e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07

General

Target

e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe
Size

12KB
MD5

8a7c1e1475cad00573cf203438118820
SHA1

d67f8134e11d5e047be230004e3f25b6aa3c2315
SHA256

e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07
SHA512

c11802723730a9942c7e713ba678404c568f0f63e19adee312b37758388590f19732e4dbb68d239b30717dd7fb3ebc06a1ddea17b6d917e7a4ab584b4cf1221a
SSDEEP

384:+L7li/2z3q2DcEQvdQcJKLTp/NK9xaYy:oLMCQ9cYy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe

Deletes itself 1 IoCs

pid	Process
2980	tmp5768.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2980	tmp5768.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4892	3628	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	85
PID 3628 wrote to memory of 4892	3628	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	85
PID 3628 wrote to memory of 4892	3628	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	85
PID 4892 wrote to memory of 4776	4892	vbc.exe	88
PID 4892 wrote to memory of 4776	4892	vbc.exe	88
PID 4892 wrote to memory of 4776	4892	vbc.exe	88
PID 3628 wrote to memory of 2980	3628	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	89
PID 3628 wrote to memory of 2980	3628	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	89
PID 3628 wrote to memory of 2980	3628	e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe	89

C:\Users\Admin\AppData\Local\Temp\e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe
"C:\Users\Admin\AppData\Local\Temp\e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yb0nn01l\yb0nn01l.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES596A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc308DA624E902492B85695E3F80F350B0.TMP"
    3⤵
    PID:4776
- C:\Users\Admin\AppData\Local\Temp\tmp5768.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5768.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e9675f6fb29fb940c53a668fffd95c68bc7173550dbe9389ebe94f966eef4b07.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
aea665f61d26923bed7eb877b3f03d36

SHA1
e3d325a96b33130e0180ec697365ea2b88aad5c4

SHA256
d59da9e3a11e044ae1b7dc1c9c6555a578005ab0b0d381fedbcdca5daf6d4602

SHA512
806b867f6c5335463bc48707a6d477e2d331419934560e58eff202c5b3a459a77b41e74b9a393b711c696b81008fe3f6cc0192ec73e74005e23eb58ee5e0db11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES596A.tmp

Filesize
1KB

MD5
fe6b1821e4cae22804206e46577fb0d8

SHA1
8dbd15d84921a84202dcee28cdd16ee040e303d6

SHA256
bc1fa8deb80f9d80a5c0cce6e5834537be2306ea7f58d60a0e64ad4c42ad68b3

SHA512
77f043ca1fc3226dfc750b6264521037f550b1a77fc135e7ff848e3d28d10ed605ab95b1be6603de636ec010c3a8e03a5ba46fe66348e927f3da45aed9a05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5768.tmp.exe

Filesize
12KB

MD5
4dce2709046823749df24972a22363db

SHA1
a851051beef92bcc926e98d69cb081efc6c7527c

SHA256
0d8359709f1a4100786bb04701944ac48bb12eddf1a184165918095c8ecb96cc

SHA512
24c665bbe2e7e47262e966b9264c688fb1827a53fb4ccb71c2ce8ed1f3ce79d4608d6c9ed4c05f2dd11c72fb541580ac3351c26c98f7becfc5032f1b771ed85e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc308DA624E902492B85695E3F80F350B0.TMP

Filesize
1KB

MD5
8d61c08795b15a428f27166b9ed5d1b4

SHA1
0f52b3827bb953569aab02b064eede12ac6a0c4d

SHA256
b1f13e49ab49b81a897d2f761a3f1f5baafe39f1eea3892c39e3e2b38406dd75

SHA512
b6034a2aac00508637fd85a3ac215218b194627bc33771fe46c582abf9a66391ddfc38cac455b1182c183e0bd23552de42dc1ab231a00171f3e4c44046dca845

Download Submit
C:\Users\Admin\AppData\Local\Temp\yb0nn01l\yb0nn01l.0.vb

Filesize
2KB

MD5
71bda8d0c133758f1ec4a0c726932a9d

SHA1
82d80434046aa2ce8a5ec8604eefd40e436d8683

SHA256
a5229cc61fa427ceaa953706919f4710e39cda292e2ae90a499b3a5f60482800

SHA512
ed06a0f3ce0259505a0d1ea927b00585ed8e3b90e1938be9a07481fe7434adf10f7a236901f960e5ce92983f6c155265f80ad2464eaabedf97b64862399dceb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yb0nn01l\yb0nn01l.cmdline

Filesize
273B

MD5
49965b0c181e6606deefd76d8f59b989

SHA1
ccd4688581ef29addc6d4448d0ad00860f355600

SHA256
c99df3ae70dc413b02b8dc1c69e02cee2e22779435ac70ebfb85f46b0d5100aa

SHA512
0b5aef9e3f3a8b59272c101534fafb754f32248abf0ceb4b1a1cb48172c721c3e7d9ecb038e821cecba8101b6c3223a63e084fab236d3231950a7f367ceb811a

Download Submit
memory/2980-25-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/2980-26-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/2980-27-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/2980-28-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/2980-30-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3628-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/3628-8-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3628-2-0x00000000058E0000-0x000000000597C000-memory.dmp

Filesize
624KB

Download
memory/3628-1-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/3628-24-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing