c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a

General

Target

c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe
Size

12KB
MD5

095954cfd117ed5067a0abdcd070a4cc
SHA1

c1443a42b640e4269f6d10f1c9e54128823482e0
SHA256

c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a
SHA512

c06800b9b67d1c1ddb3393dcb8602725380399449c897a7d1d5cb494959ef668a106d5efc86819afcfd15ea60841c8ea7a389193bc15019595f154fdf8def55c
SSDEEP

384:jL7li/2zUq2DcEQvdhcJKLTp/NK9xaUP:ngM/Q9cUP

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe

Deletes itself 1 IoCs

pid	Process
3896	tmp4E9E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3896	tmp4E9E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4524	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 2340	4524	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	86
PID 4524 wrote to memory of 2340	4524	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	86
PID 4524 wrote to memory of 2340	4524	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	86
PID 2340 wrote to memory of 2400	2340	vbc.exe	88
PID 2340 wrote to memory of 2400	2340	vbc.exe	88
PID 2340 wrote to memory of 2400	2340	vbc.exe	88
PID 4524 wrote to memory of 3896	4524	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	91
PID 4524 wrote to memory of 3896	4524	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	91
PID 4524 wrote to memory of 3896	4524	c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe	91

C:\Users\Admin\AppData\Local\Temp\c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe
"C:\Users\Admin\AppData\Local\Temp\c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tecu3kpr\tecu3kpr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc962B31A273194BB9A48144C13AB0732.TMP"
    3⤵
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\tmp4E9E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4E9E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c8f2c52a040c0404e4438714e3ad01687e7dfc455a0024971d70e4246d60bf2a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
d7fb4191a32eede76f60c1b3e82c150a

SHA1
bba17ca50ee2a0a320bb76027ac92e8af958b877

SHA256
1fa04646cc9bb82b13f1e2c3fdb3c09c3d7e160d913ba1c8735bd640b4fc47a1

SHA512
7995b7b5b865a1480e438bfc9a2f8afcd522c9a6c6de8ea7cd5f27dc0467b1dc3ded2b52a14f4d7dbb976c7d5a7f2f1b852e092bb051f9758a06803b8d2d4b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES50A0.tmp

Filesize
1KB

MD5
659d5d1073a34575031bf15f639ee9fc

SHA1
75774941fbcdf057fbec06c6a5c79e4ea2f60324

SHA256
277c0ce5e1bd0044b3044e5670c394a2d6416f15e3a7cd8b28d1697fda543b36

SHA512
0c7f573c60803739297fec3003aa2c50da6c2c7780136666150ac9f593551d2c7f94e4aa05916979cbfc138e77ddb7cbfa9c357694666f53a462eae1edb3ef79

Download Submit
C:\Users\Admin\AppData\Local\Temp\tecu3kpr\tecu3kpr.0.vb

Filesize
2KB

MD5
2dcda0483b2d557c485f7e169b1018b6

SHA1
5470d3dedbb0c616cb5dae17691a3391faaac054

SHA256
0cd000a488ba93730ecbf3d0a9be1a818ac20b1cad67d375c3045d99685a192b

SHA512
746fbf97b3bd528a78ee7b8cae761c910b3db48e60ab5b5b82a231700b4ec62bcaa1ffde685e43660578a7709ff83e5781207643d973afc7ed8b9c68be6bec93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tecu3kpr\tecu3kpr.cmdline

Filesize
273B

MD5
a8b2f776902c93f5b04ff164a857ff5e

SHA1
2202c75bcb622febd436536932ed72de08b42074

SHA256
4b1c16500964467c9b8903404ffe9b1e16cc5cc8f75763c18ba0ea46483ac35c

SHA512
c7f4f16d6b8c6be4f17ab42d7a1bdffc3473f5f59c3b48cb6f2d2c8c683adda93d69d4c238883c0cd9272d860f3898da59bfea2b44c14f00ea05887170fa5450

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E9E.tmp.exe

Filesize
12KB

MD5
d104068e8c107b9e2d6dc130beef570f

SHA1
58ccc49d00d8f53fee9893bcdbd0ae78aff7a29e

SHA256
77069a74f7b45d0adf3af8097565ccf06d8c1ce5e7edbc4375760a19abd720b0

SHA512
ad2ed48936116117fd44872fe566c01cc3b3297692249e9708c0bb1644cda37d0b6220e7f2419142d34a88fa5a038cece435029922e965694a997f6be2aca80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc962B31A273194BB9A48144C13AB0732.TMP

Filesize
1KB

MD5
9a122e1a4afb1a1dccc8f11740f14d07

SHA1
a480f6102dbd82ad6bed701e03dd62d2c23845c3

SHA256
76731f101555485e2dcadafed58d8bb9076dbe85b215cbbee1875f95c901231e

SHA512
0b1b7ea6d178953a0601ea1267858667b961010711fb5d7c7e9d60087cb7cb4472c9972de24dd17d1a7aa522e391d44c77b0091a85b5ba49510db8a0fc7bc725

Download Submit
memory/3896-24-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/3896-25-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/3896-27-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/3896-28-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/3896-30-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4524-0-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/4524-8-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4524-2-0x0000000004B40000-0x0000000004BDC000-memory.dmp

Filesize
624KB

Download
memory/4524-1-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/4524-26-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing