3cb5ea28d34556fc91bf400ca39dde6a8266fb8bcf937ef0b05c991c94135d5a

General

Target

virussign.com_127b09e4113d207b9e5edfac515028e0.exe
Size

12KB
MD5

127b09e4113d207b9e5edfac515028e0
SHA1

370f3b990b119ea9f114485015953eee2c70e53d
SHA256

3cb5ea28d34556fc91bf400ca39dde6a8266fb8bcf937ef0b05c991c94135d5a
SHA512

916bccff48dc8ad426a2fefb9fc9ec91a275881ad35b984dfa3024582d5edad08d1fd2d35222bc34a33655fe5c93fa0b71d6f2b2962cd6966c9e26f4fe4d914b
SSDEEP

384:VL7li/2zjq2DcEQvdhcJKLTp/NK9xa3w:1HM/Q9c3w

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	virussign.com_127b09e4113d207b9e5edfac515028e0.exe

Deletes itself 1 IoCs

pid	Process
1384	tmp5C88.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1384	tmp5C88.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	virussign.com_127b09e4113d207b9e5edfac515028e0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 2120	4344	virussign.com_127b09e4113d207b9e5edfac515028e0.exe	86
PID 4344 wrote to memory of 2120	4344	virussign.com_127b09e4113d207b9e5edfac515028e0.exe	86
PID 4344 wrote to memory of 2120	4344	virussign.com_127b09e4113d207b9e5edfac515028e0.exe	86
PID 2120 wrote to memory of 1508	2120	vbc.exe	90
PID 2120 wrote to memory of 1508	2120	vbc.exe	90
PID 2120 wrote to memory of 1508	2120	vbc.exe	90
PID 4344 wrote to memory of 1384	4344	virussign.com_127b09e4113d207b9e5edfac515028e0.exe	91
PID 4344 wrote to memory of 1384	4344	virussign.com_127b09e4113d207b9e5edfac515028e0.exe	91
PID 4344 wrote to memory of 1384	4344	virussign.com_127b09e4113d207b9e5edfac515028e0.exe	91

C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0imvpfsb\0imvpfsb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E3D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8133B6F4EA25481089347C5AA4258270.TMP"
    3⤵
    PID:1508
- C:\Users\Admin\AppData\Local\Temp\tmp5C88.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5C88.tmp.exe" C:\Users\Admin\AppData\Local\Temp\virussign.com_127b09e4113d207b9e5edfac515028e0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0imvpfsb\0imvpfsb.0.vb

Filesize
2KB

MD5
e36b72f006c76e07cd11cbf270cafb10

SHA1
950f24ed06452e61a9fb7ec002fa87a64ac74996

SHA256
2556ea2b963c1b2a9026a2150495ee714e37ba25cb61fe07241cc60b67ef4eb2

SHA512
71007337aca7e6f6b86195bdd1d4c3892ad30f810e9f13605bc01024313ab6b92882016102029c76e55e514d89c9cdd49c75b5a8fd00cf19836ccdb2abf662d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0imvpfsb\0imvpfsb.cmdline

Filesize
273B

MD5
f740276a813c0fb7f0926070a2efbb54

SHA1
5bab4bc02360757e9bd42133f2c939cd5bf328b1

SHA256
8235764069a668de96f484c7ae981b9204936ec85fd9fbcb45b186049338fec2

SHA512
4228b4f8260c7ea0b22dee6310b6310b47149ef4cb2884b913b70f8eb116610cd12cf6c1c5eda56f65661614a20ee5f0f9d05539097d743ae1012061f8a1f696

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
0d61a36bb7cfd33c7f46d97685d64608

SHA1
d46513ac829b7c54bdae060fd372cbd8f6d0cdd9

SHA256
6787a8a3c2fc4d58f54464c1788b250db6ada3e2859ecd8fcfd021dd17170789

SHA512
d8dc4073cbccfaa2d31003670ff7055331fc47783a30239690c3e5061008fcf1bb4c810629a66926dc960c52ea03e624a2ff90898d89f500c7a2ef6252dd6d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5E3D.tmp

Filesize
1KB

MD5
ebccca1c6dc51d53a218b36db1181ef2

SHA1
d16c6b50fc0bc8ff71fcbc40f412294a1abb7592

SHA256
6fb8cfeb965edd9ce0a7dcfd98b6c7a4b0642bccdf7f444e208358cc8ebb5922

SHA512
a90825a5125e21785721e03182d78db69883ac69096a92d17c3b65038b71cf8f9416e1cc043b79bfbf5463265fc8b36c8a1bd41638d2aae836b078f3969a92b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C88.tmp.exe

Filesize
12KB

MD5
1cc99de8bf36ff21ff6c2c51f2d0167e

SHA1
523ce28a4ff172657e9c624bf1c99570ae925934

SHA256
e1c46ac52c7dab8c1a1280f53e386a4268b25a0b18e07511da26b937337710f2

SHA512
e19c52e9b6fc0c988883008d9d8ceef3e06028c22aeab7d95ed96968367b4b5bb39ad8fed0fc6d8278f0ea2f95f67c25d3f869165d67a182c70a352643db4df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8133B6F4EA25481089347C5AA4258270.TMP

Filesize
1KB

MD5
116add55a680019d9b7aa6ca4949afe4

SHA1
006a4b79ed1502e881a80307d4bb3110f87de775

SHA256
630e7084d3b9b6bfa865eb9b1dd2165946641a0abc72fec83ed349da981aecf9

SHA512
73df4cf794e9e843bbd6cdd00770a8ef531ec14c3853df046d341dc86149683e5464ef9b0d97a91c1c51dc54a67012c3e97d2b7879a3a2c586d0b42a6637198c

Download Submit
memory/1384-24-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/1384-25-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1384-27-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/1384-28-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/1384-30-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4344-8-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4344-2-0x00000000055D0000-0x000000000566C000-memory.dmp

Filesize
624KB

Download
memory/4344-1-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/4344-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/4344-26-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing