8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70

General

Target

8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe
Size

12KB
MD5

3450ad8fbb0b469b1d077fcfd7c8dee1
SHA1

ddaf0b2c604c7b920355a47e64fd55890ab569fb
SHA256

8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70
SHA512

9e54ddb10928f424c6ec72675e8724fb18cbd4f232f2bf49784049a21d2f4e653557b9dec8579713fd2fd7c34025a7832511be85ee31774c46af138560fad86c
SSDEEP

384:JL7li/2zlq2DcEQvdhcJKLTp/NK9xaT9:5lM/Q9cT9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe

Deletes itself 1 IoCs

pid	Process
4516	tmp5564.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	tmp5564.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 4024	964	8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe	85
PID 964 wrote to memory of 4024	964	8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe	85
PID 964 wrote to memory of 4024	964	8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe	85
PID 4024 wrote to memory of 3028	4024	vbc.exe	87
PID 4024 wrote to memory of 3028	4024	vbc.exe	87
PID 4024 wrote to memory of 3028	4024	vbc.exe	87
PID 964 wrote to memory of 4516	964	8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe	88
PID 964 wrote to memory of 4516	964	8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe	88
PID 964 wrote to memory of 4516	964	8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe	88

C:\Users\Admin\AppData\Local\Temp\8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe
"C:\Users\Admin\AppData\Local\Temp\8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z4ismk1r\z4ismk1r.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5719.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D51F605553A4E978176D31C667BD657.TMP"
    3⤵
    PID:3028
- C:\Users\Admin\AppData\Local\Temp\tmp5564.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5564.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8b5e1a8a099ef3b700a4af6e1084cd288596fb06dfe8c8e06cf1984aace7da70.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ac8b851ef8b0ec7664bd387faea83373

SHA1
38fdd49b7cc1afe9429ff078ffbd38feadf16063

SHA256
2e2fc845a35b69e0166a155f885c30a98fe21b05d3d543b2fb1a3ba7830d4a9e

SHA512
4c7eb282db3c387e1001ba542d4c38c92bb9260470db8497126e62e24b39c0c362feba7865ff64494e093391b8e0528d14ac93b021e60910508d591032ec7623

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5719.tmp

Filesize
1KB

MD5
3790d3680a0f031f2c13678f53cc4f31

SHA1
812ad0b6bd31f95dba98224f7841d1951a3405a3

SHA256
d60f22e4c3e936cb42e142b1b3b83acb4d228694375d96c8bc5c6776e777f5aa

SHA512
31356f1d3fce0bd90883fbcf4b102217c35d2e832be1e875bc01d4005f4dca6a7163ef4b6f8ebedb80bfef49e5a97c54c2f1248270cd0f245fedb2407b32462b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5564.tmp.exe

Filesize
12KB

MD5
83cdddb713c33c6dc41bde6301732e51

SHA1
2d7a87410786cc9e30209c9529c45d67e01d22ac

SHA256
6ae462226e824dc81ed76d7c9b7ac11dc8aaf1b1510bbb347df3c5bdc2b26051

SHA512
ed7e3f31d4c80794612caa70d4ec05b8e58884967eed58efece021723ab8792512bc774a537c71edd7d75626a8bab0d5ea819941c85be13b66bcefccd93428a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6D51F605553A4E978176D31C667BD657.TMP

Filesize
1KB

MD5
4aa81b34da760ca0b9ee3713d0eccfef

SHA1
56dcd118573d5436bcf9098a9802ded8198b528b

SHA256
cf4bf0ed7f9d2a081b5ba54d90237e0a0b83cf40798c85becf987308fc756bca

SHA512
331e290ed0948ffc34f01f697b382ee22409654984221785379fbe1bd1e5a6a4a7e4247d7c2860a408e4fd48cb3a1c44cafed4be985b508f33baacf2b0a61384

Download Submit
C:\Users\Admin\AppData\Local\Temp\z4ismk1r\z4ismk1r.0.vb

Filesize
2KB

MD5
a5442b9c08165666a1cf8ee3790ad0a2

SHA1
c33cfa1b97e6f0f21455882f73ecb38d9318a246

SHA256
dfa24b613b574698345085cbc65a0651268fb625cadeedc26cabff59da5f21b1

SHA512
5a092ac08c212a8dd46a8ec7ff03ee855f80c1522595d0c5aa4a69f0b8b1d20059eaf578dc09ee7157bc5f604aec0b557d4fad8d5e14fbc9f8af10952fe3873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\z4ismk1r\z4ismk1r.cmdline

Filesize
273B

MD5
ea01932bdfabe8082ece4d079b2e4980

SHA1
5c6074abe565cb48bfc0f3ecdbff96e24f288b55

SHA256
f613b27caa3053ccd67889675a442001f0f393964707deebd16ac43802cb1021

SHA512
0b0723ee3efa54b8f9b7bca35bfda76287acb43000162826f33e8fc7a57ce54fd8ad4922ed62f38ad1efdedee632e4d34cbe4dfa39164c39a8bb99199cee132d

Download Submit
memory/964-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/964-8-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/964-2-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/964-1-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download
memory/964-26-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/4516-24-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/4516-25-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/4516-27-0x00000000052F0000-0x0000000005894000-memory.dmp

Filesize
5.6MB

Download
memory/4516-28-0x0000000004DE0000-0x0000000004E72000-memory.dmp

Filesize
584KB

Download
memory/4516-30-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing