3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b

General

Target

3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe
Size

12KB
MD5

fca2594763b5ceae79b5d4cbb8a6aca1
SHA1

fa70f1457216d197e160b8ca372e281f6df86615
SHA256

3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b
SHA512

b330b6b8ad41c48f32e91aa22a7779508c34e9ae31e2fee679f98897d1ae7d9aafcc3ac605371b54cfa0a739997e8d7c5bd622ed66cfc06be97803bd6af92271
SSDEEP

384:9L7li/2zlq2DcEQvdhcJKLTp/NK9xa9e:t9M/Q9c9e

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe

Deletes itself 1 IoCs

pid	Process
4624	tmp5843.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4624	tmp5843.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 3736	1036	3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe	85
PID 1036 wrote to memory of 3736	1036	3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe	85
PID 1036 wrote to memory of 3736	1036	3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe	85
PID 3736 wrote to memory of 1808	3736	vbc.exe	87
PID 3736 wrote to memory of 1808	3736	vbc.exe	87
PID 3736 wrote to memory of 1808	3736	vbc.exe	87
PID 1036 wrote to memory of 4624	1036	3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe	88
PID 1036 wrote to memory of 4624	1036	3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe	88
PID 1036 wrote to memory of 4624	1036	3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe	88

C:\Users\Admin\AppData\Local\Temp\3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe
"C:\Users\Admin\AppData\Local\Temp\3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\23rqruhs\23rqruhs.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES594B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD4520AE3A254EB2B91DCDF447BE2F.TMP"
    3⤵
    PID:1808
- C:\Users\Admin\AppData\Local\Temp\tmp5843.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5843.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3cc0f3d7ce58a5972c0fcb1e4be534e34012a7c12b3c449e767df09d57cb0e8b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23rqruhs\23rqruhs.0.vb

Filesize
2KB

MD5
e36b72f006c76e07cd11cbf270cafb10

SHA1
950f24ed06452e61a9fb7ec002fa87a64ac74996

SHA256
2556ea2b963c1b2a9026a2150495ee714e37ba25cb61fe07241cc60b67ef4eb2

SHA512
71007337aca7e6f6b86195bdd1d4c3892ad30f810e9f13605bc01024313ab6b92882016102029c76e55e514d89c9cdd49c75b5a8fd00cf19836ccdb2abf662d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\23rqruhs\23rqruhs.cmdline

Filesize
273B

MD5
96f597b2492c6e38686484194a6e762e

SHA1
ffbfa8bea08d16708a200e57cc403cf111dfa3e3

SHA256
eeb96a1c1d18c2ecbe88c6943c0d77c124c3807bec7fe590dbc0f59382a0e4d1

SHA512
8bca588616b1bfb488d3c3a716acddb5463dbe9991b36652e17b53e33baa30d1adb181743017d0f30b1f958186571734062ea42f410813a336f4b88538e48813

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0d61a36bb7cfd33c7f46d97685d64608

SHA1
d46513ac829b7c54bdae060fd372cbd8f6d0cdd9

SHA256
6787a8a3c2fc4d58f54464c1788b250db6ada3e2859ecd8fcfd021dd17170789

SHA512
d8dc4073cbccfaa2d31003670ff7055331fc47783a30239690c3e5061008fcf1bb4c810629a66926dc960c52ea03e624a2ff90898d89f500c7a2ef6252dd6d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES594B.tmp

Filesize
1KB

MD5
f8f959e11af517b54c3b96f590b05b3f

SHA1
fd5a5cdede91b0327fa5be6432e3950bc8766dbb

SHA256
f5f9cac3ff5d2c8b0f69f20cbb1fd8c36a92510de0f68e636628532b70165482

SHA512
b02a9f99e37aa48487e52c41ad672ebfd2e53fb03f21cfdb6887ef374e221a9a86637ff721e20ecde5a39da5484fe1bd20d4fd6e69bee0a69c998eda86b73fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5843.tmp.exe

Filesize
12KB

MD5
0988702f291a8a2349fcbb21a813ed56

SHA1
e03ab1925f537ce1fef91263d08aebc9f22da5e1

SHA256
15c4d077e5c68ed183d778dc84439d10d257c1259ee9b8cadbab13d54eb9db38

SHA512
4ee42f9cbf9667e34395c6e2394a2826f037b4e18560b343c068580c2d21c9667387ea2c04b96739fb062939bb7170f296cdd4139d18512b53746fcbf574b715

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAD4520AE3A254EB2B91DCDF447BE2F.TMP

Filesize
1KB

MD5
05ac06e11a2a7c5bc5fdbd46d48b281c

SHA1
c66d9ddafe627eb43bac7e2cd4a03d3b5d5b0707

SHA256
ec38dfe9e3da7ee203d99379ba42f146e2869619f14d1a75df089529e2e85879

SHA512
dc9c2801de5109469e96005db64a3328fd0975d1b5a32266f7d31966bd715bd29b75f4590aa62157757d316fa9b6f5799daf9c4c1f21786c6cbbc0308797b19d

Download Submit
memory/1036-8-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1036-2-0x0000000005390000-0x000000000542C000-memory.dmp

Filesize
624KB

Download
memory/1036-0-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/1036-1-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/1036-24-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/4624-26-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/4624-25-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/4624-27-0x00000000053A0000-0x0000000005944000-memory.dmp

Filesize
5.6MB

Download
memory/4624-28-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/4624-30-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing