69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248

General

Target

69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe
Size

12KB
MD5

8ab9b1e9df94436a1f1b4ffab326fbc4
SHA1

df6c481d09c93087fafab9e303c21242cb0b1a1e
SHA256

69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248
SHA512

d47f8ef31d2909004bab554be3f43a9e9631108f1284bd9502222770afc0e52abc2c1c3ec3a815de161f5e29c8e908ae4cacccd2b16730c12f79bfe2f004e61c
SSDEEP

384:UL7li/2z6q2DcEQvdhcJKLTp/NK9xadQ:CyM/Q9cdQ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe

Deletes itself 1 IoCs

pid	Process
4032	tmp4BBF.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4032	tmp4BBF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 1596	3588	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	87
PID 3588 wrote to memory of 1596	3588	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	87
PID 3588 wrote to memory of 1596	3588	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	87
PID 1596 wrote to memory of 2708	1596	vbc.exe	89
PID 1596 wrote to memory of 2708	1596	vbc.exe	89
PID 1596 wrote to memory of 2708	1596	vbc.exe	89
PID 3588 wrote to memory of 4032	3588	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	90
PID 3588 wrote to memory of 4032	3588	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	90
PID 3588 wrote to memory of 4032	3588	69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe	90

C:\Users\Admin\AppData\Local\Temp\69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe
"C:\Users\Admin\AppData\Local\Temp\69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1ai211n5\1ai211n5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3F88F722C1C43D3852FDBAC54F84B16.TMP"
    3⤵
    PID:2708
- C:\Users\Admin\AppData\Local\Temp\tmp4BBF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4BBF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\69e9a6be28ec6c7c609604a9e4c82414c4058e2b5ece7cdc3c5605029de74248.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1ai211n5\1ai211n5.0.vb

Filesize
2KB

MD5
cdf2bd789086fdb92d6a3e6a66114d2f

SHA1
5eeff5f75f2da6a4c3f94408ecfbe05d6a398ae8

SHA256
45fc66bc4dc67d0f9535dc33e7c94c7dfd131f54c70ede47a0922431f9e7ebe2

SHA512
626a9b31edba65a6153a44415ecdea76f61cb4b394601823fd6528635aa79d298dba206efcfc80b95c002ea8fa74743824379784886c1c17b7141d1412928c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ai211n5\1ai211n5.cmdline

Filesize
273B

MD5
30c1807d026ae1034e5ed5602b936eb8

SHA1
17dcc168eddb0eba19351b38cf0a1c2731343ab9

SHA256
594c73e06c36b41199ed5074b076491a7bd9477d23d1cfb15170573a26920673

SHA512
63969871217dfa88fbe5709f97bf7187a63d34f90607af875180b02c528c2ea73e3f2d213d674503b8256a3fc9a1fbdeef6335bc934bcaa1937c92cbe1aa4336

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5621209dc7dbb170b9bf0751aa3e7923

SHA1
0e59650dc61ed9527c4c612b42e515beaa0f436a

SHA256
6018c4c5e902119f521ad694cfae5816683da1d3ff29e6d098e19bf017b8fd44

SHA512
3288c7f342d665bb51f7e3e2a75f068cde5ed290a6abd521db746e4ae9be620ea70d3e9ff9b75f3d369404dad6cae693d05d6dd75f7b7d3a4f628a53bfb4048d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4CD8.tmp

Filesize
1KB

MD5
4f223303cc66ca499cf68294e6ced037

SHA1
90a43535dafcdde023f6b5008f051aae55791c98

SHA256
88980f522d4d0657c530cbc1142189e9a875f5d5fd0a345e600fec937123c2fa

SHA512
50399167023fa1c0136ecefe4cc35fc1ff4c28b965d302d95f49ac5a1289a5131ce444681202064eb793a543abdf83eaae27b1eb0dd9e9d2562b0238bd1729a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BBF.tmp.exe

Filesize
12KB

MD5
e9ea2509f2669b71a0d4236deafd7b73

SHA1
83a132fbfc1578efef97ea2b2dcdbffdfc4461b9

SHA256
35e20a7b1298b0865182c2dd593b9845bbf6e0fe582ae1aff51085c775b955ed

SHA512
dee6c65d41b1e4d90bf9aacffe526785336bbd6b367da24544a1d9eb4a6188f3a5f46ed176db21415803d6818d31c5f20690b62014c35588939134d3c60f44b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA3F88F722C1C43D3852FDBAC54F84B16.TMP

Filesize
1KB

MD5
9054a8202268c720c783c7ed77201004

SHA1
90436a454696b81572a85007984d2fc01bbbd675

SHA256
e126d7dace4a196e2bc393baac182963591f2d2d9de62facae0b81c6e891120d

SHA512
76c574a8413e8ed1a3262028e1b25c589910d041cf02896d9d28f953361da42243817791688fbb608b8290d5fc7d20ad1e7c9fc749433efa7045d98c766a2ee2

Download Submit
memory/3588-1-0x0000000000890000-0x000000000089A000-memory.dmp

Filesize
40KB

Download
memory/3588-2-0x00000000052A0000-0x000000000533C000-memory.dmp

Filesize
624KB

Download
memory/3588-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/3588-8-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3588-24-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4032-26-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/4032-25-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/4032-27-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/4032-28-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/4032-30-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing