8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117

General

Target

8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe
Size

12KB
MD5

8ae67f25869e43297ac33d87c981c8d6
SHA1

af74b6266540f6ca3e4c3c7532e2d04618fce9ae
SHA256

8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117
SHA512

71c2154954a1cc0dc725edce0247516f03f0637af4cbeb811f0b3743193e8bbb139b9a3fe5dfca81b2cb4112a86a07b9daa07947a26f77045566302db510ae09
SSDEEP

384:ML7li/2zSq2DcEQvdQcJKLTp/NK9xalA:KSMCQ9clA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe

Deletes itself 1 IoCs

pid	Process
840	tmp64D5.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
840	tmp64D5.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1364	2136	8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe	83
PID 2136 wrote to memory of 1364	2136	8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe	83
PID 2136 wrote to memory of 1364	2136	8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe	83
PID 1364 wrote to memory of 3008	1364	vbc.exe	85
PID 1364 wrote to memory of 3008	1364	vbc.exe	85
PID 1364 wrote to memory of 3008	1364	vbc.exe	85
PID 2136 wrote to memory of 840	2136	8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe	86
PID 2136 wrote to memory of 840	2136	8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe	86
PID 2136 wrote to memory of 840	2136	8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe	86

C:\Users\Admin\AppData\Local\Temp\8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe
"C:\Users\Admin\AppData\Local\Temp\8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4tghtbdw\4tghtbdw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES666B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDBAD5BBBA7FF4E6AA392DD4F45AC8555.TMP"
    3⤵
    PID:3008
- C:\Users\Admin\AppData\Local\Temp\tmp64D5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp64D5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8314a9094d8ad3b03ba5a782613aae4d03602072de578848e84ad31efd318117.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4tghtbdw\4tghtbdw.0.vb

Filesize
2KB

MD5
5d2b4305f9434c53437f6223ce6d690f

SHA1
d460cff960a1bfe1d1aef6bdbf9c730a11127750

SHA256
37f5832b2d78b10a24c768b693f537907a2f05a2453d47998a53bc8990aca466

SHA512
e365eeae6fa243329f8d82a789af26d2f40e9dbbb9da6405dbe0009d26a07f73674af645f0723079d319f35406aa189c5a0f2988c6ab4e079d6ba8b0dfa6066d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4tghtbdw\4tghtbdw.cmdline

Filesize
273B

MD5
e29125d3f87e439fd9fc69eaa5157469

SHA1
a48414efcac3731f190a99d0619c6aac7c342903

SHA256
9d59569811ca973b4ea2c9905fed5b8cb45bc4b1102dd21b211533a4d179eb05

SHA512
3206e904cf7bd0975bc2118a2fd9ccd839e2dc43f67a454c0625626796091a875799511655b96439ee29238fa72670a844158ace4ac0871f48aa6d390c83abf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
2a3d4448aae24f7f73988bd942f816b3

SHA1
a89e523ebfe4b0f2d460d752da548e0fa8c3414e

SHA256
f4c019eb4cbbf3f193f827babdd7c1b5b16b176773e5d02e4fb4c287f3447a34

SHA512
4f05dc7ff0356f52a062e0b52f1c4623d4cfb14b6b1202977555473331cb7381ace4cc3703156ee1bbf4d54438d8fd7379b80185bc31b0ee6de3259387493e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES666B.tmp

Filesize
1KB

MD5
2324604b9f765e8ad65635d0a1ac2954

SHA1
620a3ff3e35b56c7019d482540ae497046e10c00

SHA256
8c9f19c50626a4a5c0b8630015619aea248792327b4931dcbb9576c9fcde1611

SHA512
609ece9b18a1d1138c12141d686d9fea0fe656e443c567f5d291aa7d9e589b2d150578b46a5c32dcc5b49b903501ae7188646bb6d6eb497570018bf0ebe8cfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64D5.tmp.exe

Filesize
12KB

MD5
5c5cc1a967bf09a2e76f7dc7b93e802f

SHA1
90b0626625d07edfd09d63d9216e86f944706427

SHA256
1e353393b8c174e510a53b858d1f494c3e5eec9232f101b4275acfc6f10593c8

SHA512
073baffe032c7fdfd2d7699084b3a95afca3debf6ecf2feab8b511fce310e7e5e7603458932bb2194b868bea8eeab8f59f0d2336e56e2f9c36a93e2e81966f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDBAD5BBBA7FF4E6AA392DD4F45AC8555.TMP

Filesize
1KB

MD5
9d018200c2d25590c1b166d7e754abfd

SHA1
9c9a391972f6b46e4f3d345c3052dc881f141874

SHA256
7c306aea5325d2d074fcca3a3773bbe9e467930ed29a798f3b37c78419f2a5b1

SHA512
8499ac0f5f2d9349c8779bd2ffa78574b9b4c9ecb0632f2211faf64df3fdccdb272c5321e595a7f73cbe02352d3b0367e5e1360de3f3eb05f4835b0ca46d855b

Download Submit
memory/840-26-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/840-25-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/840-27-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/840-28-0x0000000005010000-0x00000000050A2000-memory.dmp

Filesize
584KB

Download
memory/840-30-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/2136-8-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/2136-2-0x0000000004DB0000-0x0000000004E4C000-memory.dmp

Filesize
624KB

Download
memory/2136-1-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2136-0-0x000000007509E000-0x000000007509F000-memory.dmp

Filesize
4KB

Download
memory/2136-24-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing