15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67

General

Target

15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe
Size

12KB
MD5

27059e1cd993cb056f0855acb2f17710
SHA1

96fa4275e67a611e234cc562395e3ca3e2345f6b
SHA256

15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67
SHA512

5170524a135b3bb65bad2dc724830ededfd5cdb3200085e7560c20b7275a777abc583973820780c55b6084c317ac825a75b70ebf6e4b5f990c14e3fc66f199f6
SSDEEP

384:6L7li/2z7q2DcEQvdhcJKLTp/NK9xaQ4:kHM/Q9cQ4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe

Deletes itself 1 IoCs

Processes:

tmp6B5D.tmp.exe

pid process

1980 tmp6B5D.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp6B5D.tmp.exe

pid process

1980 tmp6B5D.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe

description pid process

Token: SeDebugPrivilege 1492 15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe

pid	process
1980	tmp6B5D.tmp.exe

pid	process
1980	tmp6B5D.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1492	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exevbc.exe

description	pid	process	target process
PID 1492 wrote to memory of 3392	1492	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	vbc.exe
PID 1492 wrote to memory of 3392	1492	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	vbc.exe
PID 1492 wrote to memory of 3392	1492	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	vbc.exe
PID 3392 wrote to memory of 5044	3392	vbc.exe	cvtres.exe
PID 3392 wrote to memory of 5044	3392	vbc.exe	cvtres.exe
PID 3392 wrote to memory of 5044	3392	vbc.exe	cvtres.exe
PID 1492 wrote to memory of 1980	1492	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	tmp6B5D.tmp.exe
PID 1492 wrote to memory of 1980	1492	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	tmp6B5D.tmp.exe
PID 1492 wrote to memory of 1980	1492	15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe	tmp6B5D.tmp.exe

C:\Users\Admin\AppData\Local\Temp\15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe
"C:\Users\Admin\AppData\Local\Temp\15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5dcy4scw\5dcy4scw.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6D02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3C0C1A41AE2434998533DDCA1D2293.TMP"
3⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\tmp6B5D.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp6B5D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\15f4218be77d7391d5168829a60ee498ee686c08946a0272882d036726379c67.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5dcy4scw\5dcy4scw.0.vb
Filesize
2KB

MD5
ec498d75f63b6799779ec2e4d0864f6e

SHA1
fb5651962d137c75982aa9f7db1cd3d43057259a

SHA256
f5f4154a3a56d1c4b73197e6c168ddd59a21c1cee3548f7ca973d252d43daee8

SHA512
a6504a9c317fb3a5715b667cd4b13e493f87005eafd2135ac7ec4abbb19fd860a55e67a0caf8c2d18ff1ff40f86e269fac2aae768f3266517b517310625d829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dcy4scw\5dcy4scw.cmdline
Filesize
273B

MD5
8b0fcda307644c5473739418e4a61bf5

SHA1
a61332893d47ec47beb507a45df95e8637c8771d

SHA256
ac084a89714962f97727cbb1de78546040355a962aeda6b94b6b1912997db9f9

SHA512
03460c1beae56b08a6833a689e3b8c9c8afa635215e2605432a74c28be8d8c179868b706b54b42b7c87b878aff65a04f2a89a1f74d3aaddc93f1518aa964cfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources
Filesize
2KB

MD5
5ea6b265197abed4fb224f4bd53ae75f

SHA1
9644c18dab0195f8e85adf1350927802b7b2b56d

SHA256
49d430ecdbf648d728ad7e2eb440c55b022633e66e1f94a9052f74cfaeb921da

SHA512
b066969613975149dd1624ba4f1936e2885a7b8df1a0475ca74452e21291defece8b65e6e3be75a92c7508f3f01c967b779debd2e25dc69c4eb64956ec64a520

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6D02.tmp
Filesize
1KB

MD5
8c463f90da1139e747102a36395d9485

SHA1
bcc638b362c1fba78ae6d205904d3e73e8fcf57e

SHA256
822add398b32784d726d347ed8c1a5afeb9f4145fc226306b2ab6697f07cfffd

SHA512
52790460bfcbc59527e08fcf1e0aea7d848c96cc0f7f9099cdd73e2e9798eb7f8bed55874a74945ca5d0192258b11c04a12b42afc3285de8ec50ef4be1d8fcae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B5D.tmp.exe
Filesize
12KB

MD5
3fbdf3277a2c2ec2c2c3c2256d92aa7b

SHA1
f6d7bc218f419a648bbee27bfaa9a73d40160b4b

SHA256
5736e9269186e5f35f928aa34fc3999bddbe8a137c1648ab469e88b6169aa154

SHA512
78cebe56675b66e6f2473dd4cdff2c99d0be10a1b878c1398bd044438874fa3f207991390f218ddca901a3c2790459e14ac63733dd00fb0cb307c491f3c1c7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD3C0C1A41AE2434998533DDCA1D2293.TMP
Filesize
1KB

MD5
54d4c11226f3be00707c725903ff6939

SHA1
1d611b603e00a4c09594119f66664ff98d51b8bf

SHA256
877e2e45fc783d418cc9fff847e8936aad8ef319a2e6b34eee0e89c61a7b6322

SHA512
6bcef1ea9572ea0e65c1e0293726df5cb26b110491fefafe712778a77914223c06fca649185e53a38f75322d9ef4573535802cb5fd1b65276815ef7d65fe1fa6

Download Submit
memory/1492-8-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/1492-2-0x0000000004A10000-0x0000000004AAC000-memory.dmp

Filesize
624KB

Download
memory/1492-1-0x0000000000070000-0x000000000007A000-memory.dmp

Filesize
40KB

Download
memory/1492-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download
memory/1492-24-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/1980-25-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/1980-26-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/1980-27-0x0000000005400000-0x00000000059A4000-memory.dmp

Filesize
5.6MB

Download
memory/1980-28-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/1980-30-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing