5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987

General

Target

5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
Size

12KB
MD5

ee9e7173cbacb0a1e820d2a96887fa2a
SHA1

70253a73f5f84eec8d0c69989864a275157a5dd7
SHA256

5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987
SHA512

8c5761d23978e9ec15e0c5e07b872187ed3ca3a371706d607fac7bd7ad9f0d3058f772e8dcad67e4662e68f61c1b607963d264ae6f851e00d24563ad0ecb73bf
SSDEEP

384:XL7li/2zjq2DcEQvdhcJKLTp/NK9xaO9:bfM/Q9cO9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe

Deletes itself 1 IoCs

pid	Process
2408	tmp4ECD.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2408	tmp4ECD.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 4696	936	5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe	85
PID 936 wrote to memory of 4696	936	5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe	85
PID 936 wrote to memory of 4696	936	5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe	85
PID 4696 wrote to memory of 2740	4696	vbc.exe	87
PID 4696 wrote to memory of 2740	4696	vbc.exe	87
PID 4696 wrote to memory of 2740	4696	vbc.exe	87
PID 936 wrote to memory of 2408	936	5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe	88
PID 936 wrote to memory of 2408	936	5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe	88
PID 936 wrote to memory of 2408	936	5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe	88

C:\Users\Admin\AppData\Local\Temp\5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
"C:\Users\Admin\AppData\Local\Temp\5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xembfusg\xembfusg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES513D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77C0B4093C7B40619EE4791EBC2813A.TMP"
    3⤵
    PID:2740
- C:\Users\Admin\AppData\Local\Temp\tmp4ECD.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4ECD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5d3cb91c7d784f67fdb5cf4275d96c36e4e331487e227d3682599856eb24c987.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
16ff3ef6ff9020e570f42b94ef6ef59c

SHA1
78e1667064c3ed8a785af24fd196f982b152d19a

SHA256
6cf02b097ed3365b52fcb21506872030f97f6091741a4b0aa639e6168c31c1b0

SHA512
d519f85d8b82dbedac27607777226a528de1a14de7f624eeddf95ae22424a5021a33fd3ca02f1edfcf53f4f7783f52e1a5e394bc855240b1da96fd8dafda817b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES513D.tmp

Filesize
1KB

MD5
abe18bf11a253db869dae01189eb5af0

SHA1
70823aebc9b383325b6ea33ada53710015cd7680

SHA256
f34995d3a3b16ac686f0f601e963993927579bf22c72ead99daef3d09086c989

SHA512
e490059600da8cc89796a9769a0d8920aa33a438578661669e6ba5b06c29ba52665b05c6ee822c55360074fa753490bdab0631946e036e242f23910a91983d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4ECD.tmp.exe

Filesize
12KB

MD5
b973bc908585a5835bfb5fa2c23963a6

SHA1
95b6cabffe7a106e42f5adec70415c746eb34c7e

SHA256
dbf9b91781ccfc5cdacf0aed6503273c6f8fe9fecaf3c34b440293b9580170cd

SHA512
b5c33567d2c89afdde68d1880bfb45a8c0a4713b938d00b28207e06f7815cdebf7c48c8a3ff6222aeec372d8aeb8cac2ae1370e9c2e466144d292e508116b5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc77C0B4093C7B40619EE4791EBC2813A.TMP

Filesize
1KB

MD5
0682cd1cbfc7d0ef1459ba1b16f25ae9

SHA1
14c167dbe6647e3be9171aa4b77a2050218d7a06

SHA256
5aeb2efbb8c6dcaca7e138437d131d7c6c48e3c2d190f83324e2b2b59b2ccc17

SHA512
95a19d85017e8fb0044771fcc769e4edb468763580de40262ac88f1d8d49b1a61a32e52c1225d67be40266c06c46c37bed7d337266e696d5f278398ea650264b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xembfusg\xembfusg.0.vb

Filesize
2KB

MD5
18c89170270aacd60db1f787b316f45a

SHA1
5b98b6ce3cf6767285fc54c6dde61f1170946e5f

SHA256
71552cf5f196e9162833e78a6ef53ce86e947143acfc972090644e240846f88c

SHA512
cdc4a923d39e6cd24d831d22723ced222615dee308e2593497a8a1ccba1f4fa44660dcf09a3e112d589a38362e9f2b63c1408333e54df5c3d4f522994f72895a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xembfusg\xembfusg.cmdline

Filesize
273B

MD5
527b2f8160ecc3355ed2afae3354fd69

SHA1
0ea8e84f546edba564aaa1db9742eaa7f2747e90

SHA256
4f8dfd8c46c5ce168a0116419ff66b64756c4616c82fb23c5195b24ee08f79fd

SHA512
b3b454454f8e24fc945508d76ca134df4876fc647ea05bfb5e13975dbf4ba7d5b50629c6d889c549619c9a73fb2c47c3ecf97f96255942411e78bfbba6039cf2

Download Submit
memory/936-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/936-8-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/936-2-0x0000000004E20000-0x0000000004EBC000-memory.dmp

Filesize
624KB

Download
memory/936-1-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/936-24-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2408-26-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/2408-25-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2408-27-0x0000000005D00000-0x00000000062A4000-memory.dmp

Filesize
5.6MB

Download
memory/2408-28-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/2408-30-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing