c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad

General

Target

c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
Size

12KB
MD5

b912a402c5c743b4fa0db4c9beded7a5
SHA1

c64ae82aed37a3506450db09b5e4a5205fc009a2
SHA256

c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad
SHA512

dc973419fd632d9b7e497894c51edef6fb3439dba8cbbc9e702cf4fc057d4702075ba79a0ea69706d0b2373fb7249154d8b92577e4386c1f024134a6fe98ab72
SSDEEP

384:LL7li/2zZq2DcEQvdhcJKLTp/NK9xaSs:fxM/Q9cSs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe

Deletes itself 1 IoCs

pid	Process
4480	tmp4382.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4480	tmp4382.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 3744	2148	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	87
PID 2148 wrote to memory of 3744	2148	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	87
PID 2148 wrote to memory of 3744	2148	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	87
PID 3744 wrote to memory of 4816	3744	vbc.exe	89
PID 3744 wrote to memory of 4816	3744	vbc.exe	89
PID 3744 wrote to memory of 4816	3744	vbc.exe	89
PID 2148 wrote to memory of 4480	2148	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	92
PID 2148 wrote to memory of 4480	2148	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	92
PID 2148 wrote to memory of 4480	2148	c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe	92

C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
"C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hzlcu1fb\hzlcu1fb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4527.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9EB9A3145F346229ABF6F9E641A624C.TMP"
    3⤵
    PID:4816
- C:\Users\Admin\AppData\Local\Temp\tmp4382.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4382.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c679b0af2d58f3ca6efcaf24df356341f3feadfd3d325193e0d847a1d64182ad.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
fed096e92b299eb75f5a7e4d1a10e4a5

SHA1
598d93301191c3efbd7134269385e37164c914f5

SHA256
249dfaabaa15f5194aa1b2a3fddd7292d6d3e3b0787dd8b1a50130774de63b30

SHA512
2a99b78f9359e20ef168130864f12366d12701ef8c40c1ee5c72f134d17c3188e4a625538f4a64961c493ed1240c5aed679ac665ccc1bc251f8595e506c86322

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4527.tmp

Filesize
1KB

MD5
0d8932824d4b101a5ed0b74704e04f4a

SHA1
e201d203a8fe78ce62865ec875d92aae38010a38

SHA256
051175ea044d2622ab8c6c0d3841a28ba4152cbfd98ba5a67b632827b07400c7

SHA512
569d87b0cf0e423e646a7cf23921c336485e858f8bff891d2f5e182bfd7670f76f16ccbeb45e26ff64d0f70dec4e6788a97a8e3f8e42f7c20f9e24bb7926f957

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzlcu1fb\hzlcu1fb.0.vb

Filesize
2KB

MD5
80af92fd4bc6642983024ef611fae21c

SHA1
beb66176ece391ec767db33651b3aaafac6cc951

SHA256
881e88f523e12130aaac6630867889453297c0d4b618d4dfaaaa5f66ae65969d

SHA512
f19700b12bd5faeda800a3a16ac34d0c63e64f535a8e1c367a659bd681ee215ee2c2536ff09ad1b2004196b198c4e0aacccdbe64b9f7c0ed6d9cde560940281f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzlcu1fb\hzlcu1fb.cmdline

Filesize
273B

MD5
d886cf61df09b60d13fdd12f954f3897

SHA1
1065bbec6ad19f3228638d0682f1ad2626466b6d

SHA256
db27eda11b3769e55204405c0d4fead61aff206b549e9e62cb2d1e15d0b01d33

SHA512
da1d6c4ede3bf31b34392c2e5906e80c5f03f52d6fd0511c199fab7a9815b03e406bcf9840f7a3dd2fb85d5b8647fa28d0424a7918b0100a68c6a2d991251bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4382.tmp.exe

Filesize
12KB

MD5
94d60452a0ac4e605d67d3f78bb279af

SHA1
68ebd76d1b35f922fdc936560ef19d4e335f3691

SHA256
f0a97cd974103429a5ba47f4a2fdf1199ebd312bddbc134c8980d77266bd981f

SHA512
b1d7e90fcd0c376bed26ee2c8343fae7e43232b22b79e9571ffbe2837f745408a6b369cbfa721daea37301a83623436c9db4df657b894472ceddab55bda11570

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9EB9A3145F346229ABF6F9E641A624C.TMP

Filesize
1KB

MD5
a1e53a3658a07dae6bbf50d4b9c03f17

SHA1
6adba83b61fb0cd5de30360b0b869e38b0f087da

SHA256
5506e0602c1295678ce2570c91909e39c8ca744f9c06754539332abffc723255

SHA512
9361a842506c46d87f0f4034ea76b3b98438ba3927049331aa7bbc774cc6f9a180da89ea58429286e677e4cdf53b7376f182193c9ea22ec6c8fdde93dfd55538

Download Submit
memory/2148-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/2148-8-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2148-2-0x0000000005690000-0x000000000572C000-memory.dmp

Filesize
624KB

Download
memory/2148-1-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/2148-24-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4480-25-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4480-26-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/4480-27-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/4480-28-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/4480-30-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing