65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43

General

Target

65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe
Size

12KB
MD5

7946be592d90494e6003db683daedac5
SHA1

48155f2b1746f0153659437ce307ad47fdd405a7
SHA256

65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43
SHA512

b91b8bfa66f5c7f2c20b1a3f7884233e3e170840814430b23cf6352a4d14b029fe35aaef551b340e6b786f9e80761c7895159ced8cb02e10f52c4f6fd44df421
SSDEEP

384:xL7li/2zHq2DcEQvdQcJKLTp/NK9xaDk:xDMCQ9cDk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe

Deletes itself 1 IoCs

pid	Process
2296	tmp13A3.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	tmp13A3.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3980	2332	65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe	92
PID 2332 wrote to memory of 3980	2332	65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe	92
PID 2332 wrote to memory of 3980	2332	65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe	92
PID 3980 wrote to memory of 3224	3980	vbc.exe	94
PID 3980 wrote to memory of 3224	3980	vbc.exe	94
PID 3980 wrote to memory of 3224	3980	vbc.exe	94
PID 2332 wrote to memory of 2296	2332	65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe	95
PID 2332 wrote to memory of 2296	2332	65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe	95
PID 2332 wrote to memory of 2296	2332	65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe	95

C:\Users\Admin\AppData\Local\Temp\65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe
"C:\Users\Admin\AppData\Local\Temp\65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fast5mr0\fast5mr0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1930.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F88D3FA7644C02A098F28615ACCDBA.TMP"
    3⤵
    PID:3224
- C:\Users\Admin\AppData\Local\Temp\tmp13A3.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp13A3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\65ddaf39d5c7858ff5128944ba75642fe147fb63c27ef5b40b08ebc06a5cda43.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
4ac394bb56ccd8dd1d8812c736fa0b84

SHA1
36e8ba8fa1aa414e52625bda22d972389fcfae01

SHA256
8d02e7aa1436aa53bc7800df1d77a2ea97b24886b8ee5ef00cb6acd22227e85d

SHA512
c120fdc3a962a9be93c9599c743521fcc373fed0ec477a3d9d74b7bac722ae2d9a6aa7a726f24b859475f8afdb9fc900438fb486b30cadbd96bb21b01bfd2dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1930.tmp

Filesize
1KB

MD5
64207692b9b12971ceee365e16385057

SHA1
8e05392a7c726c674934477c8956cb2ce227b037

SHA256
ecec02f56536aad8d56bf59b0e790f642e528d080b6e08be34d29a87353f816a

SHA512
d75ed50c9000c2a5d2548ed60260be981ddaa5b66337eb4049394f1ac4ea100b7edb16a4a93bfbc6184f1458bac0060bd8cdd0b7821bf2a15a0756ad4675893f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fast5mr0\fast5mr0.0.vb

Filesize
2KB

MD5
11492d1638026df516a09e9c0ef2271f

SHA1
daf6717d6eac8cb9527733e64b4196134c79c924

SHA256
278df097375761b5c5c6cbb81e0c5d2bd1d66cc810ec98096ba86a65683005bf

SHA512
1f877cf7d2507b0c5ee7cb790699215d7b7d3a1a9582812a35e95db422baac17e2199c153aecaae48266ed9974b773a73e366bdf059c2271d5e7a3f0c5539e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\fast5mr0\fast5mr0.cmdline

Filesize
273B

MD5
a51777fa7b08400a0e0b11b1459988c2

SHA1
d18f9da93f3b8e6d3b65a790f50bc2fa4ee0ccc2

SHA256
29adec0eca0d36fab624e78175f9edc23e968d5b352ba19357bb5ebade7c89fc

SHA512
03d2faad9165d32cb51cb9bf18f473423add2dfe3b25df52c5bde45d3cc0dbcb897dc48fb469ab51134e934f6788526736b39dc79e37798394b20c18c857ce56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13A3.tmp.exe

Filesize
12KB

MD5
91389d55d756d99db0acc8d2e3dfdbe7

SHA1
16d34e528194d447bdeb3e0e9a1269fbb521b8cf

SHA256
b3c7a858f7a254472f42221edd49542281d8850cbdb4318a4faede80d640c789

SHA512
4a8683df318cc1384d53e94a2a54ebfe1ada9a374ec7dc61902eed3318b42e720bd70e00638510b4d7ef96aabcf7629160af65c46533db0996e171fef0e37ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8F88D3FA7644C02A098F28615ACCDBA.TMP

Filesize
1KB

MD5
021cc3695cd4757689f2d9cdac399188

SHA1
cebcb87cbc6a61cbb3fe46d119ba6df54a51439e

SHA256
bded2d57e555600f2e63940bdf691ddce8c460b633bcaf05da2433ef747f0bd6

SHA512
d9379e00e4b26eddf49437a8ab962dcddb504c1da7f2ad34fc57456e90ff72f497d0090775fe60a4a09e7aa40f343217e4ce57f77caa20ceefcf48e6e799f755

Download Submit
memory/2296-24-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/2296-25-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2296-27-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download
memory/2296-28-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/2296-30-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2332-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/2332-7-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2332-2-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/2332-1-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/2332-26-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing