9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241

General

Target

9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe
Size

12KB
MD5

9d76d6a5d258d87f04b6db88d63c24bc
SHA1

9c84b644f75ce351860104b61551ca9223164b5b
SHA256

9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241
SHA512

8b9588178bbf7c08a935eab80e924f1e82ead40c50fa3d9ec51bd0efe8c6df59083957fc12a6db116e9e583ba16c926cb18e5219a9b1e81844ad263e1eec6384
SSDEEP

384:rL7li/2z9q2DcEQvdhcJKLTp/NK9xaaP:/FM/Q9caP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe

Deletes itself 1 IoCs

Processes:

tmpC9AA.tmp.exe

pid process

3504 tmpC9AA.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmpC9AA.tmp.exe

pid process

3504 tmpC9AA.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe

description pid process

Token: SeDebugPrivilege 4580 9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe

pid	process
3504	tmpC9AA.tmp.exe

pid	process
3504	tmpC9AA.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4580	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exevbc.exe

description	pid	process	target process
PID 4580 wrote to memory of 1220	4580	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	vbc.exe
PID 4580 wrote to memory of 1220	4580	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	vbc.exe
PID 4580 wrote to memory of 1220	4580	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	vbc.exe
PID 1220 wrote to memory of 888	1220	vbc.exe	cvtres.exe
PID 1220 wrote to memory of 888	1220	vbc.exe	cvtres.exe
PID 1220 wrote to memory of 888	1220	vbc.exe	cvtres.exe
PID 4580 wrote to memory of 3504	4580	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	tmpC9AA.tmp.exe
PID 4580 wrote to memory of 3504	4580	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	tmpC9AA.tmp.exe
PID 4580 wrote to memory of 3504	4580	9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe	tmpC9AA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe
"C:\Users\Admin\AppData\Local\Temp\9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rcctpwho\rcctpwho.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD08E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc57937D53422C422392C1ABE2D7E37EE.TMP"
3⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\tmpC9AA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC9AA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9427de15467591a16cfb1970ba8f1b98ba4cb488ed84e613a6d489be91cc0241.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
e069b756e3a5bae4594d604ab887e6d7

SHA1
e8fe1445db8b23a889876e52c309c1308fa2c287

SHA256
115c42c519345d0108659dd93bab1bbd1a51ed6e3c61f173a939c56ec4065763

SHA512
b0649006cad260b0c0938760a9a80f04af649d7bd5db29ead2c68c0a7fb50ec2a5eff3f6570805baf3b0cd53be35d7c140cf14a54d853a62d1398fad73c58f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD08E.tmp
Filesize
1KB

MD5
90476e61470ae0fc1d7f49687001557e

SHA1
03097bb49a1afe31edb67a821906c573227648cb

SHA256
9b8fdd82910f20c05d5beac050d8db14259a39ac70148136497e504ad252e4b0

SHA512
c47ba681675adeaeb1a6297ba77349a0ab426378c064e66b0a8735776eca99c7cef00196ad2346141e2a9028c7b66717a57567fb36ca10db63d7bc15843f8216

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcctpwho\rcctpwho.0.vb
Filesize
2KB

MD5
512a7811c39534dae24086b0415a2aac

SHA1
d0ed883d6d474f5460bb1a7fb9c71aed7d0430e7

SHA256
61c1d7566f41fb7b00a9cb6934716be68863d06cca722da4e93dd251d49697f0

SHA512
1d359c169eb68ba30b90f88fe5f1c2d2aab5333a28d1c7daceeb5b1f90ec5814084211fdacca23cdbce01cd6bec6ee81933c6d300dcee66c978b0f740614bc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcctpwho\rcctpwho.cmdline
Filesize
273B

MD5
f7771631b786bcac0797b11aa8b7e1e1

SHA1
ea0413c8e24a1ef88b60c1093c15d8a0aa8b6031

SHA256
7112d084aa4c097f146d320079adf1c6ad9397ed6e49882be3243a5a1fdcbcc7

SHA512
8d5da4b8a8ef6295d3fe932160b03815c30867a1adfbadc1f9b6b0a6b4dcc20c0d12b200f01b05918139273beb2bed0ba74debaf6a394e06dfa366ddf29e3406

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9AA.tmp.exe
Filesize
12KB

MD5
eb1cd2a1657c1863479eff291144cedb

SHA1
4430b472ca0038dbab2bdacded8d391a110264f2

SHA256
c64c51c6edfceaa65d49216445140d3bdf2baa0214390e601f8d88f8e9b23d66

SHA512
a010babba7d4d0ddc25301d5a44dc854da83a95b4c4c552b79ba2a5b1de1b43828498da26c4b2fb2f8fdc2bd100d68303546e400663faaabc0cd3fd263835f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc57937D53422C422392C1ABE2D7E37EE.TMP
Filesize
1KB

MD5
16ce7ec5811b4166360ccc780771a101

SHA1
7eb0f2456ad328c5ec103096d9718064266ba657

SHA256
1224ca3d3c59962dc81675b884424e59215b4125d887a2ea3fd7e2e62afadb3b

SHA512
89ccf791e7d705db76badf24d204cb2905bf5d539ed0bc0ed4c55bd05d0e64a8f8169323397cd5ea553dc8f1231fd12090ef0b399f085fb4b61cdf281d6eaccb

Download Submit
memory/3504-24-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/3504-25-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/3504-27-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/3504-28-0x0000000004A90000-0x0000000004B22000-memory.dmp

Filesize
584KB

Download
memory/3504-30-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-0-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/4580-7-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-2-0x0000000004DE0000-0x0000000004E7C000-memory.dmp

Filesize
624KB

Download
memory/4580-1-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/4580-26-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing