1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44

General

Target

1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
Size

12KB
MD5

c078a412683a55a2fabfe7351daf5aef
SHA1

d5b864368e318aab0740e41384c82e37b5fc398c
SHA256

1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44
SHA512

7a0e29f72dab53f626a9feec6dc1474dc2225dde59d3c41fcd55ce9f07804ee0e18fc6cf366c54639a337fde78ed24aadf84fb5f780a70ef3bc81d5f1a09f664
SSDEEP

384:eL7li/2zbq2DcEQvdQcJKLTp/NK9xahW:IfMCQ9chW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe

Deletes itself 1 IoCs

pid	Process
2600	tmp40B3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	tmp40B3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2568	2692	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	86
PID 2692 wrote to memory of 2568	2692	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	86
PID 2692 wrote to memory of 2568	2692	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	86
PID 2568 wrote to memory of 4536	2568	vbc.exe	88
PID 2568 wrote to memory of 4536	2568	vbc.exe	88
PID 2568 wrote to memory of 4536	2568	vbc.exe	88
PID 2692 wrote to memory of 2600	2692	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	89
PID 2692 wrote to memory of 2600	2692	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	89
PID 2692 wrote to memory of 2600	2692	1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe	89

C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
"C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zjb0zwnj\zjb0zwnj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4287.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc73662B1D9B1A41C481B16326464D85CF.TMP"
    3⤵
    PID:4536
- C:\Users\Admin\AppData\Local\Temp\tmp40B3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp40B3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1fdff171ee161b518dce33426cbab9034bf48bcca8563d16e8ef923d589bbb44.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6ea4ffc9fe40b7fedd371a15b1763d9a

SHA1
760b93056e4ab3da2b0aff418f4fd337d614a30a

SHA256
1ca94f18a1bfe87b627d7b152c6976ba4bcac855661e8fb84b2a9e3a7924355e

SHA512
1e643e852abbf4f1fa5c41ceec1e998d449974213c9777a50a855c2f071ee8627dad0c94fefe8ab64b00bd8ec849ff1b2b3b3002026b5dea1014e74d62e41ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4287.tmp

Filesize
1KB

MD5
f28b41514fc02ae1634e14590865d8ab

SHA1
b70260400fce8cdd332697a50a1b491553450496

SHA256
10f266bfb499277e66d94389889dec3ad4a0589f92cbb24ac52b2a048604fb14

SHA512
c6e69c0434d7998ea4386d91460164df5b11c1fa3b159dee88eddc7e6f20141e279e1000a70d2567033f338cd19803b9f92b7b9b14c2eda6a985c6761337a2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40B3.tmp.exe

Filesize
12KB

MD5
244f1dd11b8b6483e005b27cd3da6102

SHA1
78c05e351f2e421bc190be0a377f54178ddcdffe

SHA256
a6e7ff234789e4558c39a7d639f8bf89544b28a951e1be8875e0f09735b02545

SHA512
ccd2f5e00bae1a744a24f32ccd007d251191826656ff0f718285c7218695ed08dc1ef2becfb4c44732c19d4e266202e03fb03ee8f171cb6c61c1a70ebdffcb9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc73662B1D9B1A41C481B16326464D85CF.TMP

Filesize
1KB

MD5
0b4b9feaec5b7fa993cc52b4127aed07

SHA1
e4fe300032e41d3bd0fec92f1b5199ea1e13c969

SHA256
2c1495b325af839eab946e00551cfc85b2ef8ecb6d605335925757ce8c390f9e

SHA512
b633df282236e55eb00ff5d4345226d10058d88361ad0ae12dec293ef838ad3a8d654bd024b5685d489adfdbe2c78ee47fbb7a81f7d90599732daef98d98c00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjb0zwnj\zjb0zwnj.0.vb

Filesize
2KB

MD5
96d85ba62108788298fcfbfc728e057f

SHA1
04b8419644a37635904aa173ca519b1e186bf30c

SHA256
fe5a73148c28ddb0e5fa812df006dc2c940463855c7680672d95c1db4c5a068e

SHA512
decdedad91986f966885651f7d4443a72e800c0b0a17fb7fbf938adf807274ef6687c6c68cf3d90c375c8172ecff6621803cfaadbfe87d144ec1ee2f3d5d6e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjb0zwnj\zjb0zwnj.cmdline

Filesize
273B

MD5
264ad1226acbc87bf0849830ee33ad9e

SHA1
09d4cc403e4e2f0a52d5aadff0ca018e921fe5a1

SHA256
3655dd855245e74a04a166decbbed0fa8b1d459123b13f0105a5cdc3df89a634

SHA512
1337d38b28e6e9756387644599bafce9912fda0728fc5c76383e316c89f261b7e59a44653336d018f9c520756b849d2795fcc7619b8808a866e9c15ccb6153d2

Download Submit
memory/2600-25-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/2600-26-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/2600-27-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/2600-28-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/2600-30-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/2692-0-0x00000000750BE000-0x00000000750BF000-memory.dmp

Filesize
4KB

Download
memory/2692-8-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/2692-2-0x0000000005780000-0x000000000581C000-memory.dmp

Filesize
624KB

Download
memory/2692-1-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/2692-24-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing