9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d

General

Target

9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe
Size

12KB
MD5

82702ee71a59679913a42ab5bf8d2a63
SHA1

b66c54737a6269a42264b1b9325b0a1397a81392
SHA256

9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d
SHA512

04aaf38cbe1053d775deea2de7c9dfeb0a40e70a4ef2be65b342af031a0f8bd1df412751e58028506dd4106240eb8fd549271d2276ebba202020b3111d471a53
SSDEEP

384:fL7li/2zmq2DcEQvdQcJKLTp/NK9xaHi:T+MCQ9cHi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe

Deletes itself 1 IoCs

pid	Process
3780	tmp59E8.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3780	tmp59E8.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	408	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3044	408	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	85
PID 408 wrote to memory of 3044	408	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	85
PID 408 wrote to memory of 3044	408	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	85
PID 3044 wrote to memory of 4308	3044	vbc.exe	88
PID 3044 wrote to memory of 4308	3044	vbc.exe	88
PID 3044 wrote to memory of 4308	3044	vbc.exe	88
PID 408 wrote to memory of 3780	408	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	89
PID 408 wrote to memory of 3780	408	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	89
PID 408 wrote to memory of 3780	408	9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe	89

C:\Users\Admin\AppData\Local\Temp\9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe
"C:\Users\Admin\AppData\Local\Temp\9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vmiesm2p\vmiesm2p.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEC0EE47C8E034DF7B8D6FB5D88EEF397.TMP"
    3⤵
    PID:4308
- C:\Users\Admin\AppData\Local\Temp\tmp59E8.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp59E8.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9ea5faffb4a9c07869522c83bdd35d316e41e8548ecffe854e1fdff63d41fb0d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
a43aab54b2de01b4acf5920014617969

SHA1
112e2ab46864dab02cfa6bf41bb80f8bd9cf103e

SHA256
3e0fcbdf0cfb7095ad189a3dcaba0577b7a31875eee765b16709ed3fb57ede5c

SHA512
313daa0b5e51f3a4dbd32f7c7ccd34dab7a5ebb2950d4c225410dea3ba34e5a7a7a42a5b74d004bffeb60b38b752cc4fd18e9756dad000becf39a23a5219ba6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5C49.tmp

Filesize
1KB

MD5
3aa91dc069499d135039b1d4e5f612be

SHA1
8f98ee3baa0f1165015d1b2dc307df7ba1919d36

SHA256
5a68cb2fb5df9024f92b77d2609dd1ec0cf365a680e140ae218ce33e22ecda63

SHA512
3f25a27251f0acbdd58a1248556412d0ae341c84872bdb02672775ca5cb90fcceca91b88a14f6d19e5fcbe122e14898b77e297589da247a90d4a156d5df1f3ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp59E8.tmp.exe

Filesize
12KB

MD5
2eae8de067480f416945886cd3746fd9

SHA1
36f5ada4247ba1efcc7da543f8e81aabfc4ae2e4

SHA256
27c09a5dd151b9d92eb4c35d06c3efa89eef760009dc7ff60579ee7598644736

SHA512
1809aacfecf462b8fdd70ea6b11125c67b33be66426e31ebadb10b531bca1a8526da07d8391527b30d49a16ddc34090d670284cf7220e7285aee814cce9745f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEC0EE47C8E034DF7B8D6FB5D88EEF397.TMP

Filesize
1KB

MD5
3e31b1c89156d93870502c2e514ab392

SHA1
071ef1eab7edf5af006b8f517bb759666a4e3f41

SHA256
33ca87a9b27e1febf9f0cd418154c05f10a6b9ad3f83244988dfe93eb489813c

SHA512
d42b552933a2618f8ff4dbfdf22d2e078ccaeeb9ba8cfb441bfad1f5ac89259ed594845c8ee07e88584c4675f6af9dbbd6e3798076aace53be6915635f0d9a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmiesm2p\vmiesm2p.0.vb

Filesize
2KB

MD5
60a692e7069fd496e7d5be5427d70e31

SHA1
0fbf289b9fdb63b0e89173e25dff9f8ce7dbaa22

SHA256
45f136aedd5db6c5b4b3a062ec44e7511a8400ae5a4a26c5d18f18067f84491a

SHA512
adefa0ec6adc0817fb2cb1ded240e174f9accd1b7144b496793453314f0d28f939f037e43a447c7ae52c05e4f41fd3f21986724282e9b025ca75fe110f769bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vmiesm2p\vmiesm2p.cmdline

Filesize
273B

MD5
b762addbde2b039e03357f2ea946c9ee

SHA1
aea01e6a4253129aa404dd94a2e14844e2ca541e

SHA256
4796d4c67221a9bb756caa418218f4238c253ab41ce1645ea362dd741fc1e53a

SHA512
7e021a9d23fa95e0a3b784b77208890e1aad3e0efc968cdce213ca46234e2dedaa05cc6f6027873b2a7733f34b88add5792f7ceae447367dac355ad00eea7024

Download Submit
memory/408-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/408-8-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/408-2-0x0000000004C30000-0x0000000004CCC000-memory.dmp

Filesize
624KB

Download
memory/408-1-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/408-26-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3780-25-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/3780-24-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/3780-27-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/3780-28-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/3780-30-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing