b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69

General

Target

b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
Size

12KB
MD5

7806a8806149ee00b896686c0f679b50
SHA1

6e8f67ebb0b728c46dcbf9e758e0a3824b3d658c
SHA256

b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69
SHA512

2686af62d3a767323642e11d7c2edcc1861bbb9c30de6a6b4a42e88f1572ffc81dfb36967bd9f9fb1858452f726853ef4cc8a09422caf0b0fce3be0b433b1796
SSDEEP

384:+L7li/2zHq2DcEQvdhcJKLTp/NK9xaJ4:oLM/Q9cJ4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe

Deletes itself 1 IoCs

pid	Process
1764	tmpE7B1.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
1764	tmpE7B1.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 1424	656	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	92
PID 656 wrote to memory of 1424	656	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	92
PID 656 wrote to memory of 1424	656	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	92
PID 1424 wrote to memory of 2068	1424	vbc.exe	94
PID 1424 wrote to memory of 2068	1424	vbc.exe	94
PID 1424 wrote to memory of 2068	1424	vbc.exe	94
PID 656 wrote to memory of 1764	656	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	95
PID 656 wrote to memory of 1764	656	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	95
PID 656 wrote to memory of 1764	656	b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe	95

C:\Users\Admin\AppData\Local\Temp\b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
"C:\Users\Admin\AppData\Local\Temp\b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\myjalmya\myjalmya.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED0A5D98747B433BB76124DDD3FC63C.TMP"
    3⤵
    PID:2068
- C:\Users\Admin\AppData\Local\Temp\tmpE7B1.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpE7B1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b0daffd432373323979bb917d9ef91a53fa097cfee6e33194c0166981c7d6a69.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
41388ddb1f85f5116ee9927215d49a8c

SHA1
b2d04229b21b457849a0ccce2c0e3aadbbbf3b2b

SHA256
973e878d38d8e4155949dfa3a3f81db2246884ee637bd4de94faca5fe0c3387e

SHA512
21c5f5fc300c67b5601e90a46322a6d6f44cc85bec9f158b5eae85497f8088456b4275bd60f352527e49c597ff14a35032e8b1cbc0f2659648a7a736016e28dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3B4.tmp

Filesize
1KB

MD5
ed70e94029d799be9ca0b5f1e5445c67

SHA1
487baee41027133579a1dacce4b642a760e7cde0

SHA256
f547efb2563057f916c3f4f97bb5bfa3e6a7437707479107b153787994598655

SHA512
d23366b2e80e3b6084db0120811d1349fded9bfb513668318760b34072c455c987708b9486ed42bbd51b1fb8170cfcfd6d05dea694229892147b572706b6700b

Download Submit
C:\Users\Admin\AppData\Local\Temp\myjalmya\myjalmya.0.vb

Filesize
2KB

MD5
f071aaf780452b2fd06982f91b5d321b

SHA1
ac78d596a24fb0ab9881f125762427ab42d76f2c

SHA256
709a0280a76d6e09b2b1848b97602d1e7e1a57441675ba33cf97ce1ac0c2c4a7

SHA512
7c142de876183d0539640d64d85e60dc8bc6e13edf41675d2f5204e0992b54f28e068d23bc74534b61960ac1ea8921fe1b93bfb116303c786ad7a9419fac62f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\myjalmya\myjalmya.cmdline

Filesize
273B

MD5
a483a86dab0c8220c12997ee29267287

SHA1
41bd3e61d1d363c11bb629d9edc962196eaf02e0

SHA256
b392124274ce00cf5d528eba341b6a9be0348fa6562ff67e407245f35324a534

SHA512
1c601d543f53e077d8c621d68315e5547c05901e822294e40c473a83113f0658aa620eb322b4def2a432fc991890a71e82de541a8f123f574c0682b07e11b323

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7B1.tmp.exe

Filesize
12KB

MD5
9b5cff4009f08fc0553450df5124c7ca

SHA1
80c165ea60efb2307481660a44a391abe4051e75

SHA256
96c2567f33afe9cdbd119f741a87db120e0b105d8ad877ebbe0747cf564b8ce2

SHA512
2d024cf9c315c5ed4aff3218a0d82a5cc020464a42b6a5a574ec993f988ff06c740d9d4c3e32efe0fb5530c994510c31f82ab2c3397c718f51d9e5020a3baa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcED0A5D98747B433BB76124DDD3FC63C.TMP

Filesize
1KB

MD5
fe2f8d24313afa7aa685dcd605d50e6e

SHA1
6071a2b06e44962c9873db5ffb221d7fcff44de4

SHA256
1b477af0fb9f24c465f5f0cbcfcd903065d2df8f3efefe0139aa19bf4d043aab

SHA512
62022aa4a73a51867be5761ab4b695aaa5af0e3f411b4a6ac302468f858ad58766b2bd3b42566e06645955c99318e2a45c01427769d38e1ce18df71cce0bbada

Download Submit
memory/656-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/656-7-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/656-2-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

Filesize
624KB

Download
memory/656-1-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/656-26-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/1764-23-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/1764-25-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/1764-27-0x0000000005C90000-0x0000000006234000-memory.dmp

Filesize
5.6MB

Download
memory/1764-28-0x0000000005780000-0x0000000005812000-memory.dmp

Filesize
584KB

Download
memory/1764-30-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing