4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380

General

Target

4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe
Size

12KB
MD5

5c9b366cc7e7be89c42a11e73a6830dd
SHA1

13d3b1f2feead25033b64bcbaba2fbb7c0f1a356
SHA256

4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380
SHA512

6e49016adefdde07c76b8151aa2cbd309db53827a244fd8142cfd5d163d28709007f480da1a6ce66ce126582dd1fe6c78643d9873766ede1e3ee9da55718cfa0
SSDEEP

384:qL7li/2zCq2DcEQvdhcJKLTp/NK9xaCv:06M/Q9cCv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe

Deletes itself 1 IoCs

pid	Process
3988	tmp4BBF.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3988	tmp4BBF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 2968	5100	4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe	80
PID 5100 wrote to memory of 2968	5100	4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe	80
PID 5100 wrote to memory of 2968	5100	4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe	80
PID 2968 wrote to memory of 2868	2968	vbc.exe	82
PID 2968 wrote to memory of 2868	2968	vbc.exe	82
PID 2968 wrote to memory of 2868	2968	vbc.exe	82
PID 5100 wrote to memory of 3988	5100	4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe	83
PID 5100 wrote to memory of 3988	5100	4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe	83
PID 5100 wrote to memory of 3988	5100	4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe	83

C:\Users\Admin\AppData\Local\Temp\4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe
"C:\Users\Admin\AppData\Local\Temp\4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ojxpyrgu\ojxpyrgu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4CD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CEF5692BDF64A1E9C7FA25D50DCE45A.TMP"
    3⤵
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\tmp4BBF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4BBF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4833597953e891095e315e736d7e219dfbe73b6dd57e7b5d2b3fb3ff79cf2380.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6dd82777df79f49e17f057de40212e0e

SHA1
628a017684155292fdc2e3344c041202a963274f

SHA256
3ec5b01fd472d87acbd1745f0c8fe1a38fb7f5da0afacb85c617f53fddb013bd

SHA512
7827d86a5948a2bcddb3eb8d9eaee89e20878fc21b200bef6e367e819c05a69d99a1b098f68f5367cdc9d7316bf45bdd06ee03c054a6307a63f05cf50e4ddf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4CD8.tmp

Filesize
1KB

MD5
3922960d252ba6d0a96814f126784ce9

SHA1
fd61da83da08df2ee118110e0943b39f97bc9ebd

SHA256
ddc2a6978977903e27bd3bf6415678a0dfd562528bb59fe74b62f2be89063594

SHA512
e0a7147bd6d09748bf23ddf40dfa10dfada16cfe3929f20095f8e54f3c502c3b8ff443ed363edde44e5dbd6843212ffa030ce3692af73f829221ca4ee5d3f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojxpyrgu\ojxpyrgu.0.vb

Filesize
2KB

MD5
b201ca00e3e7b1019cf2b1f757193412

SHA1
9bc338896caa1f39f29d2a4c50fbaf5ba5aae7fe

SHA256
94f946554a3a2acfc3ebac8956035c8a03847404d70b959b0fa4014bc9455e09

SHA512
cd7a3ca66b79b97bf0d356a859fdb3db52091327fa2d3685b2931f091ccab887c3b3ad2e2049da7772d7fc9ee7ab7a07a89b57811cd61b42e251673a1289fdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ojxpyrgu\ojxpyrgu.cmdline

Filesize
273B

MD5
cd4b45a181909d47a1ebf1f64bdf3481

SHA1
24583cd8b05eada6e642867f985b2c4e14163b9c

SHA256
9971af6d20ee1c11f3d9accadf9896705224df62411c5b082cb1754b2747193e

SHA512
32a27b8153fb9380948b3145e82c48a387cfd2597a60c53db9194e48f3f46daf1e4b9170ee2a7983fdb1f240abff1492b76757482615da074ce3aa9e80843649

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BBF.tmp.exe

Filesize
12KB

MD5
3f1c573ad4ba58c02db6fbd842d569e4

SHA1
927a36c3e21f19a9c8b4716cdf358660b23516bc

SHA256
a4a816869dc7d886f139a9e3bcc7f5e6c11a9df8e2a20f8fb67ecb25a300712a

SHA512
87775dc6cb86aa04e3b8f6a95382d25cead14310e17963c365299d51027c6ef23e3c2752c395c8e05d9b9cd3f52179632d2073c3ccdf7301b88ac508ca57ff79

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2CEF5692BDF64A1E9C7FA25D50DCE45A.TMP

Filesize
1KB

MD5
9054a8202268c720c783c7ed77201004

SHA1
90436a454696b81572a85007984d2fc01bbbd675

SHA256
e126d7dace4a196e2bc393baac182963591f2d2d9de62facae0b81c6e891120d

SHA512
76c574a8413e8ed1a3262028e1b25c589910d041cf02896d9d28f953361da42243817791688fbb608b8290d5fc7d20ad1e7c9fc749433efa7045d98c766a2ee2

Download Submit
memory/3988-26-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/3988-25-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3988-27-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/3988-28-0x0000000005010000-0x00000000050A2000-memory.dmp

Filesize
584KB

Download
memory/3988-30-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/5100-8-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/5100-2-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/5100-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/5100-1-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/5100-24-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing