fc7291766af24760ecc65ce9ea7e342ded300d8d7f4c883b7055ec0f060ecaf5

General

Target

virussign.com_9d0c08e9397f1b734de76cfce378f320.exe
Size

12KB
MD5

9d0c08e9397f1b734de76cfce378f320
SHA1

bae676d1e7c3fe8d86bb252e040087a35f9c965e
SHA256

fc7291766af24760ecc65ce9ea7e342ded300d8d7f4c883b7055ec0f060ecaf5
SHA512

7587af76f33e1013a3336f84e23deaedf4d95d218f657c5bf3dd4da452c3291a267f9cc5c87e70921e1cb25005589aa165b410afd1e7fdc2e762dac3ddca0f01
SSDEEP

384:1L7li/2zxq2DcEQvdhcJKLTp/NK9xa+E:VxM/Q9c+E

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	virussign.com_9d0c08e9397f1b734de76cfce378f320.exe

Deletes itself 1 IoCs

pid	Process
3836	tmp3922.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3836	tmp3922.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	virussign.com_9d0c08e9397f1b734de76cfce378f320.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 4576	4660	virussign.com_9d0c08e9397f1b734de76cfce378f320.exe	85
PID 4660 wrote to memory of 4576	4660	virussign.com_9d0c08e9397f1b734de76cfce378f320.exe	85
PID 4660 wrote to memory of 4576	4660	virussign.com_9d0c08e9397f1b734de76cfce378f320.exe	85
PID 4576 wrote to memory of 2532	4576	vbc.exe	87
PID 4576 wrote to memory of 2532	4576	vbc.exe	87
PID 4576 wrote to memory of 2532	4576	vbc.exe	87
PID 4660 wrote to memory of 3836	4660	virussign.com_9d0c08e9397f1b734de76cfce378f320.exe	88
PID 4660 wrote to memory of 3836	4660	virussign.com_9d0c08e9397f1b734de76cfce378f320.exe	88
PID 4660 wrote to memory of 3836	4660	virussign.com_9d0c08e9397f1b734de76cfce378f320.exe	88

C:\Users\Admin\AppData\Local\Temp\virussign.com_9d0c08e9397f1b734de76cfce378f320.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_9d0c08e9397f1b734de76cfce378f320.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\syk41wau\syk41wau.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A88.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADD14240E6994A4DBE7F114DF9DAAA9.TMP"
    3⤵
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\tmp3922.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3922.tmp.exe" C:\Users\Admin\AppData\Local\Temp\virussign.com_9d0c08e9397f1b734de76cfce378f320.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
20f5c8a14116e2ac70b01e5e070bd826

SHA1
bfb57aa39f99d14fd99095cd209ecefd694e95ab

SHA256
46373699d27ab476a62a811b3329edba98923f068052ce88322ed44fd100daab

SHA512
40a9921fa914efd78715f1a98eb6fff4a3c13d388771aefa775ccfee125bb4b1847c9f4fbee039f7c33522f034cdb8bdbb48af35292d2974ef0cd621c09b0ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A88.tmp

Filesize
1KB

MD5
f557f576baab13df4505a33ead3d723f

SHA1
dea2bd2916aefcebcd686d2b09a7dcc5003337b3

SHA256
7ef30c1f6c360e83f95308a5f3bb5073b2d7cc5aaa9e6be283d6a1aedb8501ec

SHA512
1fd5538e9add24e9c8d51c01e2d59a614fabcb9485103cb99a32038c8c57b36ec8b26530f585bd022e92f51a7ebb043baecc3aaaa2ab21a0d272290c8464f8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\syk41wau\syk41wau.0.vb

Filesize
2KB

MD5
9934edec8f92299ab4cdf70744dd1d85

SHA1
1de0f7bf320637974c77c7f68f85e92a3afe9701

SHA256
d8b8199bceeebcc58b6f3a203ec6f63b55468d3b9c3e8f382751e65fbad7f73a

SHA512
b905ffe6740cc6eccb5d6ab5c2840f452a849783abb6d755cb1c7898659b36f9b9da02f2245be725ce4adc634081004552abc1f7ad82ffbb0ec932d4e4775ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\syk41wau\syk41wau.cmdline

Filesize
273B

MD5
3f1c17506ca3be699ab860ac3017669d

SHA1
e242aa47336f1d40c62fa0e2a5dcde3277b17624

SHA256
5aa13e2896710b39aab9312e79068bfcfe706085b59b6777bbdb047a488164dc

SHA512
68250b699a20b5e16091127c07ec0577c8483b4bfc3e22a10d59b4cc5e5180a5444eb60931fe5c7b14e7693dc89c5d26e987581f0c36a44a3b9faee24767059d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3922.tmp.exe

Filesize
12KB

MD5
83e018733e537c9a50068def4b3136de

SHA1
eb95f4a4cd9b3f22b1f1820e9bf60c6a3afe87e5

SHA256
a5988bee9f5bb322466ca8d856237e4c677f05e356b445391b0c3ddfa8388d5b

SHA512
50cf2584798a8634aafb58afe15d70860ffb491bc8e7a128254b79207e4f6ba655398d57657796f181504ad88e45ca23fe42aebcc1e0c8ad60be3171f195a516

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcADD14240E6994A4DBE7F114DF9DAAA9.TMP

Filesize
1KB

MD5
ccb1e0a5e90faae15c6f90ee377977af

SHA1
4e46ea5a1ad201a55213ad89ee9b6b2de2ebb274

SHA256
cb1cfe50085757f6acd8c633efc7e3e90077e3d20ebe43da500a604852d05d6f

SHA512
ac5910483d9cc93efff0173003e015119c22f54652efe0434df4cdec09061da6a39371fd62083ba90fb4492f2037d775a1724a93acec0384eb20de2feb45738c

Download Submit
memory/3836-25-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/3836-26-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/3836-27-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/3836-28-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/3836-30-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4660-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/4660-8-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4660-2-0x0000000004BC0000-0x0000000004C5C000-memory.dmp

Filesize
624KB

Download
memory/4660-1-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/4660-24-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing