139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7

General

Target

139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe
Size

12KB
MD5

4216a17e11d6461e8939b570442ecd49
SHA1

b872e2ef3abd52871f3bf52c161d15dfc209a621
SHA256

139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7
SHA512

73edb4257ccf2c2f7b9cdd4340acefec4881ce8ca6545f9bd4a87f0e13b48dcfe424518f41f0cd620e7baeb708ef61bcc62f086b3c77c52143f0c57624673523
SSDEEP

384:xL7li/2zmq2DcEQvdQcJKLTp/NK9xaJPxw:xmMCQ9cJPxw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe

Deletes itself 1 IoCs

pid	Process
4496	tmp4789.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4496	tmp4789.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 1516	4628	139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe	86
PID 4628 wrote to memory of 1516	4628	139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe	86
PID 4628 wrote to memory of 1516	4628	139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe	86
PID 1516 wrote to memory of 2016	1516	vbc.exe	88
PID 1516 wrote to memory of 2016	1516	vbc.exe	88
PID 1516 wrote to memory of 2016	1516	vbc.exe	88
PID 4628 wrote to memory of 4496	4628	139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe	89
PID 4628 wrote to memory of 4496	4628	139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe	89
PID 4628 wrote to memory of 4496	4628	139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe	89

C:\Users\Admin\AppData\Local\Temp\139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe
"C:\Users\Admin\AppData\Local\Temp\139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pkuz43bb\pkuz43bb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48C1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAAF300747F8B44368830E8CAD375985F.TMP"
    3⤵
    PID:2016
- C:\Users\Admin\AppData\Local\Temp\tmp4789.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4789.tmp.exe" C:\Users\Admin\AppData\Local\Temp\139f1fbfbb32a19b7fac207b6c3ff62969ee2f8d91babcbe45eb9d1d2df17dd7.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
9b95e6030560c579c75c9ab29a9980ed

SHA1
245787141f9fda19d6f5d47e1e639f1c581de03c

SHA256
da4e4acb786f9ea4ea3ffc93723dd45402cca62591d5f1d05995e32338b03778

SHA512
3da9f828f612ee429cf703c069e8a9d1de3604de9b8f1fc40db445c8f4803da2ea6829f86492e4b183fa8e5089d59737ca5cdc8926b8f36081785e38a6c20ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES48C1.tmp

Filesize
1KB

MD5
fe8cb51d61aeb31b651ac12cb2fdfae5

SHA1
6f4fd7ea81ba26ccb5cd88d39fe4b9d55750ac64

SHA256
137f4e5ae6f32947b281bf1338fed3c003f43f4f8d15e850e52b9ccfd446fe78

SHA512
1f9522e968e9d5a96640273ddbedd180ae411cd347b6e2762543296488e3016cf893fb4e5b9174d18f0103598d68faf461cc8f649489f720c735f82e2f0ac7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkuz43bb\pkuz43bb.0.vb

Filesize
2KB

MD5
4ecffec0487d6e6d0cda21f25a841100

SHA1
cc68e143864b64dc2ada83ae04b5a4ba050a786b

SHA256
a79edc20b5049fdfcf6ec28fab5879c804bef439af03296b9a0e7f5f276eaca7

SHA512
4ee01d760dd3633b3efff090523aeea4492ba2a6997467a1c1045d144196c9408acb1e633c2668847d17b343b0c2a0b3c9b2e1efb19d658647ddbd8dffcf4e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkuz43bb\pkuz43bb.cmdline

Filesize
273B

MD5
ee21089ea36133964975a7f1ab1a01e3

SHA1
0be9b20b9fde732363441a1eec01ad0e98f01866

SHA256
a6e1915a4bb53f26fc925f2d9fe8938cc8b31eb7b3bd049d46d32ed9eee498f7

SHA512
3abe2f542307ceb969fb2bf0f14f65b3275f2cef01b15ec414a8172024ebb2a1fdfb74fbf7bf14e57cf424db56cfd181c0cf9abd6b4ca18d5042a89839b8d14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4789.tmp.exe

Filesize
12KB

MD5
9b26eec1baea43ee2968bece2de4d1d3

SHA1
2429fd5e4990178d89014249dc8ad8f308e2ff3a

SHA256
7960967412ab632d3acb7c6f477fde0ee3a1525c7269314c5ed3284da5deb81e

SHA512
485cb4aa97b348125cf6f1cfbba8d72cf363a8a22fbfd859e1293ad27b1dfd62a22cd1c8128eca656120d3b9c7eecf036b1c8245431e785cac80051ecf36b04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAAF300747F8B44368830E8CAD375985F.TMP

Filesize
1KB

MD5
77e83009b93e5139ea858e2ed27375bf

SHA1
6f8a024ef664768a7c82cb5f41ba0cd463d25f7f

SHA256
ab30b0b58d31a8cb073d4c376fb6cf0130040a5bde49ab7b63fd5eea1b10aa25

SHA512
50bacbd962aa0cc7f9f9ba34053c2ad9c3267cfcf5679994f2df3ec578bf4cc7dbba8468c6fb62f9637cabba1f24c19949f70a294288d3289d0803c6e29465bf

Download Submit
memory/4496-24-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4496-25-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/4496-27-0x0000000005060000-0x0000000005604000-memory.dmp

Filesize
5.6MB

Download
memory/4496-28-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/4496-30-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4628-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/4628-8-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4628-2-0x0000000004E20000-0x0000000004EBC000-memory.dmp

Filesize
624KB

Download
memory/4628-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4628-26-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing