456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b

General

Target

456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe
Size

12KB
MD5

a28f2126263e0a3fd9a837a3f2f9da94
SHA1

e12be636deddb474ce521449fd915c58b6974586
SHA256

456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b
SHA512

a98b536a90ddc9e2dfd118b7e0a4bd8983d9fea793cd3a21472390c22e31936a0905fd10a32ea756e1a4333d4a5ce8c46a22fafa0f6395cbf04fcd75faaac03e
SSDEEP

384:CL7li/2zZq2DcEQvdhcJKLTp/NK9xaWY:cZM/Q9cWY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe

Deletes itself 1 IoCs

pid	Process
2852	tmpE39A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	tmpE39A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3040	1924	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	95
PID 1924 wrote to memory of 3040	1924	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	95
PID 1924 wrote to memory of 3040	1924	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	95
PID 3040 wrote to memory of 428	3040	vbc.exe	98
PID 3040 wrote to memory of 428	3040	vbc.exe	98
PID 3040 wrote to memory of 428	3040	vbc.exe	98
PID 1924 wrote to memory of 2852	1924	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	99
PID 1924 wrote to memory of 2852	1924	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	99
PID 1924 wrote to memory of 2852	1924	456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe	99

C:\Users\Admin\AppData\Local\Temp\456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe
"C:\Users\Admin\AppData\Local\Temp\456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fagdyoft\fagdyoft.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE56E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC22434711D9248CFB6E62530FD7FED5D.TMP"
    3⤵
    PID:428
- C:\Users\Admin\AppData\Local\Temp\tmpE39A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE39A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\456b881d41c57a215c8515d43471c2164d3bd5498a7f59edfe414516d03d234b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4152,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
1⤵
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
8e82750a17b2471438d8877df11567b8

SHA1
6884739a5aeb97dff6644c3d91407e0995be5e33

SHA256
9eebe618a84ff4cc091dd84f9e60031ff6722a91346d1304607338c2f65ceef1

SHA512
93993011015f568ef0a85b89e7e6a6399ac9626df4c0e98099aff54cff62046c8fbfe442b349402f461e40b649465a213a31d4ea551debf4895cba42e2fdd88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE56E.tmp

Filesize
1KB

MD5
f9ea5439edacfd18e647711cff348811

SHA1
a60d4f20b011381627c6b93bb13f353054f1b0ca

SHA256
fa8ed4861c7efb3794cf1d5815de7553aa3a0afc9e27819a588914e537ed93e3

SHA512
bb6ac86a813056915da54eac725debd22a4fc6a4075872a4d14fb8307897544b62878dfdbda32332ffb06eacb773c9c366aa2072375b5b3f53984c75a2fdef2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fagdyoft\fagdyoft.0.vb

Filesize
2KB

MD5
a0fb9aeb792aac5200648530e62a64e4

SHA1
62f72855230a7f90d0d0938b5d314369ad2a9ab5

SHA256
414a63147e1f0ae6bb2042285bdefc3e0e66a767deb6faf62c7a0a9f4178d7c5

SHA512
77062527e3189baf88f2be263d5b172ccfc24fcf30df15e7c65e1b6accb17576daf2ed1bb5b06e1c36e0fd448c72fd27e15ed1c65375762746c25a560b467202

Download Submit
C:\Users\Admin\AppData\Local\Temp\fagdyoft\fagdyoft.cmdline

Filesize
273B

MD5
9824bb9d8563984c6a8a1b2681c6b315

SHA1
2c702646f3c2b178232c38ca8efca0ee5167d810

SHA256
938ee2f1e62d3f5e36d26b0840720e912090d7820bb56d64abf043ba617afdf3

SHA512
272e131563950b59c1079024cf4d32bd22f988b0acaffae98e8fc676b02aa22dc1513ed126163a1a3c0a3462608af357776196a856b123210a30d690c7d8d6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE39A.tmp.exe

Filesize
12KB

MD5
080defe262d2eece36c98ebdf9acab71

SHA1
d0f9c593aef93abd8ca7606c80835fd5c58633d1

SHA256
0c66be4631ebf91f169d58e47295e24450c59e28007ea895d1b3bc5f59cc8d9d

SHA512
00c8a6ebe20f03862afe1a8a2ff59bc96b4e2ac2a9cbc60eb7eb83ce351df841a93df858d978346e7175f5031b823fe402402600261e49e9547fc5fd7b9e558d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC22434711D9248CFB6E62530FD7FED5D.TMP

Filesize
1KB

MD5
3631bb35e19eb38aa608ab24084cbd8f

SHA1
e4183c4c34e08a3a1f1610d522a4c5ef23a0278f

SHA256
dc701b391a70573719edd12553aef27d3becd517cbf2806ce6b4b6e814fd42a6

SHA512
a83f4918195c080a65984553b6e7b8b0d7a686eab3b6e8b27078db84c7acacc70740bc62c3f2c460ed9256c14a3e981fc838c88e8a93427446a1dada42973ced

Download Submit
memory/1924-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/1924-8-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/1924-2-0x0000000005560000-0x00000000055FC000-memory.dmp

Filesize
624KB

Download
memory/1924-1-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1924-30-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2852-24-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2852-25-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/2852-26-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/2852-27-0x0000000005670000-0x0000000005702000-memory.dmp

Filesize
584KB

Download
memory/2852-29-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing