4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43

General

Target

4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
Size

12KB
MD5

cc36e5481ade2f8aff59cc64e1712bb5
SHA1

248e59954c144e31e22b6127890a04710a134718
SHA256

4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43
SHA512

c9ee4281d1ea247fd53a3736f57a331abc894d6a9b2ef03464968a8c6950146a36dab3a87bfc32848bede3f7e81dc7bd4415c54cefdb506eb998a39f42536145
SSDEEP

384:hL7li/2zAq2DcEQvdQcJKLTp/NK9xaMi:BMMCQ9cMi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe

Deletes itself 1 IoCs

pid	Process
3004	tmp665C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3004	tmp665C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4404	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 4548	4404	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	87
PID 4404 wrote to memory of 4548	4404	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	87
PID 4404 wrote to memory of 4548	4404	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	87
PID 4548 wrote to memory of 3348	4548	vbc.exe	91
PID 4548 wrote to memory of 3348	4548	vbc.exe	91
PID 4548 wrote to memory of 3348	4548	vbc.exe	91
PID 4404 wrote to memory of 3004	4404	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	92
PID 4404 wrote to memory of 3004	4404	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	92
PID 4404 wrote to memory of 3004	4404	4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe	92

C:\Users\Admin\AppData\Local\Temp\4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
"C:\Users\Admin\AppData\Local\Temp\4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zipf1tpf\zipf1tpf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6755.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDEF1C887AC3F45AB83EAFC961B2B7224.TMP"
    3⤵
    PID:3348
- C:\Users\Admin\AppData\Local\Temp\tmp665C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp665C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4b7b2f69c69ab422c23f1f76acace7f5cd83861117d1cae56398d847145f1d43.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
412694357d0378583ff0fa3240ef882d

SHA1
29515d7c65eafe065ce93d5babdc4f7fd526a765

SHA256
74a4220415b4efe303b677c24529fb5f5e6a595d28bc4ed8e0075576bd7fe7ec

SHA512
43801314e4f7277bf78020881258ce9ae49897bdae5ad2278458d85df2bdeb7d93b7b9a737d7543877c0da14791b4e55eeb044d1c89d03a07ec167648ec1b024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6755.tmp

Filesize
1KB

MD5
e17afc80621de90692c7847fcfc90e04

SHA1
ffce056cc43100e2dbb5f8fd2ea3977fa4c654cc

SHA256
dd3cb59271585162c8bef99acc2a0effe18ef00b42210894316734ff34299387

SHA512
1d92abd6e98ea282dca0efc4f8db7593b2d6d38b68482f398fd66161e5a15fc9fe43303675fdfd825cb5a7be2b441597e730e5edab7f5724f5fc66ecd91ee134

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp665C.tmp.exe

Filesize
12KB

MD5
c741cd32aa79f0486766667c4d09bb06

SHA1
5ba41bc8ac29046c51b85b4dd5accf1821e5fe63

SHA256
8a32a49d4721f813551fba8445ec09ac6fdff9f0d73e6d1690db6a9c685980e5

SHA512
c8a0a093873403b8b237e523de89bd96a28a3982df39d58b498916b24e1d7555db85a5cf3cf9ab329ea93a82fbefd4a13c355417e9bf8f0c5f22c997de70c7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDEF1C887AC3F45AB83EAFC961B2B7224.TMP

Filesize
1KB

MD5
eb1c7ba5fdf9f94fcac7b3ec8d1c3195

SHA1
bf4b21229bad2db4d19e6e19f1e88b1ee0ba5ee4

SHA256
a200d053fbebb8de3fe7701da6d953ec1fbe77b90ee8d3600e67205b977901e3

SHA512
69196e8dc648a15dab1936e362ff26598cd2916d39acfa0e5e5ad8bec31137052c850dc88c102e102ed4ca95d5f15cdca6d48bd0c69a88b6430da15d68179fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipf1tpf\zipf1tpf.0.vb

Filesize
2KB

MD5
8be385bfae327e9ee08db75af8113b69

SHA1
cb9b8bbc97c1306ec46bca01c03d17cfc5faa70d

SHA256
5be2286ec892224c18e14f939c60a135e81ec7b3265bb18b461578929fa5a590

SHA512
4a2fc7e6026b2e26dc5e6ab55d4e21e971c80daba8d0cd4669ad1bcd061c568069b095ab7ed8058ff2997499faca5d13ac51df486f62140ae191d7394e842e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\zipf1tpf\zipf1tpf.cmdline

Filesize
273B

MD5
bfb2b6db81030780cc609513b5eb0bf5

SHA1
6c775d5a221ed775e22ddccfcc146f0921eb4375

SHA256
f9c23d2cb4bd38e5cff4e31d6d8a46e164b41cd7fc4b21d78b1f419580785b89

SHA512
cdb9bd3c0244177f0f054be9f317ebfd9166999052fbad67ffc3076fd27abbe03377457b2e8e8cc9b8d2e7cfb0f4d9acfe028cf1c846abd0311e4ae1e5e1128a

Download Submit
memory/3004-24-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/3004-26-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/3004-27-0x0000000005710000-0x0000000005CB4000-memory.dmp

Filesize
5.6MB

Download
memory/3004-28-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/3004-30-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/4404-0-0x00000000744AE000-0x00000000744AF000-memory.dmp

Filesize
4KB

Download
memory/4404-8-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/4404-2-0x0000000004D10000-0x0000000004DAC000-memory.dmp

Filesize
624KB

Download
memory/4404-1-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/4404-25-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing