102aab7b08859e7bc0c334e9da117efa352965b0437db9087be5d00ac421a4dfef5ce2c1b4254e9ac41f0121dbdea8489f8d82caca38d185

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4BBE.tmp

Filesize
1KB

MD5
682f6905ed601be6aedeb6d7c3ebe74a

SHA1
39c77351e78a5defe9d8958f061aa08c6fe819ee

SHA256
2e248a8f038c5b9b8c16695c6829f3f9566c1e7a13eeefb7606613243f37af81

SHA512
984d3da75e19819f410e2831d7ad6064129e8bdf23484d9949ac85e3866d8ee14508915adad3fe6b2e31661262882d21f99361603ddc0a011abfdc1f82e4d12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvrs1jzl\pvrs1jzl.0.vb

Filesize
2KB

MD5
a8f791d305a13b725261caf187cfda11

SHA1
dba1997f2eca205aa8d0ff7d47f32aa98cb35fce

SHA256
ed5133c871b81f68f0742e25189b85726b3e8af63421f593ac2dfede02901e64

SHA512
942a48ade97b325870773f9775c0bb8255fadeb2d6c0f03cfb8c8fa4abb210d2a0423895effdbf98c569beffb4bd582c18db8c7b8266357b0b1d82be5ca1c532

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvrs1jzl\pvrs1jzl.cmdline

Filesize
273B

MD5
f7d1ba9563257665c3c554ee6301611f

SHA1
a44fea9caf41bad8550c2e9743640bc7552d76fa

SHA256
02236874f3a02a47232220bcb1df64f857560dfcac841e1bacc3abaef2e04a49

SHA512
7131b7e583c8264bb50b1233d7f7dc5c1653187511b115f0224cacf243d904c6d8dc6ca67eb92061da77f86740c72b592f2ff581c84954c7bbbb70f531939b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A29.tmp.exe

Filesize
12KB

MD5
0de32f8975d132557f67db73b5403fa5

SHA1
4751a9725429faa6daa562e8fa53cbf66ac4c070

SHA256
4d8a1b076d11ff942e8e681307160ee6f78003148a3bd2c12a6f5a3d48c57feb

SHA512
7fc0a2b2dc2d11459dd2365566967940dd074638c216a7daa2494ce9c1b649c695a59b83c522f262ac86abfdab6f95e336e01c13a5cba9f62f35bc8d59148102

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF7DC7821EAE84C8FAE382C45BF4F57DA.TMP

Filesize
1KB

MD5
d9570842db784417ae8600c233e4fe1b

SHA1
b751e10e78520d6147f5ca7d6c6635f7ecd552b8

SHA256
b92ed56a7bfffba03623ddfa5ef112cf3b5d4a83d7bea6ac0dd2917e3e94b2a0

SHA512
4c420ed34788b37529eea7398ec38cb9d19c5920c209bf0e1a7e8b389d5213fec912108037814d02faf69e3215f5a78305359d8a17003ffe3316e755e7497128

Download Submit
memory/1180-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/1180-8-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1180-2-0x0000000005270000-0x000000000530C000-memory.dmp

Filesize
624KB

Download
memory/1180-1-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/1180-24-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4648-25-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/4648-26-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4648-27-0x0000000005460000-0x0000000005A04000-memory.dmp

Filesize
5.6MB

Download
memory/4648-28-0x0000000004F50000-0x0000000004FE2000-memory.dmp

Filesize
584KB

Download
memory/4648-30-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing