3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085

General

Target

3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe
Size

12KB
MD5

644146cd659731c52370b0f73fff104f
SHA1

b4330a579ba6ba19178a0c11bc81283391ec1fe1
SHA256

3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085
SHA512

9c6703555ff6c3a9a7c4196f9374cf8b28cec77694a082446fe130726b9b0a05930789b862e198fe1b6c7cf08936da4dc059071323b594c5600bd1662f21bd1b
SSDEEP

384:0L7li/2zeq2DcEQvd2cJKLTp/NK9xamD:iuM8Q9cmD

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe

Deletes itself 1 IoCs

Processes:

tmp4CF8.tmp.exe

pid process

4736 tmp4CF8.tmp.exe
Executes dropped EXE 1 IoCs

Processes:

tmp4CF8.tmp.exe

pid process

4736 tmp4CF8.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe

description pid process

Token: SeDebugPrivilege 4180 3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe

pid	process
4736	tmp4CF8.tmp.exe

pid	process
4736	tmp4CF8.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4180	3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exevbc.exe

description	pid	process	target process
PID 4180 wrote to memory of 1584	4180	3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe	vbc.exe
PID 4180 wrote to memory of 1584	4180	3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe	vbc.exe
PID 4180 wrote to memory of 1584	4180	3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe	vbc.exe
PID 1584 wrote to memory of 2068	1584	vbc.exe	cvtres.exe
PID 1584 wrote to memory of 2068	1584	vbc.exe	cvtres.exe
PID 1584 wrote to memory of 2068	1584	vbc.exe	cvtres.exe
PID 4180 wrote to memory of 4736	4180	3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe	tmp4CF8.tmp.exe
PID 4180 wrote to memory of 4736	4180	3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe	tmp4CF8.tmp.exe
PID 4180 wrote to memory of 4736	4180	3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe	tmp4CF8.tmp.exe

C:\Users\Admin\AppData\Local\Temp\3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe
"C:\Users\Admin\AppData\Local\Temp\3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m0pejdbu\m0pejdbu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A2C543920CC4D81B4BF25A0B1ADBEB6.TMP"
    3⤵
    PID:2068
- C:\Users\Admin\AppData\Local\Temp\tmp4CF8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4CF8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3ac11945de5c4a4286eda785ee853d72d95499ca10d666a7e56f86d357f5b085.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f19f5ce9c87c70da42142ed0b679042b

SHA1
e45cc034e49bad4d5ab4c224136f91bd4e7e68f9

SHA256
f52ca886b0683401e9e64c379f0a951c615ed5feedecc7f92088b7d5e08cc139

SHA512
5e87d087a4d1c8591107c58d93d47ec79d3221622ca48011204259c020f1b08d61e799014f87f7cc218d0b5fd9cb5128da93d04ddd3f3c7d04ad9c695a743a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E9D.tmp

Filesize
1KB

MD5
bb6027f9a3ff0e1eb39bb6f985530a8b

SHA1
f55741377afdd93b6b241478b12df5a8e84a08ad

SHA256
bee5bf33a11cf8cd9ee6998245ba0dbd8160ec98d35fd9b21c7b130dd5b48924

SHA512
bb6add104e370c2e82727a69bce3d7b6163f44c6e86824ff025e7bacc581ea80e9c420daf63b4bbfaa352a0ed1c70f545634dbd0743a1ca4b3924ac415ec2b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0pejdbu\m0pejdbu.0.vb

Filesize
2KB

MD5
14cf0578bdd5ab16e00aa9431b9c6145

SHA1
aaf1a6a727cbece21ea6c278a76c06d9ec74a769

SHA256
2fa3f44b89dfa38717126180b73ae6a75cfd001b21dfb4b4e68caa0a366823ba

SHA512
6e639029e304ca696c5c168b8c770b1b2477b0b36f40925c01b8c2e91f6ccbd22ae0c412364f46a2c41b6f5cd9cf559732a695f188a1dfb3a6b358946dc4cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0pejdbu\m0pejdbu.cmdline

Filesize
273B

MD5
3994f443fbed16b90f61949bd042ee2d

SHA1
24eb7f2623d8048a68248106dab16a35ba02e56b

SHA256
4b5aa6eb2cb0ebfbdb227f16b4a32506dc2bca4efe23fccf253de17f309f7d63

SHA512
5235fe306932f7af2f9e6647725f8851d4a7d19478d3adb2a2e3a6f1568b05ec6d6f799fc4d63e5f6dcf77ffe032802be22d51b014510fa53aae17dad3db2fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4CF8.tmp.exe

Filesize
12KB

MD5
3879968ec6cf86acc2d508854ea154d6

SHA1
ec08bca1ac940be7a92d23f746b2c36ab7aae3a8

SHA256
83719c2fc8edf091633f076fb285ac2fb1e166a4ba443187c2fe170f76ef272f

SHA512
b54f9201e69f1b3f38772e6c47805d5f01b13898a0d2da669638c24ceda48113831f8737150bf7427f19455c14cba9f636662bb3833a77e73ca074cac367432e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9A2C543920CC4D81B4BF25A0B1ADBEB6.TMP

Filesize
1KB

MD5
4bd9bbb9d220dc97c309854927b50ab7

SHA1
8b35b46c74d10919e9dd41c66faf8c394eec4d67

SHA256
93de4a67f5b677cd69c13d5301867c0ffa7c4183686c928e7a7ab470ee339fcb

SHA512
be283af195c104e077a1cb24e061419e017c67a0f11b70be08a17abc444a64822916a497245a20c5d78ddf716c237538e51fd792fe8fd71d776c9705fcf2943d

Download Submit
memory/4180-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/4180-8-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4180-2-0x0000000004A50000-0x0000000004AEC000-memory.dmp

Filesize
624KB

Download
memory/4180-1-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/4180-24-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-26-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-25-0x0000000000C50000-0x0000000000C5A000-memory.dmp

Filesize
40KB

Download
memory/4736-27-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/4736-28-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/4736-30-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing