7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027

General

Target

7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe
Size

12KB
MD5

0b0da940152d8fd4cafc09b0ed6f7f40
SHA1

01f2a08d3a1ea4bf9353c44bb825a0393ba968c7
SHA256

7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027
SHA512

05ea9442a26bc8527da6ef5b47a174f8731c82c5ab326e18aaa9841ae095d633c2584c199d656b7000d264f6b9c63993bd7a5b0239242c5178d640ee8fab663f
SSDEEP

384:iL7li/2zHq2DcEQvdhcJKLTp/NK9xa/M:8TM/Q9c/M

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe

Deletes itself 1 IoCs

pid	Process
4768	tmp497D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4768	tmp497D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 1568	4160	7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe	87
PID 4160 wrote to memory of 1568	4160	7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe	87
PID 4160 wrote to memory of 1568	4160	7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe	87
PID 1568 wrote to memory of 3324	1568	vbc.exe	90
PID 1568 wrote to memory of 3324	1568	vbc.exe	90
PID 1568 wrote to memory of 3324	1568	vbc.exe	90
PID 4160 wrote to memory of 4768	4160	7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe	91
PID 4160 wrote to memory of 4768	4160	7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe	91
PID 4160 wrote to memory of 4768	4160	7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe	91

C:\Users\Admin\AppData\Local\Temp\7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe
"C:\Users\Admin\AppData\Local\Temp\7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\53w0lqk1\53w0lqk1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C2C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7614097D9E574F94AC7B2CAE8C2D91.TMP"
    3⤵
    PID:3324
- C:\Users\Admin\AppData\Local\Temp\tmp497D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp497D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7221ba368255b4015d0778073af37a70f5230e49662ac06ae884a9582292e027.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\53w0lqk1\53w0lqk1.0.vb

Filesize
2KB

MD5
1be95625106c90e75ed71068d663f554

SHA1
131975158a391bf0945d94893cdbfae3b0048459

SHA256
dc25b196dbc799a2a22e4759066e23a5a52519bacb2a5eafa7f51f110a8ca7fb

SHA512
d5e6762ca3b36df8f727ce09538465d8ba013a1bdea9c0e6d89b027f5aa1393998b6e13adad42ff9009d187829575fd390786d21de5315c8118afb1823b3bca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\53w0lqk1\53w0lqk1.cmdline

Filesize
273B

MD5
5916814cbc8a72c3cf9194ca339217b0

SHA1
bff5148f46d56a2e45438960da00cacb597ce969

SHA256
3b974023d9ce66b18522ae83925cc3cc7b4ada90a7e5426684a2b72e9afe6569

SHA512
86c48235ea6d00310afdeb77ecb28c1f545e535f3640551ef7d412905a1344bd1b1eaa1177137767847f05ec4381c94a924b205ae9455004c56656b6e5e38533

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
80e224e9e36acf69cec0166a3e77a12f

SHA1
4ef846ae63a6c853c9a7a826af0ec0c8272143fb

SHA256
30e509d72e2e55899230876d78ddabfb5e80b5d301e6462f351c62820ec197cb

SHA512
fca5c13e2a3e4bc126de58c61b8c2744d081766d7d08e05a7e50ba0fc1b4d26c4109b5635015b10ba504af972a2c45b8484cd89eee82e179d3ebc00145dfa8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C2C.tmp

Filesize
1KB

MD5
4dc1895a8fd22ebbcbeaf5a4a6870cf6

SHA1
7499698fceb3df069b1fc489cc1cb9ba4ae66e02

SHA256
09265707cba4124975c6bf6e3c0b224356249de198f131c7cd324a567762ccf4

SHA512
33c86fea12f08726eee2297ee48495b0b9041fbc6afdfcf495765f77dc9a91de29dfc496658f14511d4ec716dbf9d3455adaa3b5de24e4c3171727cd2f9a97ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp497D.tmp.exe

Filesize
12KB

MD5
d798a0d197d40e01266359ebe696b43b

SHA1
ec74dc7d26016ad3d38b94deff21d1f556824e8b

SHA256
c6d02d8f6080a97615b4914bb5d4b9329cbc7efa60eb6d410bdc057823f69dce

SHA512
52c1337d84c550b388ac46dd52ee540ffc47ed9c0c0e8c261e469dc4ee1ce4d37f97ef480dd5329a53bb0b1a40e7c3ce9ef8d9dd6ebeff99afe03bb53e05434d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7614097D9E574F94AC7B2CAE8C2D91.TMP

Filesize
1KB

MD5
c1536062f51a41dcffc6ca27f92fa937

SHA1
80b7b43fc07d95ba5159162459d64002524d1a02

SHA256
46d78544f111924c4d2ae0a7937e938d279713602f5e8a5c2dcd4b8a623dcc05

SHA512
30013762c79e30b8458cbc721ff0e696ef45504f8b2ed0db63f6cfbac181447b21a0a147a2b9573671846af380181a29701b012f8e4533c3a7d4ce186103bc26

Download Submit
memory/4160-8-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4160-2-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

Filesize
624KB

Download
memory/4160-1-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/4160-0-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/4160-24-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-26-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/4768-25-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-27-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/4768-28-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/4768-30-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing