b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119

General

Target

b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe
Size

12KB
MD5

61761a6fa4f356b695d52f997e1c6eb1
SHA1

a746decf7f36d9c74c76599fc3cf7b37277bf97d
SHA256

b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119
SHA512

67b96bc5e4612f8e9c127bf64afe06b3d3e2d3eeb34425fc9136713490be7d9d5ad2f2a9e87e1189d4566bc3e36266b42b3738abbcb110d0c0a752c7c55f2ef6
SSDEEP

384:nL7li/2zJq2DcEQvdhcJKLTp/NK9xaj5:LJM/Q9cj5

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe

Deletes itself 1 IoCs

pid	Process
1484	tmp4B81.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1484	tmp4B81.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 3596	1972	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	87
PID 1972 wrote to memory of 3596	1972	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	87
PID 1972 wrote to memory of 3596	1972	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	87
PID 3596 wrote to memory of 3172	3596	vbc.exe	89
PID 3596 wrote to memory of 3172	3596	vbc.exe	89
PID 3596 wrote to memory of 3172	3596	vbc.exe	89
PID 1972 wrote to memory of 1484	1972	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	92
PID 1972 wrote to memory of 1484	1972	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	92
PID 1972 wrote to memory of 1484	1972	b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe	92

C:\Users\Admin\AppData\Local\Temp\b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe
"C:\Users\Admin\AppData\Local\Temp\b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vyo43eer\vyo43eer.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CA9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB821AE30A2BD4179A4CD7F36155CF1F7.TMP"
    3⤵
    PID:3172
- C:\Users\Admin\AppData\Local\Temp\tmp4B81.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4B81.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b3c4029ddbd2f994f8ef4bf7342f3ce9814e3185143e4e059d296f9afd499119.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
16ff3ef6ff9020e570f42b94ef6ef59c

SHA1
78e1667064c3ed8a785af24fd196f982b152d19a

SHA256
6cf02b097ed3365b52fcb21506872030f97f6091741a4b0aa639e6168c31c1b0

SHA512
d519f85d8b82dbedac27607777226a528de1a14de7f624eeddf95ae22424a5021a33fd3ca02f1edfcf53f4f7783f52e1a5e394bc855240b1da96fd8dafda817b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4CA9.tmp

Filesize
1KB

MD5
2c8eecc62b05ae240a2fcebf8060a84c

SHA1
086405736f0cf8eb0ffe3db2162e0514be92324d

SHA256
536610724aca8881c19c35eb1f81055bb084da582e7d987d312fd193cdbf0dfe

SHA512
82d031d1ca5c2797ba1fcca64d3768f88c1c9e18b5022a969c70bcc691b8ec195e1bca8e3f7ecd8c87ac5319f1ba6367a753ac064bf8cdc2f93930feca7b5cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B81.tmp.exe

Filesize
12KB

MD5
a7768cca9ec2e3984039f894f545c807

SHA1
799f64534bc619d35528708e331692168935d7c8

SHA256
f5a11ad6db0418bda5591a31afd0c64f938ae1ed78ca6dcb85e573adc441e154

SHA512
95ad27c9d1d4fdf08f6ea374cb53a7a088f3ef1a20b2513fccefcdb2ede42e0ea71ff4a465b7b12fffc347a745d89bb0d42100685c8a075fd017684db394de6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB821AE30A2BD4179A4CD7F36155CF1F7.TMP

Filesize
1KB

MD5
c6b974844d2cdd4a69bd0cc522f49adf

SHA1
495bd985aa5b48fab669b6f1a596b3ac3143bf2a

SHA256
c04dc99246a392565bfe37b096e0322fa7fcf473a89252296f4a163c49f0d3d2

SHA512
8859013ff013de54986c5694341991b9a9b65c19bcada10510acbfdd3ef150b4bad5e1e608d763bf3394949682c78927b0a74722b49ec0f5a9d7ee9f2ba80dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyo43eer\vyo43eer.0.vb

Filesize
2KB

MD5
18c89170270aacd60db1f787b316f45a

SHA1
5b98b6ce3cf6767285fc54c6dde61f1170946e5f

SHA256
71552cf5f196e9162833e78a6ef53ce86e947143acfc972090644e240846f88c

SHA512
cdc4a923d39e6cd24d831d22723ced222615dee308e2593497a8a1ccba1f4fa44660dcf09a3e112d589a38362e9f2b63c1408333e54df5c3d4f522994f72895a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyo43eer\vyo43eer.cmdline

Filesize
273B

MD5
b0c14e39aa8e2614a94c42da67b99019

SHA1
fe6dd95498f737ddf3be5d36b240221f0ef3bef2

SHA256
6d9d47b0fca8d978457e58b8a2e79c3a1e0418f0634effec583006bb2ef3a469

SHA512
b5b06a164fdfb997458a8c2a76cdbfe99d3310e9d7c1c08f9e5230d72dadef6d1b46e7975f2657a0b230012eb148a2ab3efaf1bc162a06458765a24c4a0cd34b

Download Submit
memory/1484-25-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1484-26-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/1484-27-0x00000000059C0000-0x0000000005F64000-memory.dmp

Filesize
5.6MB

Download
memory/1484-28-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/1484-30-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1972-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/1972-8-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1972-2-0x0000000004E90000-0x0000000004F2C000-memory.dmp

Filesize
624KB

Download
memory/1972-1-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1972-24-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing