19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc

General

Target

19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe
Size

12KB
MD5

7287a3c66a30c177a69cab091eeeaa4c
SHA1

a0a8e86f4cd932f2c9c987dee0601760333b05fa
SHA256

19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc
SHA512

da8a99de77113243dbeb4ea1df517650c6690e9e922366f9b16b6f6b321ed2c4ee8b36b47c471d75de2402f0545bdfd2f8570f6f08b7bff6cb081ecebe8fd166
SSDEEP

384:ML7li/2zWq2DcEQvdhcJKLTp/NK9xanU:K2M/Q9cnU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe

Deletes itself 1 IoCs

pid	Process
4972	tmp444D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4972	tmp444D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 5984	4148	19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe	85
PID 4148 wrote to memory of 5984	4148	19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe	85
PID 4148 wrote to memory of 5984	4148	19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe	85
PID 5984 wrote to memory of 448	5984	vbc.exe	87
PID 5984 wrote to memory of 448	5984	vbc.exe	87
PID 5984 wrote to memory of 448	5984	vbc.exe	87
PID 4148 wrote to memory of 4972	4148	19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe	88
PID 4148 wrote to memory of 4972	4148	19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe	88
PID 4148 wrote to memory of 4972	4148	19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe	88

C:\Users\Admin\AppData\Local\Temp\19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe
"C:\Users\Admin\AppData\Local\Temp\19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pzckxrhl\pzckxrhl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4546.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC5490CCB45AC45E6B05FE3A950154522.TMP"
    3⤵
    PID:448
- C:\Users\Admin\AppData\Local\Temp\tmp444D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp444D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\19fcbfe54fca0bace2d0f1ab9fc6f4fdf3263d560ad514bdb12303cedb3025fc.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
81b5ad21ad2f65849d669e20a8cba674

SHA1
f484b060a53c9648affcbb335017622788ff4658

SHA256
bc41b57e722500c85cc77c45b61fddd2d8d85995142dce4c77b9db691a4d9010

SHA512
ad84da235fb4c175212007b2edf697bca50b684f3e50fb552ab0c7e3687fb8d3d13d6838a6e821e48f2fe26eb732282e8626eecd42e3aad6d2cd4d825e4912ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4546.tmp

Filesize
1KB

MD5
46b2bb49068a89003922ac00f6f665d7

SHA1
4c93d32a73c0d92d352fe278c14885f228442501

SHA256
7fc6b8f6e1eca8636c54e46670dffd4d6f7f5f481abe6cc001b29d2189d4b98a

SHA512
47126ac98513be6ed4f6368335baf2087fbe8366ff29ce2e636891a9e8653f9ac48a5e84a3257f021e35e3f655c389c58b08e6cc4088e607418a5bbb5f6d8ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzckxrhl\pzckxrhl.0.vb

Filesize
2KB

MD5
6252f0e4921e8db9b34eede2a158345d

SHA1
c6a6b8b82d5c1569bbbd2cc1fc075ac4fa013627

SHA256
e93d0e467b11d238458372b1c284e08c5f2864866732f9af1c341502b76b4847

SHA512
45aba360d97d15cadf9203bf59ee2da8614fef255efa9d721780c2dd5c7ad8f5c9d2ed3849d3c0cf51635b097cf91e32aaebb434ff5124c0c9549ac407a21b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzckxrhl\pzckxrhl.cmdline

Filesize
273B

MD5
eb78930a4668df8d392c8e0d76026867

SHA1
f3e326cc6a0e1135834066b147fa61d76c2584df

SHA256
cba358a87be2f4729dc5c8ec965a218931f522b0cc2293c16d015dc6f9e53d62

SHA512
31494a95986af2a50f602b977800daadbfaf1869bc0ee047b87fa8631ed8bbb7c296cd96dd57ed10e8f45f5c28982696c361d4eebb7a624fd1fe5e6b48b6a347

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp444D.tmp.exe

Filesize
12KB

MD5
3d14b53c8d3577e14deb7845f7adeb20

SHA1
595542b0f7853baabd7c6dce5945673082544a53

SHA256
94ab4dd0984b759b4ce2693485ac71419ab48b1bb9d3437521b794e7893cbe29

SHA512
0418bf80da90c8b20f57575b08f3826a0fc1df49e185014a1f26cf269e4e5969fec17d6f4e70f63aa83a2de55811fdda9c6124cb64732017b3bc34fe2afa5768

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC5490CCB45AC45E6B05FE3A950154522.TMP

Filesize
1KB

MD5
23898730d7330888a2aeef4aefdde3f9

SHA1
e545acdc5e66c6087aedcf4fe79938dece0cbd5a

SHA256
1c3abcf4f7cfa22b2ec602a325f4b0600bc347429c134119cd2aba9eff95f125

SHA512
639af890d7caa15dc7c3d1aa94201f6deed5ccf6a392d45040696a501568daa6e987d912340fc17d24d0191d0bc407c0118cf3543f42a6a86cad3629adbbdc3a

Download Submit
memory/4148-0-0x0000000074DAE000-0x0000000074DAF000-memory.dmp

Filesize
4KB

Download
memory/4148-8-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/4148-2-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

Filesize
624KB

Download
memory/4148-1-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/4148-24-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/4972-25-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/4972-26-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download
memory/4972-28-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/4972-27-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/4972-30-0x0000000074DA0000-0x0000000075550000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing