4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053

General

Target

4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe
Size

12KB
MD5

54883e45d53a58b61d9433e3c474ac2b
SHA1

21642e02c1e6ade9f80b50fad6bad3203c3297ec
SHA256

4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053
SHA512

1751ce15b1e7c303b4d75aa051bc61fd5e036e4f9bc586ef414120f0a69f71d2de812db455c0279944b6a3da5c99237c9ed2aed22ef88a1132c42900b05a14e7
SSDEEP

384:oL7li/2zpq2DcEQvdhcJKLTp/NK9xa2Y:WhM/Q9c2Y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe

Deletes itself 1 IoCs

pid	Process
3836	tmpF974.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3836	tmpF974.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 1332	936	4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe	95
PID 936 wrote to memory of 1332	936	4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe	95
PID 936 wrote to memory of 1332	936	4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe	95
PID 1332 wrote to memory of 4436	1332	vbc.exe	98
PID 1332 wrote to memory of 4436	1332	vbc.exe	98
PID 1332 wrote to memory of 4436	1332	vbc.exe	98
PID 936 wrote to memory of 3836	936	4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe	99
PID 936 wrote to memory of 3836	936	4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe	99
PID 936 wrote to memory of 3836	936	4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe	99

C:\Users\Admin\AppData\Local\Temp\4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe
"C:\Users\Admin\AppData\Local\Temp\4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wwwqril4\wwwqril4.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcECA9944B5BE14D2C8C6AFD8993F9EB4.TMP"
    3⤵
    PID:4436
- C:\Users\Admin\AppData\Local\Temp\tmpF974.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpF974.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4ca85cfcd4d90c64df76df106d3fbf54bf72b38ae4bd3a5b0844e115af343053.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
80e224e9e36acf69cec0166a3e77a12f

SHA1
4ef846ae63a6c853c9a7a826af0ec0c8272143fb

SHA256
30e509d72e2e55899230876d78ddabfb5e80b5d301e6462f351c62820ec197cb

SHA512
fca5c13e2a3e4bc126de58c61b8c2744d081766d7d08e05a7e50ba0fc1b4d26c4109b5635015b10ba504af972a2c45b8484cd89eee82e179d3ebc00145dfa8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB77.tmp

Filesize
1KB

MD5
4e149db2074bf150b23bb851406758b2

SHA1
b2528a10cf1781622a3d00fb59b9b565cdff7fd5

SHA256
06d6e516b02945626ca7057a0d2fe7c08d8b7a45354c097764acfc2b00a5a82a

SHA512
41c618dbec9e90038ad02ece86935078e20a5e94d5e3d7904ef48d027945c242e0d8f0010d1f046e9beac08b1c9c691edf0be95dc0a30de14375e9f4f32d8050

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF974.tmp.exe

Filesize
12KB

MD5
687e391297dfc6c22c3acf1a84c1abc7

SHA1
40f505588597c3c2c4309e38fa96272391d1570b

SHA256
fa0ceb3e539e0f74f1f32b9df1509b946b8633c4a3f815453ac6bf67dafe44b4

SHA512
24ef379593a61bf53115724e82e88cf0b0f6bdb5676db9b12e6a9be6c6592f4b79cbdbaaacc1959af0e7e56f21a035f55432ee7278e34aa4c342cb7fa4044bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcECA9944B5BE14D2C8C6AFD8993F9EB4.TMP

Filesize
1KB

MD5
1773f768f639d1b7ff99ac21fed80caa

SHA1
0d7c0c21d4f2ac31716ae4ed184ac55d5eda4e03

SHA256
67ccf4af8b2cd5303245a3e77bfc866be7c8882a0cea6c4b569542e6269aa93d

SHA512
dc6941e5c4c16344a019414a2c1490d734b3330655b473b80ac456be89016cb7caacd2d383378bdf0a0005103f879e253661ae33d9293bacfe6bd181a1409574

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwwqril4\wwwqril4.0.vb

Filesize
2KB

MD5
1be95625106c90e75ed71068d663f554

SHA1
131975158a391bf0945d94893cdbfae3b0048459

SHA256
dc25b196dbc799a2a22e4759066e23a5a52519bacb2a5eafa7f51f110a8ca7fb

SHA512
d5e6762ca3b36df8f727ce09538465d8ba013a1bdea9c0e6d89b027f5aa1393998b6e13adad42ff9009d187829575fd390786d21de5315c8118afb1823b3bca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwwqril4\wwwqril4.cmdline

Filesize
273B

MD5
103464e377092e7f9da29da6aea5866c

SHA1
68594c885617c6360c507e4e92f990d2c1f4d890

SHA256
3befb1f68d07f1f230c36a0119d571f869159953b4668f7f1938702a108470a0

SHA512
de1e1f17dc3e0cf9b3e40606b0c77b5420badcd5b4279a532102cb7e2e8f3c2a278c5aa0f0008c296b81c99bfb64b746b9fa20196ccf5b00593349ad45ff22e6

Download Submit
memory/936-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

Filesize
4KB

Download
memory/936-8-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/936-2-0x0000000004F00000-0x0000000004F9C000-memory.dmp

Filesize
624KB

Download
memory/936-1-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/936-24-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3836-25-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/3836-26-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/3836-27-0x0000000004FC0000-0x0000000005564000-memory.dmp

Filesize
5.6MB

Download
memory/3836-28-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/3836-30-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing