420a5004a5f028905a474aea0c2e3e3bfd98cad9b233658d880e01bbdc15312b

General

Target

db642359fcba9d7062e6275c8eb735d0N.exe
Size

12KB
MD5

db642359fcba9d7062e6275c8eb735d0
SHA1

eca52bb2380c54a0f7a6e2a55fe10d1bf1e5c026
SHA256

420a5004a5f028905a474aea0c2e3e3bfd98cad9b233658d880e01bbdc15312b
SHA512

4f3068cc376db1a39681634756a3b18f81c6287779a090cb0123605f18afac42d1cb33191ae54b6179beee2933063305bf2bce1c099f63baf8044c12ee4b948c
SSDEEP

384:qL7li/2ziq2DcEQvdQcJKLTp/NK9xaym:06MCQ9cym

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	db642359fcba9d7062e6275c8eb735d0N.exe

Deletes itself 1 IoCs

pid	Process
2608	tmp55BF.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2608	tmp55BF.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp55BF.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db642359fcba9d7062e6275c8eb735d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4584	db642359fcba9d7062e6275c8eb735d0N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 2732	4584	db642359fcba9d7062e6275c8eb735d0N.exe	87
PID 4584 wrote to memory of 2732	4584	db642359fcba9d7062e6275c8eb735d0N.exe	87
PID 4584 wrote to memory of 2732	4584	db642359fcba9d7062e6275c8eb735d0N.exe	87
PID 2732 wrote to memory of 3440	2732	vbc.exe	89
PID 2732 wrote to memory of 3440	2732	vbc.exe	89
PID 2732 wrote to memory of 3440	2732	vbc.exe	89
PID 4584 wrote to memory of 2608	4584	db642359fcba9d7062e6275c8eb735d0N.exe	90
PID 4584 wrote to memory of 2608	4584	db642359fcba9d7062e6275c8eb735d0N.exe	90
PID 4584 wrote to memory of 2608	4584	db642359fcba9d7062e6275c8eb735d0N.exe	90

C:\Users\Admin\AppData\Local\Temp\db642359fcba9d7062e6275c8eb735d0N.exe
"C:\Users\Admin\AppData\Local\Temp\db642359fcba9d7062e6275c8eb735d0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\10cwwmjy\10cwwmjy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5735.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF37DDF09D64F404F94AFE44ED47AE8B.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3440
- C:\Users\Admin\AppData\Local\Temp\tmp55BF.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp55BF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\db642359fcba9d7062e6275c8eb735d0N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10cwwmjy\10cwwmjy.0.vb

Filesize
2KB

MD5
14cf0578bdd5ab16e00aa9431b9c6145

SHA1
aaf1a6a727cbece21ea6c278a76c06d9ec74a769

SHA256
2fa3f44b89dfa38717126180b73ae6a75cfd001b21dfb4b4e68caa0a366823ba

SHA512
6e639029e304ca696c5c168b8c770b1b2477b0b36f40925c01b8c2e91f6ccbd22ae0c412364f46a2c41b6f5cd9cf559732a695f188a1dfb3a6b358946dc4cc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\10cwwmjy\10cwwmjy.cmdline

Filesize
273B

MD5
5009080258b8e95fc426bdeda7adc591

SHA1
c612001312f8159acaee4f7243fc3822bb0455b0

SHA256
258a2e9195623c9efa2c54de9ff0d085f2166d1cf422c1f5c96a619d53d5a17e

SHA512
2e495ff2679fbe49cf31d164191737703ecdee6c25309b896106aaabee1fee39e8cee53e6ca9640361bcbb8430992fe6bf4cb9d0954dfc86e9141d729a7d4417

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
f19f5ce9c87c70da42142ed0b679042b

SHA1
e45cc034e49bad4d5ab4c224136f91bd4e7e68f9

SHA256
f52ca886b0683401e9e64c379f0a951c615ed5feedecc7f92088b7d5e08cc139

SHA512
5e87d087a4d1c8591107c58d93d47ec79d3221622ca48011204259c020f1b08d61e799014f87f7cc218d0b5fd9cb5128da93d04ddd3f3c7d04ad9c695a743a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5735.tmp

Filesize
1KB

MD5
f3b1ebdf404a3c38760904534b1b5cdb

SHA1
6a4ab601b0d30021168b00f2ca931d549299e8ad

SHA256
f22ec5954c5f84c5ad0e161c33c7c6dcfea7eeba205e6b951675c9935cb3c1c8

SHA512
bc24ca6e1f102400f65876667f00dce242e9e986ddcb549b2194e1dfdcb6e51f5610847dd5dad8f27631d1adb688aeb98e130398a6ebb6fee9c636842fb02cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp55BF.tmp.exe

Filesize
12KB

MD5
d821c501f7eaf3b1e5ec2ddde2f64bfb

SHA1
e5d146fd6a30fb6fc3273776d5bd8e1aedf133a1

SHA256
5561f3ffcb46d94ffd308e90a37831472a559ad689c921324b9a9f5ad8bfebc3

SHA512
31993e328c6c0283896c33ad267ae1ff5bf6d52ef4437a6ba73465686b3c2c6e1045b5a565187a86d5fd55459218d618325a49d27610e52852a4b26eef6bdd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF37DDF09D64F404F94AFE44ED47AE8B.TMP

Filesize
1KB

MD5
9315e1341d008897677098c391d140cd

SHA1
e6e4f10e43539d41067df7e001a06ddcc8c47b46

SHA256
840e14f3b544c32a68e2043d0efb565843671e0ba295d666d9b5c7e78a33e415

SHA512
e11899d71a422172b7215aeb6384ad07a825ace7c1fecc9e28b1efc9c54ca4698fbcbbc4d643d6cc937ea17f8b53361c19cd4588ad42f71f6e0d227ae824f083

Download Submit
memory/2608-24-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/2608-25-0x00000000000A0000-0x00000000000AA000-memory.dmp

Filesize
40KB

Download
memory/2608-27-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/2608-28-0x0000000004A00000-0x0000000004A92000-memory.dmp

Filesize
584KB

Download
memory/2608-30-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4584-8-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/4584-2-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/4584-1-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/4584-0-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/4584-26-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing