156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6

General

Target

156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe
Size

12KB
MD5

0f7455444721bf52547e4070f54b8445
SHA1

d7b7612e820d2c48b86bcc3527c2928357bf881e
SHA256

156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6
SHA512

da3283394e6eaeda375ca271f5b3b81822055e6bf2aa4737d87489f0af07efd368b33962b383e8134d3581ef868b9aa944a6d4e26a46a7609314c219f86ef366
SSDEEP

384:6L7li/2zfq2DcEQvdhcJKLTp/NK9xaW2r:krM/Q9c1r

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe

Deletes itself 1 IoCs

pid	Process
3160	tmp3980.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3160	tmp3980.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 668	1492	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	85
PID 1492 wrote to memory of 668	1492	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	85
PID 1492 wrote to memory of 668	1492	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	85
PID 668 wrote to memory of 768	668	vbc.exe	87
PID 668 wrote to memory of 768	668	vbc.exe	87
PID 668 wrote to memory of 768	668	vbc.exe	87
PID 1492 wrote to memory of 3160	1492	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	88
PID 1492 wrote to memory of 3160	1492	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	88
PID 1492 wrote to memory of 3160	1492	156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe	88

C:\Users\Admin\AppData\Local\Temp\156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe
"C:\Users\Admin\AppData\Local\Temp\156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hawxprl\5hawxprl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A59.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc66EF15AD745F4C81B3FA5B5A23A005B.TMP"
    3⤵
    PID:768
- C:\Users\Admin\AppData\Local\Temp\tmp3980.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3980.tmp.exe" C:\Users\Admin\AppData\Local\Temp\156414d5db138d063f8bad62a8c87a78619599a8ab1bf3cd6ecadc7ccd0d82c6.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5hawxprl\5hawxprl.0.vb

Filesize
2KB

MD5
9731b8d9e752d194f5353523287b36b5

SHA1
3a9615b7fe365d58acb7204726ec2255b1e57468

SHA256
9a70250c47675fc82ae38935e2b29932234e9ea3caf524d9917db7866587e6e8

SHA512
ff877b29d2dbffeea070fc40f6abc2946a8ca049d26d31b6c020aa48bc2c9477a918d56effce3be1920d664b6a1054e55784b4d56f462f5cafd6c4d9ff17b75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5hawxprl\5hawxprl.cmdline

Filesize
273B

MD5
9ca228cb58b93963d2b4892137df2d4a

SHA1
e87cd22316c5ee52d570c396d2c621778944a112

SHA256
75363d0191231b6a26578d71febb4e0fb122f23b3b6ca8ee36fd70df23403b25

SHA512
7c74a48c722a61d830e79d1c9b3b4bd91e009292cd01992558ce376e13bfbfa4d29bcacac7824e1fd9e588e02b7ad67f4918f2b1545704eda1e0d310baab443a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b1a6baa2ab93f6182489c587ad5b85f7

SHA1
899fbe461073fdb623d45617725f20634646e766

SHA256
f905f03a51f2a4a8946f75f43dbae8d2035a28a18ba57bc029218f98e8d59edb

SHA512
1cc94bfb08959566aae168c1334beb2062b282c8418690569f3044e49b57901f27e2b0d2e4b9dc8162a04dd10dba32ae5c22a8268101345810c07cf833791829

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3A59.tmp

Filesize
1KB

MD5
2c4576ad041f4b00a5da627db203e8fb

SHA1
09e52604322cf41a4a19fc7d25c9fdca1e1e8f1c

SHA256
8e81a9a1f97c02562f2a21ce7fe7c58570b76edb0b73d508a062452cabfd2239

SHA512
862cdbb23acb9adf08d7ee1db09c9175ac4e2be2a34237cd7871683bdf030e11d7abb45dbe341143e2a6c1246e7d0170990621806a3ff6f1ce86c1ef9d11946e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3980.tmp.exe

Filesize
12KB

MD5
7fa905dd0322b8a7ef7f1f53cdc9a6f8

SHA1
0447fd0ac825150391d048fe166c0fdcdbba2075

SHA256
80c1ae43436b174d9be26d6c7697ef0ac1c298910ea3266340aa160563b9c14e

SHA512
5382cacc43a468ac6d4f428913c4d14b2f2c05355a388bbe08a75495f49b2be5a2ba851be88e5b9b51836eb98f8986f293f29b7ea1ca55ef4465f53c1b8eb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc66EF15AD745F4C81B3FA5B5A23A005B.TMP

Filesize
1KB

MD5
4c237204b4e0cd4ee46af79948ef1f7e

SHA1
3c9b1aa0f191762a53855d7fad91943fe982b4f2

SHA256
2ae0c8c5c509f537fb7a598eb34756015bf34df66c3da74d211a32fc131f2998

SHA512
682bbfabdeeb519dadfad53a22d5630d0dd7631d8adf68338c1a1e9d41bf7fa72f8ddd4906301ab22052f79299a347e6e94a06d06681b7aa7fc026959bd0b745

Download Submit
memory/1492-8-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/1492-2-0x0000000005760000-0x00000000057FC000-memory.dmp

Filesize
624KB

Download
memory/1492-1-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

Filesize
40KB

Download
memory/1492-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/1492-24-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3160-25-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/3160-26-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3160-27-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/3160-28-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/3160-30-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing