9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4

General

Target

9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
Size

78KB
MD5

b747158e23a0fea4441da26bf0aa6640
SHA1

f9688cabec432f1f88eb5d1c7f123ad5df1f05f4
SHA256

9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4
SHA512

ab66a528060c7078c2c17b14d8fc32b4ded0d27e7f258fbc08a3147af2242b2f31cd54c6688839352ddd21713e5a20c228bf7a245cfae0d111107fc5f2771f3a
SSDEEP

1536:Je5jSgpJywt04wbje37TazckwzW4UfSqRovPtoY0BQtC6R9/nb1iH:Je5jSeJywQj2TLo4UJuXHhZ9/nm

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe

Executes dropped EXE 1 IoCs

pid	Process
5108	tmp6BCA.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6BCA.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
Token: SeDebugPrivilege	5108	tmp6BCA.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 4172	3608	9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe	83
PID 3608 wrote to memory of 4172	3608	9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe	83
PID 3608 wrote to memory of 4172	3608	9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe	83
PID 4172 wrote to memory of 936	4172	vbc.exe	85
PID 4172 wrote to memory of 936	4172	vbc.exe	85
PID 4172 wrote to memory of 936	4172	vbc.exe	85
PID 3608 wrote to memory of 5108	3608	9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe	86
PID 3608 wrote to memory of 5108	3608	9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe	86
PID 3608 wrote to memory of 5108	3608	9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe	86

C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
"C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oi6to-vh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E3B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDB32D55AA86C427C8EF7777DA2C39ED4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:936
- C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9b7cf938b99a7aa201d4f3955941fcab57d8991de49a3e72150268d74d190de4N.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6E3B.tmp

Filesize
1KB

MD5
79d8952620bf6d0995f99593c375df94

SHA1
4936833786c64491698fcf7605ddde5059388e94

SHA256
90bd4ca85f725de8680141ec1e1ab57027261c4d5e8a89c72744265399aef86f

SHA512
e34a0b07ac491e0c4487cd3782c23a3240507610a34a433497a72fba584236d0ab4eae2112267cb36db81a7456f9166e43604f949d895c4aff0ea64002ad0d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oi6to-vh.0.vb

Filesize
14KB

MD5
d858874e6fedd9dcd36f7782d84304fa

SHA1
82aa28fe8e5acaca1782cb8b66cc40331481f8b1

SHA256
cb1a74e2d2bc97c765246b0e708343423727a14bd90b6321a798770af510bcdd

SHA512
bc44d3f5b32d6508f9e7950a8b872c4f153b133048519f984d8468df07bf7c7f8e5b2714f14f47d5db899baadef3c859fe5f49299f732d9c048a5fd2f5feb390

Download Submit
C:\Users\Admin\AppData\Local\Temp\oi6to-vh.cmdline

Filesize
266B

MD5
d610c8d7dcaa3aeea411cec96e4924c1

SHA1
d5e7e9e626bdd7540f33b63db396eafa92ce874c

SHA256
81b1eae818e434a62b242964a9b54fa26a634190aaba2015438ae0753a746e2e

SHA512
aaa6d50685036c1eeeb6057bbdc9dd768eb733649eef19f209ff11c48c037ff691d20971d621e18348b5611ce5ec8175bad11c71cc1f85f47f4536234eb8274d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BCA.tmp.exe

Filesize
78KB

MD5
98dc8f8e9150e5a85ef5e27e0b8066ca

SHA1
9f3453d995835080d4970a51d4e7998c933ff571

SHA256
66d54a16dd19741c0015b91c929d114f26cda37fa0d95761636acc8dc2ce96aa

SHA512
6d188b42c56b8528d7ca342d05d4a8a0c6c67eec0774a0250567af54fb72c883474d3812ad03dae7dad586d4185e3692f5041b350a0a865c994c6079ff7ef7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDB32D55AA86C427C8EF7777DA2C39ED4.TMP

Filesize
660B

MD5
e9d7619c1d2546e2dab4628ae1f0ea1c

SHA1
29a59d5f2898abdc304d38b31527f231554eab63

SHA256
d1e956b1bfca28ee13b6fe03ee4a5f603b54a6603ddad4a17faacaec5131900c

SHA512
9aa985f1fc3a03b96c7484b8d1a594427cce6ded3f62ec10607349d1a6a2e77c570e27a7b2495c9bcf6224420f8fd78ebd94a9e057d54381c4d96c8a6e51affc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8008b17644b64cea2613d47c30c6e9f4

SHA1
4cd2935358e7a306af6aac6d1c0e495535bd5b32

SHA256
fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55

SHA512
0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

Download Submit
memory/3608-22-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3608-2-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3608-1-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/3608-0-0x0000000074892000-0x0000000074893000-memory.dmp

Filesize
4KB

Download
memory/4172-9-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4172-18-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5108-23-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5108-24-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5108-25-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5108-26-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/5108-27-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing