918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77

General

Target

918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe
Size

12KB
MD5

a37b639c3d3d15621d92412478f20e2c
SHA1

f066f7587fff6236fc02659774c64da23f5ff382
SHA256

918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77
SHA512

1264463ae943f3ee0ad75df3777f4b5ed0cb3acbc879cb0fd3243573449a29d6e99e92f85a8887cdff1dcea7b5e285857a1bb5d6d6a248e4c7c886a692bd10d2
SSDEEP

384:DL7li/2z4q2DcEQvdhcJKLTp/NK9xaWN:H0M/Q9cWN

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe

Deletes itself 1 IoCs

pid	Process
4912	tmp513E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4912	tmp513E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3668	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 2760	3668	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	86
PID 3668 wrote to memory of 2760	3668	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	86
PID 3668 wrote to memory of 2760	3668	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	86
PID 2760 wrote to memory of 3972	2760	vbc.exe	88
PID 2760 wrote to memory of 3972	2760	vbc.exe	88
PID 2760 wrote to memory of 3972	2760	vbc.exe	88
PID 3668 wrote to memory of 4912	3668	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	91
PID 3668 wrote to memory of 4912	3668	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	91
PID 3668 wrote to memory of 4912	3668	918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe	91

C:\Users\Admin\AppData\Local\Temp\918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe
"C:\Users\Admin\AppData\Local\Temp\918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bjmd1j2s\bjmd1j2s.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES536F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC268B478ED3449E7A067CC2CE2570AC.TMP"
    3⤵
    PID:3972
- C:\Users\Admin\AppData\Local\Temp\tmp513E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp513E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\918eab8e1de86f38d83f66d97a3e9f26f76ab0ec54feab43540d50c29fa05f77.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6dd82777df79f49e17f057de40212e0e

SHA1
628a017684155292fdc2e3344c041202a963274f

SHA256
3ec5b01fd472d87acbd1745f0c8fe1a38fb7f5da0afacb85c617f53fddb013bd

SHA512
7827d86a5948a2bcddb3eb8d9eaee89e20878fc21b200bef6e367e819c05a69d99a1b098f68f5367cdc9d7316bf45bdd06ee03c054a6307a63f05cf50e4ddf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES536F.tmp

Filesize
1KB

MD5
0ee0ff994a893e73dc307ba505cfe46b

SHA1
a2159c17656f6558e8ff37b091266c6191fcf9d2

SHA256
d665ce05bc8abc3a04760c4b6b05c398a8a52d405079d26dc64f0b46c4a6cab7

SHA512
0696ce6083f63fd5b6b242d2a3118f3c4b439b8c93ad4fd3073583754f6d23b46076f35197144b7762599333ad9639a66125f647903291725bd5df689eb18d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjmd1j2s\bjmd1j2s.0.vb

Filesize
2KB

MD5
b201ca00e3e7b1019cf2b1f757193412

SHA1
9bc338896caa1f39f29d2a4c50fbaf5ba5aae7fe

SHA256
94f946554a3a2acfc3ebac8956035c8a03847404d70b959b0fa4014bc9455e09

SHA512
cd7a3ca66b79b97bf0d356a859fdb3db52091327fa2d3685b2931f091ccab887c3b3ad2e2049da7772d7fc9ee7ab7a07a89b57811cd61b42e251673a1289fdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjmd1j2s\bjmd1j2s.cmdline

Filesize
273B

MD5
673c33a29e7459feb1c6a8fb47155eb1

SHA1
430f72434d34f3cb392f383d596ec3e9e87f7d11

SHA256
e2a159f544b763b1085c4aaca6902d3800f6217bd8e1d2baefd409eb8a57b5e9

SHA512
f7bc778fc940e97e1ab44e628bcefb6cb6598ff234343a3377328f94449e3113a89fe1695869c1606426a89d82c57d0402742ffa7699569ac275228d902aa78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp513E.tmp.exe

Filesize
12KB

MD5
3cf1699c73688bbb6a77e3aced8c9e09

SHA1
fe39721990d0988c521193b0391a5d94a25aca30

SHA256
f3fa32e266eb6f90f5bd216cc495ce52f9ce65b078b75b754c81876758e5a0e8

SHA512
5dc3b9f7eeaa2e2e11d1ffc45bdd7238737b4339aae7360645a950c85d49850f0cf43b6cc1700f7d2716108daea42060b50bad9d194be96f3fb2ee2788bb0053

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC268B478ED3449E7A067CC2CE2570AC.TMP

Filesize
1KB

MD5
9d2ba96181f3a4503e2908e9a5965517

SHA1
7b96e60f373cfe7825927beb5e8ce10f5b66040b

SHA256
cd8623a36c351a2911eea6c1ec9fc12e860e2b0b9e9139086838e481c3e7e8a3

SHA512
baae48b31ab4d346956d830805d46ed6adb6b9a797a3428ff8c60f3ffc1822da4155ca43964445c386f68be0db0eaa66b4f744d6180aabfc9e169642b47fdf24

Download Submit
memory/3668-0-0x000000007532E000-0x000000007532F000-memory.dmp

Filesize
4KB

Download
memory/3668-8-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3668-2-0x0000000005370000-0x000000000540C000-memory.dmp

Filesize
624KB

Download
memory/3668-1-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/3668-24-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4912-25-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4912-26-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/4912-27-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/4912-28-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/4912-30-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing