63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844

General

Target

63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe
Size

12KB
MD5

2ef567d192c69c37dafe905cf10e1357
SHA1

c16b170c3c2fda87ffde1f810f368f06d531240b
SHA256

63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844
SHA512

3859862d466716a4e43a498e9f92075b1447a5accec52707202a1a3e3839fdcfa211ec96617356eb4936e83931d4f38a70edf90e30f471b44aae9fa95cf75da1
SSDEEP

384:wL7li/2zWq2DcEQvdhcJKLTp/NK9xauc:ueM/Q9cuc

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe

Deletes itself 1 IoCs

pid	Process
4976	tmpF33A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4976	tmpF33A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3792	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 3972	3792	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	94
PID 3792 wrote to memory of 3972	3792	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	94
PID 3792 wrote to memory of 3972	3792	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	94
PID 3972 wrote to memory of 2016	3972	vbc.exe	96
PID 3972 wrote to memory of 2016	3972	vbc.exe	96
PID 3972 wrote to memory of 2016	3972	vbc.exe	96
PID 3792 wrote to memory of 4976	3792	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	97
PID 3792 wrote to memory of 4976	3792	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	97
PID 3792 wrote to memory of 4976	3792	63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe	97

C:\Users\Admin\AppData\Local\Temp\63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe
"C:\Users\Admin\AppData\Local\Temp\63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ncgcfwaj\ncgcfwaj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF52D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA4E1916B3EB4DAE8C9A532635B0BB76.TMP"
    3⤵
    PID:2016
- C:\Users\Admin\AppData\Local\Temp\tmpF33A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF33A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\63202be28ddcb32b3d5d809445eb0686054fe7744c6b725e31c2c8e22be18844.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3608,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
2434bf0e8e4349e1e1b34a3347d81953

SHA1
85e021f0f6771c308c9a05bd9879d376155ec51b

SHA256
06f04e8fee749c0336b532a00efec2d1e2caa164561d2c021163b0fd503f9000

SHA512
c740a4e0473d0c207a7bcac3bea27171faf24c234781df437ce1c3fc67b71c1f64ee79287d223280fff01a1636e73997d7c8556c3d0cd3727fb5d6cd973010a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF52D.tmp

Filesize
1KB

MD5
6f4ae45ac80653b82d3e145fcecc6818

SHA1
52f3b5921e9863b0f99945d73cc8bf633751c9b1

SHA256
83bf6f7644454d908b0c199fa9bc8b65a79d8127b286ecfa85686ed14c3c14e3

SHA512
b8ca2863372a4c4ff9d1455cde1f5567ecd97302e0288bf07a8854122fb1d369cfb88b60198c94198baae9ac278928f3d5e5cc2dd8f4de40fa9396dfb259bf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncgcfwaj\ncgcfwaj.0.vb

Filesize
2KB

MD5
3fcd6330b09cc3c6062163bc1c77ecf9

SHA1
34d65a4de93918bb3e7944f5c71f94c0dc9a380d

SHA256
696d9d4df2aa013c7d91d593323fd1a8880e06a1c8782c553982e4747dcb8b54

SHA512
3b268dba8400234cdb205e03568c4962b8b7b7f33c6d356492ff03fb6d5ec034ccedd24761da213afce5b11752a810355c1594a51a9a01648555824abfcb448b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ncgcfwaj\ncgcfwaj.cmdline

Filesize
273B

MD5
581133c35bfd5fed2c42685d26ab35b8

SHA1
1aa75de65c69ee5a26093d720db013dbb501c652

SHA256
d374c0dc00b5bf354d2c27815b1222150f1c0568c350c1efdf22e51c468a9275

SHA512
07aede2de261f709d8d8d26d14c8b4a2ddcc9678dae5608c8c47f9e1e6623e98a73b923c0cd15e812c7c926bfa0518198c526edf1bd90809d048862e3ad126ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF33A.tmp.exe

Filesize
12KB

MD5
1fb0a19e6d708d9ededc7bba6c82cb55

SHA1
e07ea7396d9a2d6a939a468aabf76883b8d27880

SHA256
d8a84defda4f4edc1cc0b95dde925e6f3a586d74576e0c3ed7744df0ac23452e

SHA512
f952335128cd6e7eeb3b38728920204d2a960401bc77bf000bd771d08300bcb783d267320a8c85207c56c7010629f2a320befe2aee4bb5d8828126a7ce198322

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDA4E1916B3EB4DAE8C9A532635B0BB76.TMP

Filesize
1KB

MD5
9aa9459fa1fee42cbe070e63d23298a1

SHA1
4b842b62988a09dc8e3ef40c2d447f6066c5502b

SHA256
2cf0e05d64b881c25d022176736c120c207a52d70eae00c3e23e147b83adfebd

SHA512
d7afdb8053a6501823da62412ced47e040e77d63981fdb9dc306ab0cadfda2b10a4d3e777ec9be65bfd1e8189984971db96b4decc449b7addbf7b562f54daccf

Download Submit
memory/3792-0-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/3792-8-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/3792-2-0x0000000004E00000-0x0000000004E9C000-memory.dmp

Filesize
624KB

Download
memory/3792-1-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/3792-24-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-25-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4976-26-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/4976-27-0x00000000051C0000-0x0000000005764000-memory.dmp

Filesize
5.6MB

Download
memory/4976-28-0x0000000004CB0000-0x0000000004D42000-memory.dmp

Filesize
584KB

Download
memory/4976-30-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing