a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91beba

General

Target

a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe
Size

78KB
MD5

c880c6ce4ebb7d80c8f9d380334aea30
SHA1

fb4e1c560988a663190bede3c3ab0be617de6d34
SHA256

a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91beba
SHA512

2c95a6c25e337eb21a5f291119b3eeaaf58940c99534fbf0ad4eae08f0c8ec4643de0f431d6de6c1e21f27999b2b15fd799dbc6854847fa349a37e34437f1217
SSDEEP

1536:XRCHY6M7t/vZv0kH9gDDtWzYCnJPeoYrGQteV9/K1Q+:XRCHYnh/l0Y9MDYrm7eV9/o

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe

Deletes itself 1 IoCs

pid	Process
4828	tmp7668.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4828	tmp7668.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\""	tmp7668.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7668.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe
Token: SeDebugPrivilege	4828	tmp7668.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4452	4480	a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe	83
PID 4480 wrote to memory of 4452	4480	a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe	83
PID 4480 wrote to memory of 4452	4480	a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe	83
PID 4452 wrote to memory of 4908	4452	vbc.exe	85
PID 4452 wrote to memory of 4908	4452	vbc.exe	85
PID 4452 wrote to memory of 4908	4452	vbc.exe	85
PID 4480 wrote to memory of 4828	4480	a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe	86
PID 4480 wrote to memory of 4828	4480	a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe	86
PID 4480 wrote to memory of 4828	4480	a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe	86

C:\Users\Admin\AppData\Local\Temp\a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe
"C:\Users\Admin\AppData\Local\Temp\a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_-4izblg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES780E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF907633E289F40DDB6F1F6B0AAFCC1F7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4908
- C:\Users\Admin\AppData\Local\Temp\tmp7668.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp7668.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a4b7d24e3a26d9b382d93270599e67d986004d274d85e6dd95c046b29a91bebaN.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES780E.tmp

Filesize
1KB

MD5
47c489b64477ff7b1d0d2158468b6349

SHA1
2ce4a6a66ea7563f425a86f8cffb5dc28f6e053e

SHA256
27a1341c373a0035268299de270de6f4ebfe9b676155ee872952f8f9300a9ae7

SHA512
fc660e5d317cb19b7e1fb2fc3630004d1f8d84b4f95fa97eda46772ffe5ba1d85354247f7d691fa81b2c9a5a23507890d3645e86f5d5e0ef1e14ae65bca3eefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_-4izblg.0.vb

Filesize
15KB

MD5
08586a8715784d14df5e056240263290

SHA1
d19c588be5cd0a7348d030fd5d4908614e8af2fa

SHA256
782cf5257c3c23758ea3a0282c6b8492f706ca89d71dd93f0b80439bcec054bb

SHA512
6ffde07357131ad8e2849beacf4d8bc82702bb69d14676c75ecfeced4e852aaa23a42a6e7c6a8e71e2ba942dfa004f5811a730f390f61fa7570c5616fde71222

Download Submit
C:\Users\Admin\AppData\Local\Temp\_-4izblg.cmdline

Filesize
266B

MD5
e964d84249eb9c6ec1e5b737953eefce

SHA1
50e163e4e640d662b54c11b90bf4dfd15a4f10e3

SHA256
bb3b23c339328e6e93f900e45f0fbac987211a631412a8f41e27ad8bb36f5ad6

SHA512
70a7fb3493b1a02ae0d17679ff35eb2d7d50a368cca881e3fde840d8bede56a404d3a4cc7608475ce976f61ad15a7075dd9f05c5506d4a0eb015f212eade1e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7668.tmp.exe

Filesize
78KB

MD5
aded5d19e6156b43ac596cab5ca58989

SHA1
d61a4847f158231df65ee3ae95e672c6bf31e913

SHA256
6ea9136c2a1c89336620ec1f3fd70baa0c6939c079c675b7b459306baa40f3aa

SHA512
31613f3d24b00aa6cfd097cfbb8fdaf9baab2be4d0e9b7eff32c06fa7d62232a4b6b58a641510a05d3cac2688fd6e47265e2a5f0b1269ca2f651ec3eceef6e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF907633E289F40DDB6F1F6B0AAFCC1F7.TMP

Filesize
660B

MD5
2aabf13998457721660e463fdc902cf1

SHA1
598f638cffd74432a8c00be92bbab931b8891959

SHA256
e12d76e05e8daa30b6b2e98d430d43218846d7d50586bdeb622b83e03b8ae0d0

SHA512
112d6c4556e4960809a4cda22d8982d371460b4796073061ec7eab54e41dcddc225865183a7bf36d5d60102db26ed0391da705fd65d1017f19af175c12b929e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
8b25b4d931908b4c77ce6c3d5b9a2910

SHA1
88b65fd9733484c8f8147dad9d0896918c7e37c7

SHA256
79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

SHA512
6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

Download Submit
memory/4452-18-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4452-9-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4480-2-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4480-1-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4480-0-0x0000000074692000-0x0000000074693000-memory.dmp

Filesize
4KB

Download
memory/4480-22-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4828-23-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4828-24-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4828-26-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4828-27-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download
memory/4828-28-0x0000000074690000-0x0000000074C41000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads