bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229

General

Target

bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe
Size

12KB
MD5

74ff2c2b59be172afecec7398b9ba9a5
SHA1

e176ae13fcefa2cbc68ba39099e756e4ab7fa0f1
SHA256

bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229
SHA512

4d64ec8954bf658c592927fd6039cf22ca16b5c8336deffba8b087390fe88ee3bf2b45c14f9a6490f742e371a81a1c7f5ad1a40b3c9478c6f01fa006e752bd5e
SSDEEP

384:XL7li/2zhq2DcEQvdQcJKLTp/NK9xaJA:bZMCQ9cJA

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe

Deletes itself 1 IoCs

pid	Process
1176	tmp4EFC.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1176	tmp4EFC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2276	1604	bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe	82
PID 1604 wrote to memory of 2276	1604	bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe	82
PID 1604 wrote to memory of 2276	1604	bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe	82
PID 2276 wrote to memory of 3592	2276	vbc.exe	84
PID 2276 wrote to memory of 3592	2276	vbc.exe	84
PID 2276 wrote to memory of 3592	2276	vbc.exe	84
PID 1604 wrote to memory of 1176	1604	bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe	85
PID 1604 wrote to memory of 1176	1604	bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe	85
PID 1604 wrote to memory of 1176	1604	bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe	85

C:\Users\Admin\AppData\Local\Temp\bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe
"C:\Users\Admin\AppData\Local\Temp\bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ildhuitq\ildhuitq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BC2F17F3C8E4388AEDA12CBC4DD27F.TMP"
    3⤵
    PID:3592
- C:\Users\Admin\AppData\Local\Temp\tmp4EFC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4EFC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\bfbee2118ac95820fa10aa30c113b60478d5efd64a6844ec43008368de57c229.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0da6623e576193254e58434a9edd0c6e

SHA1
b5dbdde35bb55f3eaaa16b23f9674e8119772212

SHA256
ee3e0e4c400bc1c6a4d5aae76e6d44b7b5ede8751d9a5d6203d3580bf3c374e3

SHA512
7cf4c77bb35583ca52c33a528a2e04da2956832577436bb99fb676f81dbc3e8bcd2dcdce2ee1874c569d407b82ec6a72f1e5b6c5ad17b4c37a50433726f9b778

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50A0.tmp

Filesize
1KB

MD5
6cef9b9b220442dbc3bd552a9531a249

SHA1
bdaaa3b34e54cd7e2d1bb5b893790fe1f939946e

SHA256
b8f441c493ca9c35f41ab3d6559c924006e70dab3a382a353ec33f0a948780b6

SHA512
1e689db6f38378956d199bfbf6955d0c3ce562d3191ed03bbb3adf59491aa6e8e7355ace08c2c7a86c4f3f55cf76a12b761587d8d906cd95f65dda7547246d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\ildhuitq\ildhuitq.0.vb

Filesize
2KB

MD5
feea7bf0777d825ff6f463417ffe3118

SHA1
13b416c2bcaf75f47a53bdd01ef2b5bed716536c

SHA256
349ed88a0cfdd7c5274f43c931c87c5cf6ed9fc9c032d660435155361ffebd5e

SHA512
420f2676b52c2a331ebc9f2fc3a761a0429f421970646e8c968cc9b94fc1558d4bf614f42278a317826fdc78b51647ce3b430e135879b5ee2da471831d46d5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ildhuitq\ildhuitq.cmdline

Filesize
273B

MD5
0fa1a7184c6025edf08244f03148ae6f

SHA1
4cc960e5d1c23471c0d869f6dafb49a4cbac7562

SHA256
b85f2c0286cbf3f4e80535ceb176b0152c75d162aab436cd8ded8831cf58054f

SHA512
50050938f55a145135c401ede02ce4f31a48dd71f3e151fa2927aa45f398e5e080ad22c7de71eb8c0228d61abd1d0ce6893dd61c57e50ca7322e316c30f001a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4EFC.tmp.exe

Filesize
12KB

MD5
6513ac66881beeaee74c04a43a120d84

SHA1
58214496fe373fa1bc6cef52b5ed1677003a4f7a

SHA256
5efb41b4ec89783abb2a8719512bfa30d6b9e7acc8cab914aa8c2ef6a8e92438

SHA512
1d228a0686a81a6f10185454c8507c680973c5ef71749dc3820570b085167d7b5eda9c561947214767dbaa252935fa71f1c38e539ed2694bc95a7837bd7d34ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2BC2F17F3C8E4388AEDA12CBC4DD27F.TMP

Filesize
1KB

MD5
52cda652700a7af14466b8a79cf4013e

SHA1
108f894a42be6ef29cfb73546123ef2138966931

SHA256
a65260fd42177bc781be1b87db026bfd450fbefff46ede3841913a630f3406d6

SHA512
23cb9f0d3c871826c9584caa6e418dc20e39b729f2ecd439315e1ff218ac9f8feaeeb4cd20f05c5783fe7cc9446f66a2f6955123c051d7b065396ec2bcb7fd47

Download Submit
memory/1176-24-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1176-26-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/1176-27-0x00000000055C0000-0x0000000005B64000-memory.dmp

Filesize
5.6MB

Download
memory/1176-28-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/1176-30-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1604-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/1604-8-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1604-2-0x0000000005420000-0x00000000054BC000-memory.dmp

Filesize
624KB

Download
memory/1604-1-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/1604-25-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing