9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5

General

Target

9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe
Size

12KB
MD5

6ba9b792a4f0e82a42ebdc8433c8fd8a
SHA1

c9546c12e749f4b9fecee50b99ce87f0b2780f79
SHA256

9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5
SHA512

c59255550ccdd264ce96f892f616e2dc779a869a93de1ef9f880a05f09f529a2d5b8f8baa643b6af1925e5b0799dc713a51b244853b9b20bfd553e3988d92283
SSDEEP

384:uL7li/2z/q2DcEQvdhcJKLTp/NK9xaEw:4rM/Q9cEw

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe

Deletes itself 1 IoCs

pid	Process
1404	tmpECF1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1404	tmpECF1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 4776	1584	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	95
PID 1584 wrote to memory of 4776	1584	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	95
PID 1584 wrote to memory of 4776	1584	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	95
PID 4776 wrote to memory of 2884	4776	vbc.exe	97
PID 4776 wrote to memory of 2884	4776	vbc.exe	97
PID 4776 wrote to memory of 2884	4776	vbc.exe	97
PID 1584 wrote to memory of 1404	1584	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	99
PID 1584 wrote to memory of 1404	1584	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	99
PID 1584 wrote to memory of 1404	1584	9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe	99

C:\Users\Admin\AppData\Local\Temp\9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe
"C:\Users\Admin\AppData\Local\Temp\9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cqp3icup\cqp3icup.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDFA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB5481E43BB3B43B2A43D8021FF888E9.TMP"
    3⤵
    PID:2884
- C:\Users\Admin\AppData\Local\Temp\tmpECF1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpECF1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9dc6d8d96596fbd302e3083988916af475f2841c1feb0194d4100f2beb1335a5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3784 /prefetch:8
1⤵
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
bc8d99c32ae311aee4a1f9d946073a7d

SHA1
121d425b97b91c62c4caef979434fc897ad2b3bc

SHA256
93cb6f35080eda08379f2b8eb9d405c8b11336633f2cf43bf1b669719c394690

SHA512
1e616fc78391ffc1a39f936c4251650de14098056fa5c99680bbd99c6da372bd0d57d98fc68c6ef1874608fc419cdf205a1668b7be3f18d8cae221a3d5b48b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEDFA.tmp

Filesize
1KB

MD5
887a5804ae139e96a38bd2c4fd11bb3e

SHA1
96ceba725ac89c85e437853244081d71a8ed91ef

SHA256
687bb9a8d60d00f342214e07b3dbbc70e6c186ae43b3b17bf8d369a3a7f32948

SHA512
442d561e2187e93f163e44aa6b96203a21227041d15bcdbde92b968493686dd0f1147d6012228d40278d426271d0142af8413d9946dae973de911d44e6a7e585

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqp3icup\cqp3icup.0.vb

Filesize
2KB

MD5
c0a65d04ee182454ca333b78e39971c7

SHA1
352020d9013df5023ba0cf71e72eaa4d3cb0f050

SHA256
34e4a2ad9224afa4c2bf83c665ad265d4f5e2b01f967858a269254ccd9213bfa

SHA512
6c8b39d435c6c45ec6df037ffe5f644bfdad1d2d003765d16aa9a4305fd2235a91132b095acf1d450f8bc421c090bd0c71cd86a9f7110aa1573f1ae0af22b63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqp3icup\cqp3icup.cmdline

Filesize
273B

MD5
f3cba5e916ccb69dc259ac6bffc39c84

SHA1
0a6d6d891040749b221c04aab795028961cf3cb8

SHA256
1e978591bf5f610e8e8c970ef4a3aa173669b1196f3c13b226729d14748a3252

SHA512
d61a4603c21e884cbd1698f506661afa26d821a805d0d26e3a6d2497f673940b4625d56b4e44e2c7ce102ca74951f4d4a68cce1e6533e56d7aab7ab9958dc2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpECF1.tmp.exe

Filesize
12KB

MD5
444ca4d95e667f276268af2809602219

SHA1
69b541f20ebbd8c237a9d88175fb33d61f4db592

SHA256
ff8e8e63af278ee08dbd04290cc774e3d4a4210dcfac59b31b54fcb9d877d899

SHA512
86f74eb482d873da39324ff65c8b61f168c445c3dd8c1192741b7af0341b85a64e5222f6e96c676a5404200421baaf52e39385291efd481ada071b55cde626b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB5481E43BB3B43B2A43D8021FF888E9.TMP

Filesize
1KB

MD5
0d8516827b0d4a358a1f7f72dc25aae0

SHA1
c47113f9c9d7b2e52712767f284b67504c9507b3

SHA256
76c4ff2a4574436c626d23a8bc0ac14ce700440a94514edb6d4385fab4ff9d1b

SHA512
6845a26b68db3c83f9d7c748f85a67eec0c719fb4d8220a31c8db26e66cf81ed4347974af0fc253195d51e878aaeaa5c22999c80516b5b4976e276be0dca7301

Download Submit
memory/1404-24-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1404-25-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/1404-27-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/1404-28-0x0000000004F90000-0x0000000005022000-memory.dmp

Filesize
584KB

Download
memory/1404-30-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1584-0-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/1584-8-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1584-2-0x00000000048F0000-0x000000000498C000-memory.dmp

Filesize
624KB

Download
memory/1584-1-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1584-26-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing