01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e

General

Target

01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe
Size

12KB
MD5

899ce74b2c00a1fb34f9f2708610ebea
SHA1

b255de9d773b5bdfcadfcc07542371ccba4d50c4
SHA256

01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e
SHA512

68b5124d356a4f1d233ba7b6a39b20a59d9d7420acfe08a5811053432ce902f940cc668fa624d0d7e9997f920410f197f1f43710085c65f4496544aabbc46081
SSDEEP

384:cL7li/2zCq2DcEQvdQcJKLTp/NK9xaO7:6yMCQ9cO7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe

Deletes itself 1 IoCs

pid	Process
5004	tmp785D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5004	tmp785D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 5076	4532	01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe	87
PID 4532 wrote to memory of 5076	4532	01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe	87
PID 4532 wrote to memory of 5076	4532	01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe	87
PID 5076 wrote to memory of 4416	5076	vbc.exe	89
PID 5076 wrote to memory of 4416	5076	vbc.exe	89
PID 5076 wrote to memory of 4416	5076	vbc.exe	89
PID 4532 wrote to memory of 5004	4532	01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe	90
PID 4532 wrote to memory of 5004	4532	01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe	90
PID 4532 wrote to memory of 5004	4532	01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe	90

C:\Users\Admin\AppData\Local\Temp\01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe
"C:\Users\Admin\AppData\Local\Temp\01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xbulbpdz\xbulbpdz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc13D3E2345DB4EB09123F732C920F918.TMP"
    3⤵
    PID:4416
- C:\Users\Admin\AppData\Local\Temp\tmp785D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp785D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\01deefb0edfd41cbdf3934f44ddbd597862dfc1954553c1400a5cc9416b11a6e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f19f5ce9c87c70da42142ed0b679042b

SHA1
e45cc034e49bad4d5ab4c224136f91bd4e7e68f9

SHA256
f52ca886b0683401e9e64c379f0a951c615ed5feedecc7f92088b7d5e08cc139

SHA512
5e87d087a4d1c8591107c58d93d47ec79d3221622ca48011204259c020f1b08d61e799014f87f7cc218d0b5fd9cb5128da93d04ddd3f3c7d04ad9c695a743a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A50.tmp

Filesize
1KB

MD5
7b8668223844b23d4b39a09d629743ef

SHA1
fe9e986cc8c242d3a45dd8f4f87a1089279afc89

SHA256
ce96f7add2df1f72200c3ac9e2bb482512998f01a4b151c514783fe6f83a05a1

SHA512
8b9f9223f3f58b7dff1129d69fcc5c91e1ca3cb4f04c1dab2a999f928bc09120a9e9cf1ce21ba9d347790a3546336f1659abcc10f2d60001056e5aca87ebcd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp785D.tmp.exe

Filesize
12KB

MD5
dca4bfb4f2bd631de23d751af16de167

SHA1
ce1e555dec4f70af273ff146a3d5a50f77564d22

SHA256
82e92a262da2509dc115d75a044a6826ccd045c29e1be763427c03b30613eaf7

SHA512
6d6f8e91a76d03e75f82bd7fef4d28403052242eee1faeebac9f0618d78b6a478531c12acee0d479166373ade5f370ac48749e0399ea76405de17ba00a224a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc13D3E2345DB4EB09123F732C920F918.TMP

Filesize
1KB

MD5
bddba4c0d7b1f66b1b4d8d26ca94d307

SHA1
dc2980428cbce38c1a303551435050a0f252550b

SHA256
07daeed0ed66cea582f0e3f96b16a52d586626b86660a3e6f04c612b9149a9bb

SHA512
251400dc7e0e18e6d21029e98c9154add8c90d1c67971ff185f0ce99e4429f97a21f799fcea20cff2ca30e0be1f18e43e73ad80edbbfbc4d57c39bee7b0cdd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbulbpdz\xbulbpdz.0.vb

Filesize
2KB

MD5
14cf0578bdd5ab16e00aa9431b9c6145

SHA1
aaf1a6a727cbece21ea6c278a76c06d9ec74a769

SHA256
2fa3f44b89dfa38717126180b73ae6a75cfd001b21dfb4b4e68caa0a366823ba

SHA512
6e639029e304ca696c5c168b8c770b1b2477b0b36f40925c01b8c2e91f6ccbd22ae0c412364f46a2c41b6f5cd9cf559732a695f188a1dfb3a6b358946dc4cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbulbpdz\xbulbpdz.cmdline

Filesize
273B

MD5
41847aa39a5c6a9ae4348af92fa56347

SHA1
f3a0d8640534a50b544ae0a32754abd4930206cc

SHA256
f9308d1edea429d422e2179ae8c9a23df0b2bae2363da53e95531990426e5afa

SHA512
42b4b4c9e565c99a13c4765d9c60c9c12ae343546594376e0bdede2645afa44846a091c05df7929f2a16d50be2f40e113122bf3054a668a1dce505ec6fd57d1c

Download Submit
memory/4532-0-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download
memory/4532-8-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/4532-2-0x00000000049E0000-0x0000000004A7C000-memory.dmp

Filesize
624KB

Download
memory/4532-1-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/4532-24-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/5004-25-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/5004-26-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/5004-27-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download
memory/5004-28-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/5004-30-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing