f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401

General

Target

f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe
Size

12KB
MD5

b4ca9e7dab55f4650035a2d02b33fc50
SHA1

a240e5642f1eb1489b48acb987dc864dd617658e
SHA256

f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401
SHA512

d57d476a6dfb464b757c5a1a915dd7a34bbc631b68aa20cbf4fa195fec04be3f95ca09b9edcad12e8853b891da286ce91c5e53567f2d26d170ac807674a447c6
SSDEEP

384:8L7li/2zuq2DcEQvdhcJKLTp/NK9xax3:aGM/Q9cx3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe

Deletes itself 1 IoCs

pid	Process
4300	tmp4C9A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4300	tmp4C9A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2052	2664	f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe	89
PID 2664 wrote to memory of 2052	2664	f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe	89
PID 2664 wrote to memory of 2052	2664	f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe	89
PID 2052 wrote to memory of 2132	2052	vbc.exe	91
PID 2052 wrote to memory of 2132	2052	vbc.exe	91
PID 2052 wrote to memory of 2132	2052	vbc.exe	91
PID 2664 wrote to memory of 4300	2664	f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe	92
PID 2664 wrote to memory of 4300	2664	f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe	92
PID 2664 wrote to memory of 4300	2664	f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe	92

C:\Users\Admin\AppData\Local\Temp\f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe
"C:\Users\Admin\AppData\Local\Temp\f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gloeauof\gloeauof.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D95DA1AA68E4F0B9C2CA89C3ED5B54.TMP"
    3⤵
    PID:2132
- C:\Users\Admin\AppData\Local\Temp\tmp4C9A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4C9A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f804399a79f59008b861e204dec4babc53c556f565af794dc6f3204154938401.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
20f5c8a14116e2ac70b01e5e070bd826

SHA1
bfb57aa39f99d14fd99095cd209ecefd694e95ab

SHA256
46373699d27ab476a62a811b3329edba98923f068052ce88322ed44fd100daab

SHA512
40a9921fa914efd78715f1a98eb6fff4a3c13d388771aefa775ccfee125bb4b1847c9f4fbee039f7c33522f034cdb8bdbb48af35292d2974ef0cd621c09b0ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E10.tmp

Filesize
1KB

MD5
55d61f514a220de10a5ba754c91481cb

SHA1
791c0717c4355ee53f5aded9c51303b555978262

SHA256
14a188de1ef92ac9c32a0868f3b3726c4b2e506d6931f016a2ca2c0c48419d1b

SHA512
3796c427855b50055d7e99b8b518cec7c860c1f359ba653afce9f6f362edd9d2d6c467d08b4fd3dda8bfe8bab8619fabd9ded8e13530e54b94ad80ba6d79706d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gloeauof\gloeauof.0.vb

Filesize
2KB

MD5
9934edec8f92299ab4cdf70744dd1d85

SHA1
1de0f7bf320637974c77c7f68f85e92a3afe9701

SHA256
d8b8199bceeebcc58b6f3a203ec6f63b55468d3b9c3e8f382751e65fbad7f73a

SHA512
b905ffe6740cc6eccb5d6ab5c2840f452a849783abb6d755cb1c7898659b36f9b9da02f2245be725ce4adc634081004552abc1f7ad82ffbb0ec932d4e4775ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gloeauof\gloeauof.cmdline

Filesize
273B

MD5
f6c14730e4c36b650697abc11ed51bbd

SHA1
03e76a058aa08e0a11cdd00c62cb8b3016d15d9e

SHA256
3057c18830d70e7e7fe7e361bf3a56ee6bf6613be69e3cd6cada7168f13c973f

SHA512
dbfb4790127c3ffa7dece28b8562be797865bb33e81b287ddb9a9fd2b54baa09f587795908435429f252fbe4bd965b57c21e2327043e3834ee474b6451caad03

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C9A.tmp.exe

Filesize
12KB

MD5
5a1ef0eda70ebc84c0372b6015aa8f5b

SHA1
35bec8930d1c3895a6e7cae65f248ca0cad42d0b

SHA256
d4b72d44e9769f2e1b7ea8999971bfbeaaac4d911b0a7c0d9dff5a58888ac1bc

SHA512
829110ea810ba679b6a3b420fad02df4656524fd90abb14bd13e6da90e0428705249516410f7c6d77bded813cbaa4795dec65cf089725028966d05048dae195a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1D95DA1AA68E4F0B9C2CA89C3ED5B54.TMP

Filesize
1KB

MD5
cb216da5ee644ddfcdf2afe6dee5f924

SHA1
20702541659608df110e868a6721eeb7d9958c9a

SHA256
b27e4b374dbb7c87e42300d129c8eb51e47efc60e72f2c3fd6cd3d51b999b657

SHA512
04f80d9845bdefae232aa7772654e2b3369ec09a3f3b2eb51d1af74426c90be4dd5eec2719d7151dd6a466789d5edcd312f1ea1586c35699e756fa6447ecf43d

Download Submit
memory/2664-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/2664-8-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/2664-2-0x0000000005930000-0x00000000059CC000-memory.dmp

Filesize
624KB

Download
memory/2664-1-0x0000000000F90000-0x0000000000F9A000-memory.dmp

Filesize
40KB

Download
memory/2664-24-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4300-25-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4300-26-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

Filesize
40KB

Download
memory/4300-27-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/4300-28-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/4300-30-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing