2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a

General

Target

2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe
Size

12KB
MD5

656b3d1ca72bf5fc3e1d51051240fc42
SHA1

c5010299b52fe066a6b7b844c84ececaae404315
SHA256

2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a
SHA512

d76dece5c175e75382083bb9896b3da22c6e4d26dfa9b0a5fdeafc66eaa022cb680eb3a91e57fddc87774e773f3e2f443a2ee9d9816a97d20e1ae26dfceff1d9
SSDEEP

384:iL7li/2zNq2DcEQvdhcJKLTp/NK9xauH:8dM/Q9cuH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe

Deletes itself 1 IoCs

pid	Process
116	tmpEA2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
116	tmpEA2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 4352	1972	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	91
PID 1972 wrote to memory of 4352	1972	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	91
PID 1972 wrote to memory of 4352	1972	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	91
PID 4352 wrote to memory of 4232	4352	vbc.exe	93
PID 4352 wrote to memory of 4232	4352	vbc.exe	93
PID 4352 wrote to memory of 4232	4352	vbc.exe	93
PID 1972 wrote to memory of 116	1972	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	94
PID 1972 wrote to memory of 116	1972	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	94
PID 1972 wrote to memory of 116	1972	2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe	94

C:\Users\Admin\AppData\Local\Temp\2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe
"C:\Users\Admin\AppData\Local\Temp\2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mmwlymql\mmwlymql.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CF9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9035F5F8374C4CD381317A4DCC1726F.TMP"
    3⤵
    PID:4232
- C:\Users\Admin\AppData\Local\Temp\tmpEA2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpEA2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2d02a36a03813e99cc39da777cee525ed6575bd3594b00810b7e166c6582b07a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
12ee01b833e5229886bcf8b1ad91601d

SHA1
e0ebfa999acb262b2d1c9a9fb08ef700e71d69f7

SHA256
5fc09ff5738714ab00429d1e986fab49f408d379efbc476026466913620b1e48

SHA512
c330d25d53ece4f1879ba4059ecd614ee13aac00b58e1f903b382f88c23cdff39b3ec5ac5f6f446de33ffd0e0b00e96e0cfde931cecf0bd83286c291f55f6b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1CF9.tmp

Filesize
1KB

MD5
43ee9bd0b226f4cb84596f51253ab8e5

SHA1
8397f92c80ce172a1aa499d03a745fa55be46012

SHA256
3d9928ace1b71b50ec9a451a315cb992f05f117b003a27a5c7bbab6ab778fe9a

SHA512
c341bb2414742e112b4b05e89e508886f30e822eb3f48fb921fe4c41b2ef03b165a97781a7f201b93d4ae9d9253713e62fbeaf2fcdd772bcbe4d20fa5f33a4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmwlymql\mmwlymql.0.vb

Filesize
2KB

MD5
d174a8eb58206d03bf950fa8bac403ad

SHA1
d1eb09b2b08bba99fa8f88b1019b713bf2fd86d8

SHA256
962ecdb6d9b80856eb34465a258f73e12efba19c8f8a78137f96275333ac9f1e

SHA512
01f5bdb2b592e11b673d2cf15de573d3651407fcad5680abcd218933e73da76b82a93050050ff52dffd1db545e97de8e7679161f6516b6b49606483dbd5de6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\mmwlymql\mmwlymql.cmdline

Filesize
272B

MD5
1a345869c138402575fbdbc3c77a74e0

SHA1
4019be9ca30c92f24643fb337b7c1d7b55147e12

SHA256
8bd191e613245243ee7a3a687d0830ccbd654980ed2059bd07a79817c499e7fc

SHA512
6549af40cfd0bccf2b9c10717513679950343fae39ac6bb0ef95a405bcea51142602e1f48f2cbbaf39a52df19ac4f430cba35db9ec3da9b679d60286c6ae2760

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA2.tmp.exe

Filesize
12KB

MD5
5400d6cbc7d5780c5a8d49c68e188997

SHA1
114a7d9c2f52484b4a3f185699b8eea807ebf7a4

SHA256
e7e8e693389d50e931a797061b9173f87caecc879dab02591712bc36c1384e62

SHA512
66e8ce5edb15a715a2d6458e6a0d007244ac6e6289f2cc6e64ac69469fc328d32b3c2b35b173982fcb726116662dabe72e8657b6881407f0277334977d7a1039

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9035F5F8374C4CD381317A4DCC1726F.TMP

Filesize
1KB

MD5
eee6dc6d5c7651df7a5a0d8145e85fa5

SHA1
fb7cbcdd2571af540798aaf66fe88053b5d8a9d7

SHA256
773f36c8a2a74bba66b5ea5c1a497a3be9d5e6b380fabe527854ee4d6985842c

SHA512
f09e4ff7b38892a29787b893c9381a7831ce28b577634d02c4285d68944658729ecaebf701c52fbc78e79e3e366ad1196e5c8b42fad120393b6ba72debd47c81

Download Submit
memory/116-24-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/116-25-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/116-27-0x0000000004FE0000-0x0000000005584000-memory.dmp

Filesize
5.6MB

Download
memory/116-28-0x0000000004A30000-0x0000000004AC2000-memory.dmp

Filesize
584KB

Download
memory/116-30-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1972-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/1972-7-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1972-2-0x0000000004B80000-0x0000000004C1C000-memory.dmp

Filesize
624KB

Download
memory/1972-1-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/1972-26-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing