a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d

General

Target

a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe
Size

12KB
MD5

32ef744add96941cc35885142148a7e3
SHA1

db291a3c755305cbc672e81f7a8a8330df0c781f
SHA256

a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d
SHA512

814fea67a55f00ee0dcbb9f9e2192e4f8ff02e606604b8c5a282373614764bf7125a9079a802ca0c323f316e0e184afff9ee465edda81ac1fc94aad8aa4fdb37
SSDEEP

384:6L7li/2zbq2DcEQvdhcJKLTp/NK9xaMe:k/M/Q9cMe

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe

Deletes itself 1 IoCs

pid	Process
4380	tmp5EAB.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4380	tmp5EAB.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 3176	764	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	85
PID 764 wrote to memory of 3176	764	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	85
PID 764 wrote to memory of 3176	764	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	85
PID 3176 wrote to memory of 4772	3176	vbc.exe	88
PID 3176 wrote to memory of 4772	3176	vbc.exe	88
PID 3176 wrote to memory of 4772	3176	vbc.exe	88
PID 764 wrote to memory of 4380	764	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	89
PID 764 wrote to memory of 4380	764	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	89
PID 764 wrote to memory of 4380	764	a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe	89

C:\Users\Admin\AppData\Local\Temp\a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe
"C:\Users\Admin\AppData\Local\Temp\a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1dz04j0v\1dz04j0v.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6031.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF94DC48FD895499F9A836F668E44E22F.TMP"
    3⤵
    PID:4772
- C:\Users\Admin\AppData\Local\Temp\tmp5EAB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5EAB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a536020aca828b0da3392819b5252b899c658a89e75905c9939790b9ddd23f1d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1dz04j0v\1dz04j0v.0.vb

Filesize
2KB

MD5
0ef9421226eca9b3e480854fc6db0bc2

SHA1
ff2fd160a610897c24fea1a6f66a95cf98ee4364

SHA256
51dee201ac3a8fd7d32897d8c329c85901e8a73fd8affff1ac39a969079ece9e

SHA512
c2407d560f7f447c19952aa456341f9606b7396bcd5ad003517c4d6d3f92675b681c574557b27be6d5f29b3f6f33262551f32044d5605f1b63152bdf74d9278e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1dz04j0v\1dz04j0v.cmdline

Filesize
273B

MD5
d3b0c9346e59afa303528e556f44e51f

SHA1
7fe5f197df3dd9fc4b75406cfbda08d7ec4f1030

SHA256
0496c5dbd54a413ec67a482d4c43833917cb830fb5eee0bcc66486670c74fc14

SHA512
c428ca97d2772213bb8c3ad28c66c500e5c4ad873652d569a25740d6b30cab4d408113d2c893b5e4c186341aa8c2eabbedecc779735bb66fad8fa144a8e5a818

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
9b8443147e8d95a0a121a01da595b279

SHA1
b403e94aa353063b69a27f5b8b0ef830ea5c1a7a

SHA256
49ea19de0bb3fef9b3266c5bc285f7256bed503b26b9aa426165a93bce43fe42

SHA512
4f9f5189f1e491621f5ae45aa693d429e833254f622d9ef9ba85b8c0bfabffc49294b09b77bd24ddbd09634c687e3dc69cd35886d9adde4d4d899849887f8bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6031.tmp

Filesize
1KB

MD5
e84e869315a55a67999575557b85c9de

SHA1
0e6bf9f514107c48808265209744052236797833

SHA256
fc6f36ad139540846cd6f5d6a9e5ee1931aaa447e43da6f04d8b5d0e97dced89

SHA512
fa5b2a6d73629a85de778570a2da4fa6dd64090d367fe0338f23c57ee53f988c229066bf621f319f1f747d99d0e997e04ab841d33063fefb37ac9b1c112367e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5EAB.tmp.exe

Filesize
12KB

MD5
4728c1364057fcfdab202824a779f4ab

SHA1
961a6a0c420080d4ca455a577b27495e5a7a4654

SHA256
ab686e0aa908d462d63ec8afcf39b96f6abf3c631dc3d539f53b836fc920c7f2

SHA512
c048a39102e6c6836ebb57783c716146c1e8b3b9a6e5d42a3c7afe7eaae85ede9f8a808b7101434efa2e83f34b151991ce5ab732ca76607ce17588db12bb6087

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF94DC48FD895499F9A836F668E44E22F.TMP

Filesize
1KB

MD5
ac1cd706f755af6fe1d1b412ee6849f2

SHA1
70ee7345ee72c2fe5c7562065e0213e4899fbff4

SHA256
442b62a737ef0d1572e9959f0e1742b8555223e0579c31ec93be507c95aa071c

SHA512
1f2da300aa0d03ed1a1be253d0c6d11ea8daedc43fd494fff8c88967450fb3d72fc387b2a2d557081b39435f7ce341e3597db37c0ef6e277d6c1c410916db0e7

Download Submit
memory/764-8-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/764-2-0x00000000055D0000-0x000000000566C000-memory.dmp

Filesize
624KB

Download
memory/764-1-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/764-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/764-24-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4380-25-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4380-26-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

Filesize
40KB

Download
memory/4380-27-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/4380-28-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/4380-30-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing