e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa

General

Target

e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe
Size

12KB
MD5

a4008aecb4e9a193a845b630f1e94553
SHA1

a6f2007238faef17a71b531266256e0b41f594e6
SHA256

e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa
SHA512

0a882e08056993585963a71ec98ee6b7f2974e35c1dfa18293c758c0eefc49422557064792bfa8295ed41e1dd786705c1e62f59d166c7f33e9bfc42433549750
SSDEEP

384:gL7li/2zNq2DcEQvdhcJKLTp/NK9xaz6:+9M/Q9cz6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe

Deletes itself 1 IoCs

pid	Process
4820	tmp3B06.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4820	tmp3B06.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 1488	3036	e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe	84
PID 3036 wrote to memory of 1488	3036	e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe	84
PID 3036 wrote to memory of 1488	3036	e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe	84
PID 1488 wrote to memory of 208	1488	vbc.exe	86
PID 1488 wrote to memory of 208	1488	vbc.exe	86
PID 1488 wrote to memory of 208	1488	vbc.exe	86
PID 3036 wrote to memory of 4820	3036	e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe	87
PID 3036 wrote to memory of 4820	3036	e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe	87
PID 3036 wrote to memory of 4820	3036	e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe	87

C:\Users\Admin\AppData\Local\Temp\e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe
"C:\Users\Admin\AppData\Local\Temp\e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfoovtjm\tfoovtjm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C2E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36FFFEDD31814DA99729B2BD7DADF82B.TMP"
    3⤵
    PID:208
- C:\Users\Admin\AppData\Local\Temp\tmp3B06.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp3B06.tmp.exe" C:\Users\Admin\AppData\Local\Temp\e1a422410895777443f2e36a3c12ce96f5325b3d3c5deb83128c095d706108fa.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
83e08bdbb9c236adfa11565862dd321c

SHA1
9c99a106a62dd15163323ba1dacf7291490df63a

SHA256
aa673ddbadbae116dd14185ab91d85f83e1abc2e92952840dd7e3a20a0b9332e

SHA512
701b6b06071a9e72e246997a4a91473b57bca8128cca740e499af8533e97e3c15d90037a9d5c8d3f5cedc0463cc59ee132dc1a4c51729e31edf99616fdc8311a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C2E.tmp

Filesize
1KB

MD5
c08c115e4d659e11400a84d224834cb4

SHA1
a28c9b89427688c2e69f5a7508d0b88a124465a2

SHA256
72ddc859d7f2360b694bf759611f3bf4f63756a6a254b42e7f8ce4b53efd965f

SHA512
4088d638f15e151971fb51f8f54851374bf2d67d328d59ee72a0994a53570afb8967cf92b9cc7d7a0f44f318cb3190d4eceb5609ec12c27c85b2115f3e04cc49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfoovtjm\tfoovtjm.0.vb

Filesize
2KB

MD5
3adbfc381b68d59e8f4b3d2235477177

SHA1
92f097fb60a90b74bce2904b3d7d17e2ddade609

SHA256
b9fd3edeb43d2c1ac386ab7877cec212424b748dc8dfa8f34beb4aa1421f0f35

SHA512
978e158ec3faeac9f01ad3f5a0d90bba651617f91d74b933998ee9376da4587dfcf8dd2085475a6c8dc8a51e90d6fb81d6b49c4633fb2d4300237f5843467081

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfoovtjm\tfoovtjm.cmdline

Filesize
273B

MD5
3e1a0114ebeb8721d8d7569f16c8d5b0

SHA1
6094f33987cd2594f417ebb8674953f750422d36

SHA256
6a5ab8ae328a98b24e3e8abac1bc825408fd93a18cbef5a9d7fde913f385c0c9

SHA512
e6bb79754d26f49daf59e6f19c2336c84bef82498c549bb8b1172c18b99e135a1ca119bf9ac5c9bb20ad032a7ffe3d961903d0b39386488d3a4b80b603c88721

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B06.tmp.exe

Filesize
12KB

MD5
96dfa844796771aec6133ec43dd1563d

SHA1
c681fa4eb4ec54a572eff32cb73d94973195b4f1

SHA256
7ba91ee36d7d2a4720973923e398142f251936b3c70d764be48cb292aa0a47be

SHA512
79ec11a616318e2aad57669b2279113550812adcca6be364248c663a99f7ca11972d5371ce2d94812cc81a10275ee81a540dadbdabf52bbdd9fb1786653660b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc36FFFEDD31814DA99729B2BD7DADF82B.TMP

Filesize
1KB

MD5
c62be1694a5dd38f526620e93cfff46e

SHA1
d1f28184ad88e85e8357072a5f1d435ae50be072

SHA256
0792d3a656fa8f860deb9be0f721530fc0db4f3203e1a783dd7d439c7d0375a9

SHA512
8aaa6c17edde82ab400c0ab5736f7e1d27f01a3f4aa67a7aa53764ac1e34289c6760335a38111efced50772470755dff7a04008af8b29146bdd756eb2cd4414f

Download Submit
memory/3036-0-0x00000000751AE000-0x00000000751AF000-memory.dmp

Filesize
4KB

Download
memory/3036-8-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/3036-2-0x00000000050C0000-0x000000000515C000-memory.dmp

Filesize
624KB

Download
memory/3036-1-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download
memory/3036-24-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4820-26-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/4820-25-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4820-27-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/4820-28-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/4820-30-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing