f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41

General

Target

A bit Smarter 4.6.1.exe
Size

1.3MB
MD5

7e8236fd0047d8c807d0439b0b77d1d5
SHA1

6a33b3aeab36d5158c7a3dbf1ae306cea1642025
SHA256

f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41
SHA512

04e565721f07201fff2af942279c5fbb523e85d1069ad3188ac4111fa8eaa31b970955882b81bc42364f1978a3032c066cb392a5352628b8f58aaa1e4c62da4e
SSDEEP

24576:SMXAF2jHlk02cIwiW0eKGepqMY8QZaYXhGuWLl/n1DFYkI5:S0IOHlUcti/PGoaXYuAtK

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	A bit Smarter 4.6.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	netprotocol.exe

Executes dropped EXE 2 IoCs

pid	Process
4568	A bit Smarter Public Version.exe
1376	netprotocol.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 4872	1376	netprotocol.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netprotocol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A bit Smarter 4.6.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A bit Smarter Public Version.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4568	A bit Smarter Public Version.exe
4568	A bit Smarter Public Version.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4568	3996	A bit Smarter 4.6.1.exe	86
PID 3996 wrote to memory of 4568	3996	A bit Smarter 4.6.1.exe	86
PID 3996 wrote to memory of 4568	3996	A bit Smarter 4.6.1.exe	86
PID 3996 wrote to memory of 1376	3996	A bit Smarter 4.6.1.exe	88
PID 3996 wrote to memory of 1376	3996	A bit Smarter 4.6.1.exe	88
PID 3996 wrote to memory of 1376	3996	A bit Smarter 4.6.1.exe	88
PID 1376 wrote to memory of 1896	1376	netprotocol.exe	89
PID 1376 wrote to memory of 1896	1376	netprotocol.exe	89
PID 1376 wrote to memory of 1896	1376	netprotocol.exe	89
PID 1896 wrote to memory of 4156	1896	cmd.exe	91
PID 1896 wrote to memory of 4156	1896	cmd.exe	91
PID 1896 wrote to memory of 4156	1896	cmd.exe	91
PID 1376 wrote to memory of 2292	1376	netprotocol.exe	92
PID 1376 wrote to memory of 2292	1376	netprotocol.exe	92
PID 1376 wrote to memory of 2292	1376	netprotocol.exe	92
PID 2292 wrote to memory of 4420	2292	vbc.exe	94
PID 2292 wrote to memory of 4420	2292	vbc.exe	94
PID 2292 wrote to memory of 4420	2292	vbc.exe	94
PID 1376 wrote to memory of 4872	1376	netprotocol.exe	95
PID 1376 wrote to memory of 4872	1376	netprotocol.exe	95
PID 1376 wrote to memory of 4872	1376	netprotocol.exe	95
PID 1376 wrote to memory of 4872	1376	netprotocol.exe	95
PID 1376 wrote to memory of 4872	1376	netprotocol.exe	95
PID 1376 wrote to memory of 4872	1376	netprotocol.exe	95
PID 1376 wrote to memory of 4872	1376	netprotocol.exe	95
PID 1376 wrote to memory of 4872	1376	netprotocol.exe	95

C:\Users\Admin\AppData\Local\Temp\A bit Smarter 4.6.1.exe
"C:\Users\Admin\AppData\Local\Temp\A bit Smarter 4.6.1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe
  "C:\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0d9oc_dz.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB41D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF599FA05198048638694AA4FC57340.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4420
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d9oc_dz.0.vb

Filesize
3KB

MD5
900786350171abc675d131ec7800fcfc

SHA1
ba08346708a18f2007f784145ccc40e109cddcd7

SHA256
3179cb6eb51a8be5bb60cc7b40182cc24db339d7131104b06d2dab0014afcb03

SHA512
20b88b3dcf52bce9ab8a34f7e78db6c54bdefbfa77c54c9c5a06a9ec6b77bf912809b564a1a1a4cac0b98cfccccdb4496d822c12b8cabc3b4861034d33267845

Download Submit
C:\Users\Admin\AppData\Local\Temp\0d9oc_dz.cmdline

Filesize
200B

MD5
e8170eec614b71775d31151a70c8214e

SHA1
781247c63e51dc983131d31081401285eec16ffc

SHA256
93823814d5462824efd91d4f88b29826e1a2cca42e5f7b801eb3ee5b97313a4d

SHA512
2208f85581092eb4548c0bf4ab4a90137f9ee16f450ec00aec580f29645308b55ea9cc6b46b329c1bddcddb88faece681ffa875d12cc1af2ee6689ed4d216d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\A bit Smarter Public Version.exe

Filesize
496KB

MD5
9ab9b5b94fd820b4d1a642bab1c6d667

SHA1
d7cb65462fa1bc213c3c499925b4dae0e6d3c0a9

SHA256
172341e4b37b0555b4ad2def2ad2939f402c80c91ee6a270feb741a8b9379c94

SHA512
160361057f3b4038260f0038e5fab5167b7a12ca1445eb0e0153587e57e6bbf4753b57e1900abf3664851e27961d3b2182a2eb9bde3f7bad32968f6cbf0523bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB41D.tmp

Filesize
1KB

MD5
d805e1fc98893757124a619aa6bf3379

SHA1
1bad86cf89adcba9c25fd873468ebe54a9f806b6

SHA256
370ff7d8e3ab8f14ea423374100c0d943dafc288b7b0e213020b38ef91537dc0

SHA512
f61ae6f587e4a88f6a99af25b337d35b9c9647f7b3abae04b39c1fc1596a7828a5be061d5d2183b0c1f951898f477702d3a73bcd646154ccf8c8da4895f1449d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF599FA05198048638694AA4FC57340.TMP

Filesize
932B

MD5
a4f1b6d3bf61f6ce1983cf7185422302

SHA1
1ed985cc7a181dc850cc34b1e93ae8e78d350255

SHA256
49910004977b290d4e70d3179bae001ecc38ae455f662e05b5a56d4592bc8125

SHA512
bbb184d02e291fadc27547321b386cb7bfc83ebb64cf26f3058f119dd5de1384f1b514415ac88295c9ccc434f68bcf0a7107760e92eeba53ec26ea7a5e583a4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe

Filesize
1.3MB

MD5
7e8236fd0047d8c807d0439b0b77d1d5

SHA1
6a33b3aeab36d5158c7a3dbf1ae306cea1642025

SHA256
f8d5d2a97dcf6dae00ac56d1d8732065af21623a97e081e6518d1e1e878e1c41

SHA512
04e565721f07201fff2af942279c5fbb523e85d1069ad3188ac4111fa8eaa31b970955882b81bc42364f1978a3032c066cb392a5352628b8f58aaa1e4c62da4e

Download Submit
memory/1376-29-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/1376-27-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/1376-28-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3996-26-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3996-0-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/3996-2-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/3996-1-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/4568-14-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/4568-13-0x0000000005FE0000-0x0000000006584000-memory.dmp

Filesize
5.6MB

Download
memory/4568-31-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/4568-12-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/4568-11-0x0000000071D4E000-0x0000000071D4F000-memory.dmp

Filesize
4KB

Download
memory/4872-45-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing