ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8

General

Target

ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
Size

78KB
MD5

25948a6c3218dbfcaae96f2e3c3a14f0
SHA1

f57137bba0e9610dac65f2780f5ffde89f693618
SHA256

ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8
SHA512

d2a3d3d58bae8d1293c4afd7b93253bf2b377043c94740f6720991771ce350a4c448fbbdae9baebd3f4313b97635d3ab9289e94830f3698e07b416b5c7533772
SSDEEP

1536:nsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQts9/R1ss:nsH/3DJywQjDgTLopLwdCFJzs9/l

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe

Deletes itself 1 IoCs

pid	Process
2868	tmp9EC0.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2868	tmp9EC0.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9EC0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
Token: SeDebugPrivilege	2868	tmp9EC0.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2552	2140	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	85
PID 2140 wrote to memory of 2552	2140	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	85
PID 2140 wrote to memory of 2552	2140	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	85
PID 2552 wrote to memory of 2568	2552	vbc.exe	88
PID 2552 wrote to memory of 2568	2552	vbc.exe	88
PID 2552 wrote to memory of 2568	2552	vbc.exe	88
PID 2140 wrote to memory of 2868	2140	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	89
PID 2140 wrote to memory of 2868	2140	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	89
PID 2140 wrote to memory of 2868	2140	ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe	89

C:\Users\Admin\AppData\Local\Temp\ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
"C:\Users\Admin\AppData\Local\Temp\ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mt-huokp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA076.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB5E14BBC28A42879583C428C52DAD7F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
- C:\Users\Admin\AppData\Local\Temp\tmp9EC0.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9EC0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ce9e984a86f425de286533d674207ddc19ca5df723d3dc2a4334b14eaed07aa8N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA076.tmp

Filesize
1KB

MD5
34db7441b79dd50e310dbb8d3c28a978

SHA1
8bf7b685b138761da7ae0d39e49323edf9fbc80d

SHA256
51fea2610b15c7d6d40972e61264d673a818876ecbc5c8b50a5e8d18838ed4ee

SHA512
10a13d68dfa8fa0ee17f76332425a5cb5007606103e8e57061942b72d0796acd1a092bcac50f22b059d134b18abdd29d7aea68fe0138d38afa99a8671530b1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mt-huokp.0.vb

Filesize
15KB

MD5
6135427a2479e41b5ddd1e781f77037c

SHA1
2f6fcf2a9c2d043f5cd4b201955fbfaf5e92a8e9

SHA256
5f82400f247b878b87479604cc7038db316bbbd99839b596200798d0170cce01

SHA512
aa079eb4463eb22eb835ccbb11401318f35f960d34994402083e5477c6f209d9b2b7f7e484e170ea60b79339a957bfdeaa6592730bdaae7543e85b580189b688

Download Submit
C:\Users\Admin\AppData\Local\Temp\mt-huokp.cmdline

Filesize
266B

MD5
eb63ade317276d7ada92e583423f772a

SHA1
e146b0fd9365eeb61bd68184b033529698def773

SHA256
25ffb42cf60e2c3c8dde5f774b6aede5c5a42fd5da5ebbdaa54abdbad7d30fad

SHA512
bdae934a432d751a45b85db94c9f6bfbc26688d577370d8f746673e66b3c01197b98ef5b1d9f5d52d7a292dc9736fe1ca9cb7f0f0c0cf784a841f9e48e2fc4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9EC0.tmp.exe

Filesize
78KB

MD5
fdb15180dd8784926993af3c0fc9dbb7

SHA1
865921d746c20169ad7b644ac4871b1dd8b20d8c

SHA256
97ea9b3871653a7356dc14234b13ed1e8a8e696aefb3f6b895cc8bac544dc298

SHA512
d72abbeb05a4598319497e8f471fb216f0c03264d6d64788518d4ee18740b65a71dbf1df932853b0c94c692e1b7aa1b828c9af007368e6fb29ba640d52d6feee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB5E14BBC28A42879583C428C52DAD7F.TMP

Filesize
660B

MD5
506eee38bf9f482ccdb0bd4f0a7fcfa6

SHA1
140294b0d6195302026931d0d9c8b1af1a896aed

SHA256
8ec902312f8d89c7d659ada0c03862c6e149acd5b5ddb05d2b3320b369f52d24

SHA512
279553ad2abebdef650f9af563d9f1ea5fef5bc5896f00fcac43ecae4ff3d1f96054ede617ab8edee0bb28fb2679f079a1adfeba675b1093f063c14e994f7b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/2140-1-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2140-2-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2140-0-0x0000000074EA2000-0x0000000074EA3000-memory.dmp

Filesize
4KB

Download
memory/2140-22-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2552-8-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2552-18-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2868-24-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2868-23-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2868-25-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2868-26-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2868-27-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2868-28-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2868-29-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download
memory/2868-30-0x0000000074EA0000-0x0000000075451000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing