9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e

General

Target

9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe
Size

12KB
MD5

7875b761f01649cbdf43f5ad77ee0d72
SHA1

b1d791783444aee8aba806d6fe528ea5b179f9ca
SHA256

9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e
SHA512

259257fc3659188a4e05b2e0c3046dbad3c9fb4e014ef4bba28ad3d47110827a6adb4c5bd88d664e1048ccac96eba4513e6c8bdd6edc3651e9dfb2e0a5ff24ab
SSDEEP

384:VL7li/2zWq2DcEQvdhcJKLTp/NK9xaJw:12M/Q9cJw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe

Deletes itself 1 IoCs

pid	Process
1688	tmp7408.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1688	tmp7408.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2008	2944	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	86
PID 2944 wrote to memory of 2008	2944	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	86
PID 2944 wrote to memory of 2008	2944	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	86
PID 2008 wrote to memory of 2044	2008	vbc.exe	88
PID 2008 wrote to memory of 2044	2008	vbc.exe	88
PID 2008 wrote to memory of 2044	2008	vbc.exe	88
PID 2944 wrote to memory of 1688	2944	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	89
PID 2944 wrote to memory of 1688	2944	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	89
PID 2944 wrote to memory of 1688	2944	9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe	89

C:\Users\Admin\AppData\Local\Temp\9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe
"C:\Users\Admin\AppData\Local\Temp\9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vjllco3l\vjllco3l.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES758E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc63333F5A82894FB186C9631F2C13AE62.TMP"
    3⤵
    PID:2044
- C:\Users\Admin\AppData\Local\Temp\tmp7408.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7408.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9fe769d46b04ae04d5d4827fdfacbafbf3d354ebb9e9996377dee9eeb4a0d24e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e0cc496447774b55a05fa60566b7b6df

SHA1
b1d3377e552cab3c4e069085bf588b1f4d88d4cd

SHA256
4c9653e493f406ffae4abb65fe82b48d9d1407f3c6e02cb4a56dbe0535fae898

SHA512
8a0bf85e41d9920e30140b292570b91996d45142bbdf4e485dfaa1e6440c2e5eae50a8c48321c6f93142b9b2b6ca5e25f4797d28741d65568de672cc8c20294c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES758E.tmp

Filesize
1KB

MD5
555b7dd19a3042c4335bad04a76ac95e

SHA1
78918c368f7a538bb08f4eb5ca3cf15f51b83e3e

SHA256
e650a19ab9be3c0854066f0f0bb748e1650dd9caa39ffa4aa07a74dd01be9f8b

SHA512
363f4ef4e3741f3fcd0b217c05cc72d26de493dc14387f6c453ed94fd18447f9d41113c3bd76e18c4018045f6007adb1ff9b862fd8db257a6a17eef0bc54cfc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7408.tmp.exe

Filesize
12KB

MD5
7fc74e773ffd678fa8102d62280a1c10

SHA1
b9eecd0e6e211e80ab320d97f6072821455b8039

SHA256
5ea570f45fb41c36e53db9393fb557bd7cc43d1431440bad77a934a41d4a6a59

SHA512
4f51540c60316e205dca4e6bad3edb59fee611e1a29b2b522044423e3cc2a5868c84fbc9e6b42930963b66606dcacd321dbed5af72bf4fe9834cc39e8dabc059

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc63333F5A82894FB186C9631F2C13AE62.TMP

Filesize
1KB

MD5
a2d18d26ef375b9b25f22e7c3e79a305

SHA1
57d4277da4b6fba86ba90d0d4b678d0b185e7fb4

SHA256
ef29a46d6b9c0a776b685e753057df059870819996b9887037c9d8578f6e4046

SHA512
e84ff817f0d9ae40de4179c93a63a8fe6fb298036b7e3730f489615b5a32a06024f41f34832647a5dcc9db0ad60079f2d7827722108c42ef499664760d4b459e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjllco3l\vjllco3l.0.vb

Filesize
2KB

MD5
a28f799115c2ca7780e40c5775a00594

SHA1
ee4853760bf3e51e67e21eaab3daa31bd1955de0

SHA256
39b377e84b9e99d33fe69191e039252c97919745ede8f7c777fd885a0f65ec01

SHA512
4fc469328b6958b2a2bdf50809d996e974e3724c10c03d32a80abdb843a2375d940325211878428b0384b83e3fbb1c77dff16f06c9f5cd97fc4910623cd12cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjllco3l\vjllco3l.cmdline

Filesize
273B

MD5
c516348419021605f35611bb6e88588a

SHA1
a3cd8200b30a14dcef6ccb750e8736ae69be1f1a

SHA256
0a422914f1dd34fe2b45e827add9cc77c3aed5aea38b1a7efc23cb0f36f8e602

SHA512
7b865aff9a39c1e545b4a84331f5eaaa2da0d677f01df6d41c494d08016c9f6e48687b50411cff1babd641fc231ba3b0f8c69664e553cd091591c8f8ef1458aa

Download Submit
memory/1688-25-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/1688-26-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/1688-27-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/1688-28-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/1688-30-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2944-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/2944-8-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download
memory/2944-2-0x0000000004BF0000-0x0000000004C8C000-memory.dmp

Filesize
624KB

Download
memory/2944-1-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/2944-24-0x0000000074AC0000-0x0000000075270000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing