13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac

General

Target

13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe
Size

12KB
MD5

8d806a6c56b408b2389be0f2c7782c49
SHA1

8aad5c187a611c68eda15db99c6865191971ecaa
SHA256

13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac
SHA512

d031664908ec158d61e475a4406c2954f46b1a6b724a773cae0e82d224acc1888d740ffb607cecbf6c12d63766217faa41acc05c419b5e8a7031ce426b60f162
SSDEEP

384:VL7li/2z1q2DcEQvdQcJKLTp/NK9xam6:1FMCQ9cm6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe

Deletes itself 1 IoCs

pid	Process
2924	tmp6AE0.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2924	tmp6AE0.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 2296	4872	13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe	88
PID 4872 wrote to memory of 2296	4872	13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe	88
PID 4872 wrote to memory of 2296	4872	13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe	88
PID 2296 wrote to memory of 4940	2296	vbc.exe	90
PID 2296 wrote to memory of 4940	2296	vbc.exe	90
PID 2296 wrote to memory of 4940	2296	vbc.exe	90
PID 4872 wrote to memory of 2924	4872	13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe	92
PID 4872 wrote to memory of 2924	4872	13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe	92
PID 4872 wrote to memory of 2924	4872	13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe	92

C:\Users\Admin\AppData\Local\Temp\13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe
"C:\Users\Admin\AppData\Local\Temp\13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\roantvt2\roantvt2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CB4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C0F8AA4DE174156B1B9E0349D707C5D.TMP"
    3⤵
    PID:4940
- C:\Users\Admin\AppData\Local\Temp\tmp6AE0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6AE0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\13f86f50bbeafa9a68ea8f85d3847f911698195115d65f7af4c2397953fbc1ac.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
aea665f61d26923bed7eb877b3f03d36

SHA1
e3d325a96b33130e0180ec697365ea2b88aad5c4

SHA256
d59da9e3a11e044ae1b7dc1c9c6555a578005ab0b0d381fedbcdca5daf6d4602

SHA512
806b867f6c5335463bc48707a6d477e2d331419934560e58eff202c5b3a459a77b41e74b9a393b711c696b81008fe3f6cc0192ec73e74005e23eb58ee5e0db11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6CB4.tmp

Filesize
1KB

MD5
7c0ebc478ee9beec6aae4a500bf6a701

SHA1
a436a6a4b8b415638503dd61f4492c865b8b19fe

SHA256
9cfe54e9db5bfbbb741687a5ec81ce9c8a32e4f46283284ad79918d401200941

SHA512
97d0bad26d1d09d773b7c968375046dc69bdccff95b655675bb240de5c87a5ebddd21ca32d2b32113a338de5b3ebbe194ee80a07cbe7d7db63d7281146a2d5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\roantvt2\roantvt2.0.vb

Filesize
2KB

MD5
71bda8d0c133758f1ec4a0c726932a9d

SHA1
82d80434046aa2ce8a5ec8604eefd40e436d8683

SHA256
a5229cc61fa427ceaa953706919f4710e39cda292e2ae90a499b3a5f60482800

SHA512
ed06a0f3ce0259505a0d1ea927b00585ed8e3b90e1938be9a07481fe7434adf10f7a236901f960e5ce92983f6c155265f80ad2464eaabedf97b64862399dceb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\roantvt2\roantvt2.cmdline

Filesize
273B

MD5
df6819210a6a540116af4c2d662c4ed2

SHA1
47253ee4e0dc55ebe97f5590fd0e843c6e44e146

SHA256
78b4deaacdc70895067226378836c372e6088b2e0b7c3ae1fd8a3843b5534913

SHA512
bbee4a7c5e0d36f4b2d6c40b4ebe295fdefc1ea4dec1404323e0fc67c2c9fe88dcc10ccf8baad7f715bf0dfe06d608c542b0dd99a473dc74c59a5a8f6a15c9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6AE0.tmp.exe

Filesize
12KB

MD5
307897ae32c6ce248fecbcc08c147dcb

SHA1
332cad4c4ebcda9ada776702df5cafaa5322889f

SHA256
1e32b7f74111e9c1b4587055a9d3d210f076d4bfb79eaa65df49d85ea61c5978

SHA512
2bb9e3d57bceb79ead64e65c4ba0dc3d5f7fd3425392f324212011d2a2fac0e35b8fa54f228c6cd6954bd27ef9310794941d4d98c8dd82443de2d5346b93c533

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6C0F8AA4DE174156B1B9E0349D707C5D.TMP

Filesize
1KB

MD5
c7340be4ba477c790eb2bf85342b8e76

SHA1
cc016f2a35a264d5d84149ab7add68444f2cd993

SHA256
ebed7a0e2d656349a601c1c68eca4438c595a8b925ac331cf08d3975e3489644

SHA512
92a87d2dccdf395a69a6930399d739ea50e94c9d64b604d7bc26fa24a1428acb96c87b32a209b44dd12f181b0f05004a0b89c4dc6129ec6f08d43b4459586242

Download Submit
memory/2924-25-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/2924-26-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/2924-27-0x0000000005A20000-0x0000000005FC4000-memory.dmp

Filesize
5.6MB

Download
memory/2924-28-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/2924-30-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/4872-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

Filesize
4KB

Download
memory/4872-8-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download
memory/4872-2-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/4872-1-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/4872-24-0x0000000074C80000-0x0000000075430000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing