61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3

General

Target

61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe
Size

12KB
MD5

25f8cbbdc8845ad0b76974f7f2553e27
SHA1

df7fa9b527671275f3f3c770aae96e8234c58a57
SHA256

61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3
SHA512

05b085793200fb0e873754a3d0f422b6969fd781a6e997c6e8463c4820a81ced4a4c7d047fc0af6fd61e9f54b4bb559048084ed4304ad666dc8b841d421b4055
SSDEEP

384:/L7li/2zMq2DcEQvdQcJKLTp/NK9xaYX:zoMCQ9cYX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe

Deletes itself 1 IoCs

pid	Process
760	tmp4DE2.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
760	tmp4DE2.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2544	1272	61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe	85
PID 1272 wrote to memory of 2544	1272	61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe	85
PID 1272 wrote to memory of 2544	1272	61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe	85
PID 2544 wrote to memory of 948	2544	vbc.exe	87
PID 2544 wrote to memory of 948	2544	vbc.exe	87
PID 2544 wrote to memory of 948	2544	vbc.exe	87
PID 1272 wrote to memory of 760	1272	61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe	88
PID 1272 wrote to memory of 760	1272	61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe	88
PID 1272 wrote to memory of 760	1272	61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe	88

C:\Users\Admin\AppData\Local\Temp\61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe
"C:\Users\Admin\AppData\Local\Temp\61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3z2xrxud\3z2xrxud.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EFB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC0AD86EAAA9458EBC4CA98AE6DC74D1.TMP"
    3⤵
    PID:948
- C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe" C:\Users\Admin\AppData\Local\Temp\61ae765dc8cc81c064cacc7847c65a26de252064199635ef220c840fc313fcd3.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3z2xrxud\3z2xrxud.0.vb

Filesize
2KB

MD5
9934edec8f92299ab4cdf70744dd1d85

SHA1
1de0f7bf320637974c77c7f68f85e92a3afe9701

SHA256
d8b8199bceeebcc58b6f3a203ec6f63b55468d3b9c3e8f382751e65fbad7f73a

SHA512
b905ffe6740cc6eccb5d6ab5c2840f452a849783abb6d755cb1c7898659b36f9b9da02f2245be725ce4adc634081004552abc1f7ad82ffbb0ec932d4e4775ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3z2xrxud\3z2xrxud.cmdline

Filesize
273B

MD5
4857b302234856b9ff59dcfe82ca189e

SHA1
0211ff3a4c2f8c111842251a13f9202b480d4338

SHA256
1e2db655b6f0344b7722b5a7800d90fcda3e44d3cdd5079dd5520a419aaeccbf

SHA512
c5d01a7dc511e27177a8400158b898cc3612a37356320edd539967ac6355e8eb61c1f6a6b8645fc6f4a2acaff2ba613ac868cc3f3c43ebaadc767ff11328f75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
20f5c8a14116e2ac70b01e5e070bd826

SHA1
bfb57aa39f99d14fd99095cd209ecefd694e95ab

SHA256
46373699d27ab476a62a811b3329edba98923f068052ce88322ed44fd100daab

SHA512
40a9921fa914efd78715f1a98eb6fff4a3c13d388771aefa775ccfee125bb4b1847c9f4fbee039f7c33522f034cdb8bdbb48af35292d2974ef0cd621c09b0ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4EFB.tmp

Filesize
1KB

MD5
a7b8f8eb95bec5ab616b3cb19f35b52f

SHA1
02418823b74ad610678e2deaefb5ac78f212a9df

SHA256
363218b8bdb2888b4b5fa58ca128f9544d0c276da7795bcde6ebbc4f628dc640

SHA512
8f703d762fb6caed42ff3c8d8045128cce3958a548ce42ad9bf592e1eb56b12ec8f3dd75c0d99c008e6ad1f6e5dfb1bc9586c5d844ff534461bba1a1c847bf9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DE2.tmp.exe

Filesize
12KB

MD5
38d701235028ac7894d000df8e7f4f20

SHA1
0b13394ae6fa92ea37328d0cf32fbb331f98bfcc

SHA256
172db9dfc2f8fb6e025ab9422d3855a545d414268c1b80b98211cbacfb696ade

SHA512
549be19739a8fe32f82791dfaf2a007f335ea660fdab2d94e229b13904f4c9b2fc312307e55cbc5edef00b8299b20b5f546725cd415705b47d13134d801fd3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCC0AD86EAAA9458EBC4CA98AE6DC74D1.TMP

Filesize
1KB

MD5
7ca3abf5e1669f6273fbe5ad027b0131

SHA1
5cf5e7dcad9c73536776f05331519f1af6d3653e

SHA256
79d40d63870b09f409db5125ee2c646bcecf168a6400dee4a6b7e58649da94c5

SHA512
b99ef3d94dd83b45846cfeaf2000edbfb448aedc904651cd62e93c5f863e656c8609c96e8c550d17f184e26ab6f2aed7788e40c9353e38ded496842b5b8950c9

Download Submit
memory/760-24-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/760-25-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/760-27-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/760-28-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/760-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1272-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1272-2-0x0000000005300000-0x000000000539C000-memory.dmp

Filesize
624KB

Download
memory/1272-1-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/1272-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/1272-26-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing