7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e

General

Target

7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe
Size

12KB
MD5

89556e58c72182d7e7390a94c5380550
SHA1

e22d6a1daf4cea4fac7c4c47ec623f2ff339af5d
SHA256

7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e
SHA512

7072a1f20e3d2b09c6e66a7837b27f3e6394552a86feef5c9f5df2ceff11ef7925e1f243dd343ed6fe39f7829e5acb8b4eb1fae30ce1dbc96d5a86a90f91d74e
SSDEEP

384:TL7li/2zX8q2DcEQvdhcJKLTp/NK9xa+S:3r8M/Q9c+S

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe

Deletes itself 1 IoCs

pid	Process
2992	tmp43FF.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	tmp43FF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 1660	2144	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	82
PID 2144 wrote to memory of 1660	2144	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	82
PID 2144 wrote to memory of 1660	2144	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	82
PID 1660 wrote to memory of 384	1660	vbc.exe	84
PID 1660 wrote to memory of 384	1660	vbc.exe	84
PID 1660 wrote to memory of 384	1660	vbc.exe	84
PID 2144 wrote to memory of 2992	2144	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	85
PID 2144 wrote to memory of 2992	2144	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	85
PID 2144 wrote to memory of 2992	2144	7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe	85

C:\Users\Admin\AppData\Local\Temp\7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe
"C:\Users\Admin\AppData\Local\Temp\7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b4i3caui\b4i3caui.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4565.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc580C0360B1E34793BD40E3B623EC6261.TMP"
    3⤵
    PID:384
- C:\Users\Admin\AppData\Local\Temp\tmp43FF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp43FF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7647040612db83d65d7b0106b59acfaa7e00dda1fa77698d19f0b6b8ec5afe4e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
53dcdc0a14c02f29a05c57323c2f2755

SHA1
3dccc5c93c7e6310866a33ae0d28b1198e70d687

SHA256
07fa46bf66eca5dd74bf38258eb8ab42d7c01375498c689f43fb18b8d6d8489a

SHA512
9f3129b8e995567ed66771e249affcf3242b0e81121d87adee4c5eb4da765d1bfd6ed6b5dda6004e4a35eaec61ead5d3007b95dad39658ca12a481a720d47334

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4565.tmp

Filesize
1KB

MD5
3feed351f85d963fb3bb7cc15d748325

SHA1
75a71aaf4451480681e09e647b84c01b2e1010d4

SHA256
fab5324bbc9c36a6e02e4d090fb85ddbd827959b65f83432f1b7f2020cf567af

SHA512
93edb2390d0500ea1d954442ac92bd6702bbd694e1a795cc8dbe2af311758486bad277fcc7d7ec94f95323a7ad8fe7bccbaaa1f942e7b5a2bfdd38a1aac48065

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4i3caui\b4i3caui.0.vb

Filesize
2KB

MD5
099b3a7ea303642ffb9fb0defc538aca

SHA1
cae97fcb9b88b91c3aa583ed26fad39dceec6e12

SHA256
4ece797c0b62e46795bd1630a75eca129dab9348a6156bea1cecfd33f43d5a83

SHA512
9f5c0d485fc533c9ae346dc2b37fca658615e0aaf6e0c0b2675b98a901f0055a33e14a27b9f76cc3aaaf460e74ff3f2958538cb860b2c56b73f8d8e7f3f964fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4i3caui\b4i3caui.cmdline

Filesize
273B

MD5
905763222fb292daa37b62841fc5441c

SHA1
5434ff3e0a379228de5a6958fa4bcdc10d2432e4

SHA256
45e3ac6bce2de266dd91a5b0cbf6f0c09eb3be5fedeb6ecbf96198848a3712b7

SHA512
507bf9f50f2365b7f8ac59c4e5db21f6bb8f9a8f49078d1045efce50b0f6e379a364c490ae78842ebc2c54ded12504cd243e33cae92167c9b50857fcba1f82aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43FF.tmp.exe

Filesize
12KB

MD5
4c19ad7ab2350dca4c18498b2d897b2b

SHA1
86c87d6cddbc14a531604e01f39e8bdacb4dcefe

SHA256
89cba3e30d1fbbee512615a2993366e463513063bbe2358df688280123cb91a5

SHA512
e8082fbcb41fd51dbe14d8872becbb72cb085dd216115ed17076a14aed1676c9834d54b65c1728c808b6d5d29840bcce13ff8dc0a3166fbbd8243d728a0483af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc580C0360B1E34793BD40E3B623EC6261.TMP

Filesize
1KB

MD5
185530bfa1d0c54c4d08a5ec838f7878

SHA1
04a2b4016d70b380c4c70863bd9f8500ce177622

SHA256
e866519d6062c969ea55e7fb2b975aab99c363de0bb93fd3682f45867a3e31dd

SHA512
7092bbb00417f833fcca2e0baf41070889bf1f5973f727fa53b7f36c887c625b078a7475f7d76bfdb79052919c0af4635e385277a304fc81a5fdf2c857331be8

Download Submit
memory/2144-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/2144-8-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2144-2-0x00000000055A0000-0x000000000563C000-memory.dmp

Filesize
624KB

Download
memory/2144-1-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2144-25-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2992-26-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/2992-24-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2992-27-0x0000000005410000-0x00000000059B4000-memory.dmp

Filesize
5.6MB

Download
memory/2992-28-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/2992-30-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing