c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2

General

Target

c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe
Size

12KB
MD5

370487c059ca4121883182b9013fdbe4
SHA1

3041faacb8cd97e60bd753f5e604070759881817
SHA256

c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2
SHA512

9b42847be7f44b84514a9af9210df60ffac350423507637441eae1ffa60a156942803fd8e67a43a16d3556c940a29c061cba5bcfa9150065ff87a560200d6d1c
SSDEEP

384:oL7li/2zyq2DcEQvdfcJKLTp/NK9xaZn:WSMZQ9cZn

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe

Deletes itself 1 IoCs

pid	Process
3124	tmpC814.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3124	tmpC814.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC814.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 3680	1264	c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe	86
PID 1264 wrote to memory of 3680	1264	c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe	86
PID 1264 wrote to memory of 3680	1264	c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe	86
PID 3680 wrote to memory of 4216	3680	vbc.exe	88
PID 3680 wrote to memory of 4216	3680	vbc.exe	88
PID 3680 wrote to memory of 4216	3680	vbc.exe	88
PID 1264 wrote to memory of 3124	1264	c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe	89
PID 1264 wrote to memory of 3124	1264	c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe	89
PID 1264 wrote to memory of 3124	1264	c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe	89

C:\Users\Admin\AppData\Local\Temp\c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe
"C:\Users\Admin\AppData\Local\Temp\c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4lny0koi\4lny0koi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC999.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4210E2531A80442E99EC2A780246E4E.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4216
- C:\Users\Admin\AppData\Local\Temp\tmpC814.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC814.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c1686e5f354a9445bf6ea2aed8ae2a1edf70797f6ba329d7d7fe1100bac0e9c2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4lny0koi\4lny0koi.0.vb

Filesize
2KB

MD5
05df6affd6480dd16113624408509d97

SHA1
36b3b67782376b702b78fbddb805b8e9874bfded

SHA256
c975f7febd0840868da219f5965aa72753725aa389e7d27636fdb7f4556e92e0

SHA512
9a6b66672ba04dc295ae5cf01579c7715500c36208d4f466efc89cc1f6a721b7dbed9e2f497510781695206d6d8b8e48d21722d656100acd7fcd49ac0c193fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4lny0koi\4lny0koi.cmdline

Filesize
273B

MD5
77554bc54a25d973c99c9e318c52e267

SHA1
4b255219149005bbf36b6d6ffeee450592b1fe89

SHA256
14acb327ddc0f858783bbc0efa1a734a028def5041df4c3e97dc95ca6d42fda6

SHA512
6edb5b218133c124c3e954246c651a6507d790bbb51fcc81a76c1d3b42b8ce6bff64192938d5e9dc339f7e760a27352dfccfc504313d22aa76d23b3ac6bfabbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
e358cce51112cded9ca862519874ac9f

SHA1
9bf3b210e5e9a866e3088a6d0b0854a231d40a98

SHA256
cc7223df1cf61d990cf269f0ff602ff54cfdee72c49ebe1a4482e04a782becf4

SHA512
dbb06aec2c25a40783f648322ab44af2c867f129d7502897d4e71aa28a3d493fe9ac27a7333d924a2e0b1776976286d80210ff2b23e4f4be739a76b082a43b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC999.tmp

Filesize
1KB

MD5
49b8caece27c029e5844ca0addf08448

SHA1
c1d680e017b9801c0c0629407db5e0f0f459ff90

SHA256
d066d95c485d6bb609b5f37a2fdca592e675b9e40a010be9c425cb9e01cb4591

SHA512
506d1e63d9df64a3248019658d30d01326106e575f951a0da5c86e60b595bb519b332207762cd90da8e3fb5ea84e35153dbca0e0a5e11358c99a5d19c47be627

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC814.tmp.exe

Filesize
12KB

MD5
52ea8c963c4f95822589873e0683626c

SHA1
93892a6a85af8f17ecab71fc6b4ce17558e09937

SHA256
ac77a0b0554064088ad974bcc06607c94270c0644e9370d7ad83954f6237169c

SHA512
65ed28c8db1f38a82c739cd32f5d9d360239a8f4eff54201653ea2ba7819d0a0ded1f0d96284be2da97dc61b5afb64aadb232a87a0ef0000df92f3dc85d35349

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4210E2531A80442E99EC2A780246E4E.TMP

Filesize
1KB

MD5
614b55a24bc9a669a4b4026d8a60877a

SHA1
55f1ef9d59bdaa6f55629de00ac62e0ece16a02d

SHA256
e6271a363b7a81a000f1f6ff39f494f6bdcca070cdac24f7dd5610b974d35c63

SHA512
ae5ee6f27fbdf199ba6a29412b64cddd2c3468dccfb9a0cd6489cb47c022b5377018c91909f3fff0451025cb4548548ac1af432b48f228871d23e38c65da71b5

Download Submit
memory/1264-8-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1264-2-0x0000000005440000-0x00000000054DC000-memory.dmp

Filesize
624KB

Download
memory/1264-1-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/1264-0-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/1264-24-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3124-25-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/3124-26-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/3124-27-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/3124-28-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/3124-30-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing