f6290981f571b2e93b6d6875bf05397d118d300b1948bc23753787bc3b46b25c

General

Target

0b20aa206d2d4c85aaa233297994edc0N.exe
Size

95KB
MD5

0b20aa206d2d4c85aaa233297994edc0
SHA1

d0c147fa3baa72353defa4a94a9fb3a17f78a55e
SHA256

f6290981f571b2e93b6d6875bf05397d118d300b1948bc23753787bc3b46b25c
SHA512

55f1a1252d7f3ff8c0a192f2cb763cfef41e9eae7eec1d19e3316187abe41eeefe05be050c895360a48476af0616038c7be01e0d7bf961e6e0649061e9e98a56
SSDEEP

1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU6p:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/AE

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
3256	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
812	rMX.exe
3732	rMX.exe.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	\??\c:\windows\nk.txt	cmd.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	0b20aa206d2d4c85aaa233297994edc0N.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	0b20aa206d2d4c85aaa233297994edc0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 812	2576	0b20aa206d2d4c85aaa233297994edc0N.exe	83
PID 2576 wrote to memory of 812	2576	0b20aa206d2d4c85aaa233297994edc0N.exe	83
PID 2576 wrote to memory of 812	2576	0b20aa206d2d4c85aaa233297994edc0N.exe	83
PID 812 wrote to memory of 1552	812	rMX.exe	85
PID 812 wrote to memory of 1552	812	rMX.exe	85
PID 812 wrote to memory of 1552	812	rMX.exe	85
PID 812 wrote to memory of 2968	812	rMX.exe	86
PID 812 wrote to memory of 2968	812	rMX.exe	86
PID 812 wrote to memory of 2968	812	rMX.exe	86
PID 2576 wrote to memory of 1472	2576	0b20aa206d2d4c85aaa233297994edc0N.exe	87
PID 2576 wrote to memory of 1472	2576	0b20aa206d2d4c85aaa233297994edc0N.exe	87
PID 2576 wrote to memory of 1472	2576	0b20aa206d2d4c85aaa233297994edc0N.exe	87
PID 2968 wrote to memory of 3732	2968	cmd.exe	91
PID 2968 wrote to memory of 3732	2968	cmd.exe	91
PID 2968 wrote to memory of 3732	2968	cmd.exe	91
PID 3732 wrote to memory of 1316	3732	rMX.exe.exe	92
PID 3732 wrote to memory of 1316	3732	rMX.exe.exe	92
PID 3732 wrote to memory of 1316	3732	rMX.exe.exe	92
PID 1316 wrote to memory of 1448	1316	cmd.exe	95
PID 1316 wrote to memory of 1448	1316	cmd.exe	95
PID 1316 wrote to memory of 1448	1316	cmd.exe	95
PID 1472 wrote to memory of 3256	1472	cmd.exe	96
PID 1472 wrote to memory of 3256	1472	cmd.exe	96
PID 1472 wrote to memory of 3256	1472	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\0b20aa206d2d4c85aaa233297994edc0N.exe
"C:\Users\Admin\AppData\Local\Temp\0b20aa206d2d4c85aaa233297994edc0N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2576
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3732
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\51.vbs
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\51.vbs"
        6⤵
        
        PID:1448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\56.vbs
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\56.vbs"
    3⤵
    - Deletes itself
    PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\51.vbs

Filesize
162B

MD5
c62dfa660bac6895cf009e2e33265347

SHA1
c0ca35400dcd7e7db069d63f08169adef99b1f6b

SHA256
8db28e197fe38cb938ac70cf19d4be19ed1a9e6386cc7fa5c67566928b00a73e

SHA512
683f8f388f2392413b980777539d4db12fcccea7fb752bebdf4f40f21164a4e5a02d5ac1c8b02fdc74698587de179753c027b0a74ae915724a2af9023803245e

Download Submit
C:\56.vbs

Filesize
205B

MD5
794e671f5d83988c6b3dbab94632f0ed

SHA1
5a2662ad360017e2d74745fd48bfa560ce2beda6

SHA256
0b57d9f320836db8e3640295e0823a938601e90d15a2ad60c052abfb66ad2720

SHA512
d2ad3486b96e5afe56c05d49c9a28c436e4d92688630544b6ae58059096c7a567f1bfdd7b8b6e405b6d8161e2f6a8408635f99c9a2952e5c6dc53d2b0d1fc982

Download Submit
C:\Windows\VWFLH\rMX.exe

Filesize
95KB

MD5
0b20aa206d2d4c85aaa233297994edc0

SHA1
d0c147fa3baa72353defa4a94a9fb3a17f78a55e

SHA256
f6290981f571b2e93b6d6875bf05397d118d300b1948bc23753787bc3b46b25c

SHA512
55f1a1252d7f3ff8c0a192f2cb763cfef41e9eae7eec1d19e3316187abe41eeefe05be050c895360a48476af0616038c7be01e0d7bf961e6e0649061e9e98a56

Download Submit
C:\Windows\VWFLH\rMX.exe.exe

Filesize
95KB

MD5
a7d25c818b60185a4b1d89345b1ee155

SHA1
ca6be50231398284eb843a4d557df052879e357b

SHA256
76d200aee73e87055a7b43fb68d58a521107945d0a060fdf1f12c4fdcda05d92

SHA512
9442f00de150f7f8f5d2867beb01366a1b6e949ca41e572249dc7ba0668fc1ba5554fc9bc3278f737d53447a065cc71667e4f2ea7516f1bc6f7575214fb55bfb

Download Submit
memory/812-9-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2576-10-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/3732-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing