4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611

General

Target

4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe
Size

12KB
MD5

2db52f76306336a776675fe7f13bfa60
SHA1

bd750fb99e656f8a923c94af1331a335c9a728e7
SHA256

4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611
SHA512

daf795f8a574f6fc07280b37fb3914c871f0f8e382348a6eee89fe2a6e27db4c9ef6e7ec21d2f75dc27e6422553a2bf7d42c005e2854509a0c513358da1e530d
SSDEEP

384:2L7li/2zPq2DcEQvdQcJKLTp/NK9xawf:wbMCQ9cwf

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe

Deletes itself 1 IoCs

pid	Process
4912	tmp6EE7.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4912	tmp6EE7.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 3720	3776	4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe	87
PID 3776 wrote to memory of 3720	3776	4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe	87
PID 3776 wrote to memory of 3720	3776	4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe	87
PID 3720 wrote to memory of 1676	3720	vbc.exe	89
PID 3720 wrote to memory of 1676	3720	vbc.exe	89
PID 3720 wrote to memory of 1676	3720	vbc.exe	89
PID 3776 wrote to memory of 4912	3776	4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe	90
PID 3776 wrote to memory of 4912	3776	4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe	90
PID 3776 wrote to memory of 4912	3776	4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe	90

C:\Users\Admin\AppData\Local\Temp\4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe
"C:\Users\Admin\AppData\Local\Temp\4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wproo12l\wproo12l.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FE0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D36050D9E9243849C4E61C3C5B445B8.TMP"
    3⤵
    PID:1676
- C:\Users\Admin\AppData\Local\Temp\tmp6EE7.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6EE7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4565862b2c219fe3eb064435716b9bcab94c3bbc4cfa14acad7497c652609611.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f19f5ce9c87c70da42142ed0b679042b

SHA1
e45cc034e49bad4d5ab4c224136f91bd4e7e68f9

SHA256
f52ca886b0683401e9e64c379f0a951c615ed5feedecc7f92088b7d5e08cc139

SHA512
5e87d087a4d1c8591107c58d93d47ec79d3221622ca48011204259c020f1b08d61e799014f87f7cc218d0b5fd9cb5128da93d04ddd3f3c7d04ad9c695a743a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6FE0.tmp

Filesize
1KB

MD5
00f6b978d75b7574997637336c09320e

SHA1
7e763ed78392d8371b4bfecc216e40e21bb32b4d

SHA256
7d6ea58bbc9266491148cd1e04b4fdc499342ed119aaf5b9b21fe188b170612b

SHA512
692485874767531f294043231cb10dad772122c28c40f38dd960c31315f4bb8e462e4ef9abb1699a1d267748e136ccd39c7b81cb5635a9fcf213b1aaa2271212

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EE7.tmp.exe

Filesize
12KB

MD5
41201a8e35a701cfc5152041d9482c0a

SHA1
a0c20276ae3d116179a51051ef04f780a1f1fa57

SHA256
ccd19237e433bf0627ace5aad20c3dc74806ba5813f2921c7fc2b112714147c5

SHA512
8bce8fab1fc2d2a0a5be4d0f875ff2ca23250237ed46db19acea1357c76ce661cb7c22552ffb70a47cf83ece0df3efe3b88234a3e0e7e76ae4d569a81bfc7338

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2D36050D9E9243849C4E61C3C5B445B8.TMP

Filesize
1KB

MD5
7bcb93fa105510b9bb667746bb480774

SHA1
91d5986fb5b407b210de6c47d225cc839843a9a6

SHA256
a1fdaadcec61b6d980ff2f2c67a5f6dfa4885365962f20299188c40df532fd14

SHA512
e4afa9f76bb5cacd439d1015a76a8f65afaefb87bafc5d4bbbd37f25f3483978a0885ba6b3a9b6efd281d4ade0838935f5164685ee1c45d2c3077827008855ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\wproo12l\wproo12l.0.vb

Filesize
2KB

MD5
14cf0578bdd5ab16e00aa9431b9c6145

SHA1
aaf1a6a727cbece21ea6c278a76c06d9ec74a769

SHA256
2fa3f44b89dfa38717126180b73ae6a75cfd001b21dfb4b4e68caa0a366823ba

SHA512
6e639029e304ca696c5c168b8c770b1b2477b0b36f40925c01b8c2e91f6ccbd22ae0c412364f46a2c41b6f5cd9cf559732a695f188a1dfb3a6b358946dc4cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\wproo12l\wproo12l.cmdline

Filesize
273B

MD5
a99e44e57eba983ea0fe33cbc1bc46d6

SHA1
f54d1ae16ec319eae2c09d6795b4613c467fef1d

SHA256
20ba2ea4e8d1cc9e3bfb3e30ded6edea8e6bce8f667bf52a8a2e56d95e234380

SHA512
b63e426ace6aa734d77a8e14c48393f1fe20d774bb5cf2f7328e3495059cb063b776c50a2ffeeac5e1611281ee03dd3340aecba1fb15b0c8be1e59ba08667e68

Download Submit
memory/3776-0-0x000000007531E000-0x000000007531F000-memory.dmp

Filesize
4KB

Download
memory/3776-8-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/3776-2-0x00000000057A0000-0x000000000583C000-memory.dmp

Filesize
624KB

Download
memory/3776-1-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/3776-24-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4912-25-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/4912-26-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/4912-27-0x00000000051D0000-0x0000000005774000-memory.dmp

Filesize
5.6MB

Download
memory/4912-28-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/4912-30-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing