71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209

General

Target

71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe
Size

12KB
MD5

8bdc65b18b33c2d62df70016947269d6
SHA1

7af30ea0fe8faba4abacf1aecd5d436daf85f85d
SHA256

71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209
SHA512

d54d169523df047e611d0599570ad0a2320de1cdd82f43272d34902f674d03a56c10350cc5b0c9007bb0bb6aa50e8d964e61af584cff62222559f152447d829d
SSDEEP

384:YL7li/2zyq2DcEQvdhcJKLTp/NK9xaKK:mKM/Q9cKK

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe

Deletes itself 1 IoCs

pid	Process
3392	tmp494E.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3392	tmp494E.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 3192	1192	71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe	87
PID 1192 wrote to memory of 3192	1192	71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe	87
PID 1192 wrote to memory of 3192	1192	71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe	87
PID 3192 wrote to memory of 3400	3192	vbc.exe	89
PID 3192 wrote to memory of 3400	3192	vbc.exe	89
PID 3192 wrote to memory of 3400	3192	vbc.exe	89
PID 1192 wrote to memory of 3392	1192	71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe	90
PID 1192 wrote to memory of 3392	1192	71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe	90
PID 1192 wrote to memory of 3392	1192	71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe	90

C:\Users\Admin\AppData\Local\Temp\71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe
"C:\Users\Admin\AppData\Local\Temp\71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ibv0essg\ibv0essg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDAEF8212F3CD487BADF525B284F37931.TMP"
    3⤵
    PID:3400
- C:\Users\Admin\AppData\Local\Temp\tmp494E.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp494E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\71ad66da01b790a51cec29a12487f4f21c483e6fb47588a9b0fd5e7252d7d209.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b32c145bc23aa8d031f0ff368b74140a

SHA1
940f3f7b9e589f2072690775c3d5c8c4bb5997a1

SHA256
ada27b4197139aad46139190b2569f347cd2da600d1a7ed035237dd90f82271c

SHA512
30183f9e747e70efd21ff2272c04a33f654b6ae1d123703be8d726278ddeba6dad992972f129e9c3184bcb201e7f4c4604c578d6b42163d84bdb8302b60112e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B03.tmp

Filesize
1KB

MD5
2aed8a7aa69b70a718603f277a44ce3c

SHA1
fdab7336613605ce8665bb160356b39be497b5cf

SHA256
5230437eeac73a7c2e78063d05a041e185838dc51cd94ff3a42962b3ccca0862

SHA512
42f25f9c841b31795ff33aa4d2074184ca4cfc19fee9d10a71a1fdd23f3bfbc61911ea8a2d0d543dc1ce781848379e1c539fa62727cdcd054d4ef04970549909

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibv0essg\ibv0essg.0.vb

Filesize
2KB

MD5
e1fd69bcf7cbe295e40fbfaf09df0767

SHA1
21f658d90c5591f7f266a70689d0e7aca79cca19

SHA256
b0e695a6dfbae993a99e93a8bea8f90af0bf22e853d9ef08391526c0f7cd24f5

SHA512
919e27f3fdced7805e2848721ddd219e7ba69ece6b7de486d1972892bc20b8f560af4018a78addf72628e0c06c1d181f37c257101afae9c832add89b1799469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibv0essg\ibv0essg.cmdline

Filesize
273B

MD5
473c2a47959b81040ad9c6e1212d68fa

SHA1
7b7962c0901ed4d4e7536b972d221f8429419dde

SHA256
c8685295b398ade5292187c068e07cf3e80f8b3d0a18d7c01ce8b1668e3af161

SHA512
9ae26c75f8457e3fea2fab4c87315178f36d5b57a2fbe13eecdbc90a4506388a15740467abb94bc84e5e8cef4b6a0d4cde42a0178136264a0c004a1b629f2872

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp494E.tmp.exe

Filesize
12KB

MD5
8c8fb5f599d6130b1c9d8d4564342c83

SHA1
87277e45f1cb4912557cde743f9a37fd7c439d1a

SHA256
6564f537706fe0df858de6cb9397d13f20fd45b4a19a842307a5f031b4678371

SHA512
89f78f52805713db92221f9b0849ce18a44712795e238610c3c5558ea56178fe2e82e4f8dfee345a3b1d6a5b8962bcfa1610a24ef2aeca5fdd675e24d3a331b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDAEF8212F3CD487BADF525B284F37931.TMP

Filesize
1KB

MD5
b030c93d3eb3adbe068cbcfe5f07caa0

SHA1
56a3e5fbe88c8e93a6ba867f8527b1fd5279b20e

SHA256
a16794406cc0dc37352bc5af78dd7761f27c1a13fe4a1f6a2e8fb05320993034

SHA512
d09fbc5babbadde3050a2b19ebb9c5912be947971539ab94817b5652e14e98e16f5a6e605a99692605b2fe00a73e2aa6c7f33b2953a70ddd02989cdc29079eeb

Download Submit
memory/1192-0-0x000000007503E000-0x000000007503F000-memory.dmp

Filesize
4KB

Download
memory/1192-8-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/1192-2-0x0000000005220000-0x00000000052BC000-memory.dmp

Filesize
624KB

Download
memory/1192-1-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download
memory/1192-24-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/3392-25-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/3392-26-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/3392-27-0x00000000059D0000-0x0000000005F74000-memory.dmp

Filesize
5.6MB

Download
memory/3392-28-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/3392-30-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing