8e9a8d11b239f2f4a3d87f14731844487b082db2ce8c4d1e4806a34288b60215

General

Target

virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe
Size

12KB
MD5

126b3843a4a1fb5a1c24f4a41eaa8790
SHA1

fcc820bfff76ae2dbd7c89119b87cd717644f6db
SHA256

8e9a8d11b239f2f4a3d87f14731844487b082db2ce8c4d1e4806a34288b60215
SHA512

f651810e1660613004fe77bbdaca3f9a87d1e56974084bd81b2f2ca7d40f810a71f076b483c09077c538d4ea43cc43df2e181dfc218403cfa51c280dd0dbc84f
SSDEEP

384:ZL7li/2zaq2DcEQvdhcJKLTp/NK9xaGw:pCM/Q9cGw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe

Deletes itself 1 IoCs

pid	Process
3008	tmp4A77.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	tmp4A77.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4404	virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 3120	4404	virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe	86
PID 4404 wrote to memory of 3120	4404	virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe	86
PID 4404 wrote to memory of 3120	4404	virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe	86
PID 3120 wrote to memory of 5000	3120	vbc.exe	88
PID 3120 wrote to memory of 5000	3120	vbc.exe	88
PID 3120 wrote to memory of 5000	3120	vbc.exe	88
PID 4404 wrote to memory of 3008	4404	virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe	89
PID 4404 wrote to memory of 3008	4404	virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe	89
PID 4404 wrote to memory of 3008	4404	virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe	89

C:\Users\Admin\AppData\Local\Temp\virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n4bnhqwz\n4bnhqwz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C6A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2999AE19FD0C43559A85E179FEC9781D.TMP"
    3⤵
    PID:5000
- C:\Users\Admin\AppData\Local\Temp\tmp4A77.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4A77.tmp.exe" C:\Users\Admin\AppData\Local\Temp\virussign.com_126b3843a4a1fb5a1c24f4a41eaa8790.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
931d63bfa648786e564d5f6069808543

SHA1
f05ef281cf407c8c378e2ee449103c7427581c0b

SHA256
f37f4f32b97989428bd29d8eb7db7f915a6127acf3b0855c2a685067d2edc927

SHA512
8d777ea0df1be72190835baf3bcba744a2f71e8c7ab390c0ae62767c5e0b2a5f80d30662943f0680b72f3e527173431c9435d5b5ecd77208bcf7c360c75bd404

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C6A.tmp

Filesize
1KB

MD5
533eaa7d0b2ba9898bd5b995df66ff21

SHA1
9ba03f87314db88532d59d65b81e94fb8afbd353

SHA256
e09f8ce797f619252ed8ffd3d92b94ba931988cc5526b2be6a251aea1e828c35

SHA512
344afa9cb76b9a1f02af6525d58dadc8af31a9f7d85987efc3a78ff22a499d4eabd948e9b6677f57f70a119ab80c3096e024068165bd4de2657fa7316e54fbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4bnhqwz\n4bnhqwz.0.vb

Filesize
2KB

MD5
45589f826c36a43eddaa7a0ef3a3cc1f

SHA1
7a10bc2891017a0cdcf346d9347843dede2b4293

SHA256
62e5011e12329aa98b884557ede74810243c6e44f078c23f99bff7510ed9b2e5

SHA512
65a540453a1c86cd0808c4326cfbbc0d2993c51a90bd7f695c9e936c13102afc49d292e6095f695ad75c41202557012cb159a8ac3a934376b5310c5d6edb71e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4bnhqwz\n4bnhqwz.cmdline

Filesize
273B

MD5
81f6bddfcafd5cc93f10b502663de248

SHA1
522298f5787d1ec2bd8be403612237bb5fdc3378

SHA256
ea73ac9c9842da9c35e5e3f98d09a996adf575ee122ed94806333df06cd57bf4

SHA512
1ba624d60a64987416a1f67675f0defb84b2349ad1c24c5367fa7023c43c357f5a3c095ab003822567a5ea6eddf1763e453c1a6784bd412e3c04a6c7476221f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A77.tmp.exe

Filesize
12KB

MD5
74c68d11e0f4a94c9da45535c27e92b7

SHA1
ec639ea79954817b6ae27d578ca52ece807195ac

SHA256
576d48e18c7f34af55465bc127833a79877e40023104448f8cd06feb52426d4c

SHA512
9c95033947039988e3b0fc999b11834ff42e59066344278d91558b4a0ad008fbcf36f9692766529a20a420e671f31cfd19df4bd58055dd4211d4044aca49d7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2999AE19FD0C43559A85E179FEC9781D.TMP

Filesize
1KB

MD5
a64c7bec8b36d32fc80251456775e8d8

SHA1
a072d7445431b8c7c46680a488b5c94cc1c05b0f

SHA256
d59a59448aae84d14a5ea916b290fc174dd45f0664ac8a671cb00d1fcd1baf97

SHA512
5e20244702c19c811fef99d8ae97985aebbf58968c444c14a17bf1452515c76491d07a8f7cd9f95907e35bb3c79cd61564892b663a80d80e1ba3e3032ba5d494

Download Submit
memory/3008-26-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/3008-25-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/3008-27-0x0000000005A20000-0x0000000005FC4000-memory.dmp

Filesize
5.6MB

Download
memory/3008-28-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/3008-30-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/4404-0-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download
memory/4404-8-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download
memory/4404-2-0x0000000004960000-0x00000000049FC000-memory.dmp

Filesize
624KB

Download
memory/4404-1-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/4404-24-0x0000000074F40000-0x00000000756F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing