004842faaa5d44c233f6b8b9b873cb8ece34f82c3e560a47ddedb3cf7eaea685

General

Target

004b1bf039d5156a874ba3d8cfeef360N.exe
Size

78KB
MD5

004b1bf039d5156a874ba3d8cfeef360
SHA1

d1c8bf057b2eb71b34ae55cf4d2a0505ae9fa461
SHA256

004842faaa5d44c233f6b8b9b873cb8ece34f82c3e560a47ddedb3cf7eaea685
SHA512

a54a5ef26685cde8321aeda0d2e5465e8b7cc7a3dfd942ce22d27664f813341b60988b82ff4d04a656e056040e3726ecbf017fbc1bfcc8508a7b1974b42979bb
SSDEEP

1536:BPCHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtAU9/k1v+:BPCHY53Ln7N041QqhgAU9/f

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

004b1bf039d5156a874ba3d8cfeef360N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	004b1bf039d5156a874ba3d8cfeef360N.exe

Executes dropped EXE 1 IoCs

Processes:

tmp337.tmp.exe

pid process

3424 tmp337.tmp.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
3424	tmp337.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp337.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp337.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

004b1bf039d5156a874ba3d8cfeef360N.exetmp337.tmp.exe

description pid process

Token: SeDebugPrivilege 1688 004b1bf039d5156a874ba3d8cfeef360N.exe
Token: SeDebugPrivilege 3424 tmp337.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1688	004b1bf039d5156a874ba3d8cfeef360N.exe
Token: SeDebugPrivilege	3424	tmp337.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

004b1bf039d5156a874ba3d8cfeef360N.exevbc.exe

description	pid	process	target process
PID 1688 wrote to memory of 4140	1688	004b1bf039d5156a874ba3d8cfeef360N.exe	vbc.exe
PID 1688 wrote to memory of 4140	1688	004b1bf039d5156a874ba3d8cfeef360N.exe	vbc.exe
PID 1688 wrote to memory of 4140	1688	004b1bf039d5156a874ba3d8cfeef360N.exe	vbc.exe
PID 4140 wrote to memory of 3344	4140	vbc.exe	cvtres.exe
PID 4140 wrote to memory of 3344	4140	vbc.exe	cvtres.exe
PID 4140 wrote to memory of 3344	4140	vbc.exe	cvtres.exe
PID 1688 wrote to memory of 3424	1688	004b1bf039d5156a874ba3d8cfeef360N.exe	tmp337.tmp.exe
PID 1688 wrote to memory of 3424	1688	004b1bf039d5156a874ba3d8cfeef360N.exe	tmp337.tmp.exe
PID 1688 wrote to memory of 3424	1688	004b1bf039d5156a874ba3d8cfeef360N.exe	tmp337.tmp.exe

C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe
"C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hmmekqwj.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES422.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3EB49971C97D4CC49374DA95CA6F7ED6.TMP"
3⤵
PID:3344

C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe" C:\Users\Admin\AppData\Local\Temp\004b1bf039d5156a874ba3d8cfeef360N.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES422.tmp
Filesize
1KB

MD5
98be2d105c10f8d137e215ce22cb768c

SHA1
0884de0cc0cfb51223c8440b0be74dc82a7374b6

SHA256
0e3859310624be0df10407459ed0a1b46347bd8b2fa7a5aec179d1694ed12533

SHA512
cc8c32331b67f40baec2dff303d960b9b5a1ccdc31840e3005cbf29fb335196732ceaec735be104dcd9483f8673ae0a814b75cc708c7a4b94a548e0a8b211041

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmmekqwj.0.vb
Filesize
15KB

MD5
e25703dd8d710fc4e40dbd6f18449a8f

SHA1
9875911354c33b5594011566001eea7aea4b4f96

SHA256
b4269d6260bcc6e00f2b69a345dd1ad481903126f56f72830f0ac2b530ba619a

SHA512
dace14e0f77ecf46648353ef890669f3d9d8e1c90fe614861fc43abd08b2308b2c2a791137cfdc2ed0e8ffef5f50333ba87ae3a53866258786dfcaa2024b5b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmmekqwj.cmdline
Filesize
265B

MD5
f9d30196dc7019ca6fdc4475e37f048c

SHA1
87292ec58028c795db02debc7785aa265a5b3935

SHA256
f610eb7009bf20ca9b3e426c325e23c221d73c0ab3f87ec7e9b13337ee92f48b

SHA512
7b47dd01e7590ec8381b306c2212d9f502553c63d0e09b10a9fda33386af210e40dd6de7f5eb9ef7555c2675c489b4b19a9de102438135df3dc47d25f46e133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp337.tmp.exe
Filesize
78KB

MD5
bd70df23d46abfa66c4f11754b8835e8

SHA1
28d01f0dfe4d474ba8b4334c823c08a9fd6a3dc3

SHA256
05c96422bf2517ebbc74faf54b0d81b750f627122b2048fa6dbf10e4feefab17

SHA512
ca518747cc1c8dc7dbe1d8adb438fafb9a32b84981930255517c2544919a541d22458a804774ade42286c9ac560b1b64e1ecfa733e7c8b51c8d0c35db1f26ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3EB49971C97D4CC49374DA95CA6F7ED6.TMP
Filesize
660B

MD5
6f8992e132ef6f6f1a52542bac011b4c

SHA1
62de486ad2681df88d2fe2742b466eaad2bd0271

SHA256
3ea2fa0a4c87138afd132c1ebb3fade0434250d7dc03d70f0b19f50b0b5d8394

SHA512
ba9189d586ae34b28bbe6170c16b0554a66250acc93f583f26a8efa674c5f479c143d709b5344f7f30bb070e89faffabbf6a6af0ac69b82e880e04643d97ba8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1688-1-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-2-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/1688-0-0x0000000074912000-0x0000000074913000-memory.dmp

Filesize
4KB

Download
memory/1688-22-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/3424-23-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/3424-24-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/3424-25-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/3424-27-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/3424-28-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/3424-29-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/4140-18-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download
memory/4140-9-0x0000000074910000-0x0000000074EC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads