e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f

General

Target

e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe
Size

12KB
MD5

7f3b36803cad4ef33701fa937a792eb9
SHA1

e7eaa8dd6b6abbdd2f0e1a6979a62e37dd0b9063
SHA256

e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f
SHA512

7e0aee2b2e17bc9d8b40515a4e1ed4713806f192fc5508304294de937584dd99e9b605e3363ab45b881ddab6aab8eab0c234f05788f4cd8cc30cfd542d06e26a
SSDEEP

384:XL7li/2zseq2DcEQvdhcJKLTp/NK9xavw:blM/Q9cvw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe

Deletes itself 1 IoCs

pid	Process
4472	tmp403.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4472	tmp403.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3584 wrote to memory of 4932	3584	e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe	93
PID 3584 wrote to memory of 4932	3584	e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe	93
PID 3584 wrote to memory of 4932	3584	e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe	93
PID 4932 wrote to memory of 3948	4932	vbc.exe	96
PID 4932 wrote to memory of 3948	4932	vbc.exe	96
PID 4932 wrote to memory of 3948	4932	vbc.exe	96
PID 3584 wrote to memory of 4472	3584	e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe	97
PID 3584 wrote to memory of 4472	3584	e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe	97
PID 3584 wrote to memory of 4472	3584	e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe	97

C:\Users\Admin\AppData\Local\Temp\e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe
"C:\Users\Admin\AppData\Local\Temp\e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kvzo4zaa\kvzo4zaa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1E7B2DE399924A63933F4CFF867E02B.TMP"
    3⤵
    PID:3948
- C:\Users\Admin\AppData\Local\Temp\tmp403.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp403.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e8a5b2b11dc992e27b289dc6576039454f76a471ef6a2fc63c545f5299b01e3f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3404,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
1⤵
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4f6005f46c010c0dacf90526b36dc4ac

SHA1
c44f23af36385257ec32dc9d644f30b5c131e8e2

SHA256
f5e901aa0925f8700734d5ef54bcc629ab44eec0328c8cec075a9717aa794608

SHA512
0d3220e540f9f0f548f48c95e4c9f70fbb912f92edf998caa53ca6c5551f4b183681a37f0f86a24932d9c7052f70fab779fc0741f70b0b608aae7b707353ab05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5C7.tmp

Filesize
1KB

MD5
f58a9a5b7f384f188a035f98c9492980

SHA1
67bd8443cc665ad3ec45fb77f8dc14373d22fb8b

SHA256
1dba672f9f57754f53b63d76a05a8ef6b3b55e22142b490c46e72595a60198f4

SHA512
87cc915ef6e9ebe12188e473af430eee8348563fb3a9fa39520689bc9ff34ac8025a66c3aa5169c01bbeca80e594a7d4a7c08283f49adf24bc6a57b6633d4d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvzo4zaa\kvzo4zaa.0.vb

Filesize
2KB

MD5
e5d36ac005935c318d49215725061c2b

SHA1
bc80673d002c681d86f204ff24f3d0c4f9857fe5

SHA256
fb16d4af38a12e47a620192d0331afa6547df3ab6a45155b2fe3f2e98a2129d3

SHA512
b1bf1a21fa65d3b9bc2e2c67cdaef48074898bd051e970acbb68e504bd14c0044b24a3b414c76bf05d9698ae58324c46cc5a2224be1d30c0925dfb94eb5b0a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvzo4zaa\kvzo4zaa.cmdline

Filesize
272B

MD5
4a9c5423a3cf9b3e785eb046ba816d56

SHA1
a6db665667b5f638164c16a98da232370dfa91fa

SHA256
4cace020c7880c9538c02cdcea1ee563f2ee01cda59849e6ac429dc3bfe87f05

SHA512
105b0b71b38b754f4f265cf5a78f3cb5b01faea1ef84086915c221561500a0778a6700b38037fecc0c8bab43530f7d753e1ffac489e91cfd4b186e1da469e695

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp403.tmp.exe

Filesize
12KB

MD5
2a3e206162fe49a95c624b21bd94172b

SHA1
6321ddd98b377559d8062d7c71a32d10d225ff42

SHA256
d8eff22512173a8e1e54ba3df6e4a1ff4a7c426e05ddb7d56ebba6ddf248b471

SHA512
db66a2ff63cd87b3ef286c213bb0a993eba84f096f608bbff7eff2a10771d2a6c70f8c2a29f3b44129c74cbe62116fb2b3ead5f35c388d9b06290a1ba2103f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1E7B2DE399924A63933F4CFF867E02B.TMP

Filesize
1KB

MD5
0fa1540f0f99211f5ee60f8e978510c7

SHA1
02bb1cd759e62e35d7f5f8aa3152dd46f5f10555

SHA256
12e85c4af0b309365abc83eaecbe3a1edb32154fbf94b2ac83c197264f553ef9

SHA512
e9709eae3cceb3373062e233c64e7f0ecf6952bfcf2d67eaa046ac4521f04a9eba67fed75acb8a6f20d3a62345f41d3686dacff7786ad4cfe3105eb7aa588a07

Download Submit
memory/3584-0-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/3584-8-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/3584-2-0x0000000005760000-0x00000000057FC000-memory.dmp

Filesize
624KB

Download
memory/3584-1-0x0000000000DD0000-0x0000000000DDA000-memory.dmp

Filesize
40KB

Download
memory/3584-24-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/4472-25-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/4472-26-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/4472-27-0x0000000004F50000-0x00000000054F4000-memory.dmp

Filesize
5.6MB

Download
memory/4472-28-0x0000000004A40000-0x0000000004AD2000-memory.dmp

Filesize
584KB

Download
memory/4472-30-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing