97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f

General

Target

97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
Size

78KB
MD5

4aa46b57e4b1c31ae996afdd8e28f03b
SHA1

0a49f02e2b13a0d06f6133ca05266317c6ea460b
SHA256

97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f
SHA512

7521aa642f56e222be96a7f9dd571684ec41e31a452b18babdde5775b917c32415731f37082941836ab9a9a344f3b1d7e31aa559c2d95f8d048d1e1d21f18bd9
SSDEEP

1536:aPWV5jBpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtd61K9/R/1n+Y:aPWV5j3JywQjDgTLopLwdCFJzmK9/RQY

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe

Deletes itself 1 IoCs

pid	Process
3320	tmpB9BB.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3320	tmpB9BB.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpB9BB.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
Token: SeDebugPrivilege	3320	tmpB9BB.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 868	116	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	82
PID 116 wrote to memory of 868	116	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	82
PID 116 wrote to memory of 868	116	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	82
PID 868 wrote to memory of 528	868	vbc.exe	84
PID 868 wrote to memory of 528	868	vbc.exe	84
PID 868 wrote to memory of 528	868	vbc.exe	84
PID 116 wrote to memory of 3320	116	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	85
PID 116 wrote to memory of 3320	116	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	85
PID 116 wrote to memory of 3320	116	97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe	85

C:\Users\Admin\AppData\Local\Temp\97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
"C:\Users\Admin\AppData\Local\Temp\97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\krfnsm-k.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7F8CFC82922842C195ECE37E867814A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:528
- C:\Users\Admin\AppData\Local\Temp\tmpB9BB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpB9BB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\97d276a8641d4bf8e288de02df79423e315f9635f675e34017d6acda0c28eb3f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBA95.tmp

Filesize
1KB

MD5
cd390f71924026db2af78e5c59d1317f

SHA1
d0cbf6eac366ede10b3c8be66e260ae8dff64bba

SHA256
66633f584ce61edad2a7130b1730812437f58f2075f3d3cd458b037cdf8a91d1

SHA512
58023a365e3e0028382f203db1434456e0ac1af5786b7ea157e467e9e28bb695c9c48cb42cbbc61d6b09e748d857bdeed40bcd62f0c5be2df82dac304a5aa18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\krfnsm-k.0.vb

Filesize
14KB

MD5
31de5f7365adb37f09bb01c696fd30cc

SHA1
c3f5585940773f59b26ca17413c5ff8b45939c27

SHA256
9f432f1ec684d5c482911ab61643a45e190b98ca0b95a95ce8dbfd90ce03291c

SHA512
16628c02009630a2bfb58705111baf7bd5597d78f76d5f37671c3bff643529895cc30a93806ec544256b6a08936f8b67bd7e4fac70ffade2f61f749e2758fd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\krfnsm-k.cmdline

Filesize
266B

MD5
2102e6902d1f9cdd1b2fa3224342a6fb

SHA1
0f61e597f9d9e6a84f8884b37cc1322ea74b0d80

SHA256
48eef92aacc6b4ede4218321d1da53cf83e36d1abf39cccb187462a7ecc02d56

SHA512
144f08860642483bbc983ea4d2abcbdef106500dbc8d8ffd8261a460174644de451865757825ff6b47e9aa318a5847d24a0c14c7b78b50db915cc7f5b7ef75e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9BB.tmp.exe

Filesize
78KB

MD5
4cb3f29e01604edfc2c69ba560260f1e

SHA1
c65c4f3ddb8802a027f62dc6ddf8e8182183c049

SHA256
0f3bcf89fc0b52e9d18db76b24b441279e1264e82e8a335767705235f1f666cf

SHA512
7edf56455c15f3d4097694d0f4ad05eff8c2a5013bdb7e46d9a42f6802065b7896a4e81f93ca27236e7261e65663fe658a4410a6c53f2a5e440ab97d8b5e9402

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7F8CFC82922842C195ECE37E867814A.TMP

Filesize
660B

MD5
1731526fc7d839723dac2aa5a782892e

SHA1
a4df5aa32151240b1ad55111d26de5d87e67ffca

SHA256
4d7a7a081887bb67a801d3ca984d4a32aad17c1fdde484d9fd605a69fac44d80

SHA512
017b4f5aab557eb0051284be50e40eaa45a3f0c7906bf10ca3b080b46c0091933ec96d76e3e25d4bf02064ecb3b7bf9e246630bd52b434e145c9b5205e3d91a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/116-2-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/116-1-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/116-0-0x0000000075522000-0x0000000075523000-memory.dmp

Filesize
4KB

Download
memory/116-22-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/868-8-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/868-18-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3320-23-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3320-24-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3320-25-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3320-26-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3320-27-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3320-28-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3320-29-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download
memory/3320-30-0x0000000075520000-0x0000000075AD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing