1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2

General

Target

1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe
Size

78KB
MD5

7fdcc3007e44d2843dfc7427df94fe23
SHA1

78c9c85dd9c41c8fc20512af7ad403ab63f3e99d
SHA256

1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2
SHA512

08d7e8bc9f6560d1daba1552419ab53a9d9846af4cc3f5d59543565a39077e03f97ec6b9b94caf81eb825cda7177142321a56448da59503a682f91f21dd91e7a
SSDEEP

1536:7RCHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt/a9/s1Wa:7RCHFo53Ln7N041Qqhg/a9/g

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
43	1972	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Control Panel\International\Geo\Nation	1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe

Executes dropped EXE 1 IoCs

pid	Process
4868	tmp8608.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp8608.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8608.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1696	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe
Token: SeDebugPrivilege	4868	tmp8608.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3788	4932	1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe	87
PID 4932 wrote to memory of 3788	4932	1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe	87
PID 4932 wrote to memory of 3788	4932	1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe	87
PID 3788 wrote to memory of 4828	3788	vbc.exe	90
PID 3788 wrote to memory of 4828	3788	vbc.exe	90
PID 3788 wrote to memory of 4828	3788	vbc.exe	90
PID 4932 wrote to memory of 4868	4932	1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe	92
PID 4932 wrote to memory of 4868	4932	1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe	92
PID 4932 wrote to memory of 4868	4932	1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe	92

C:\Users\Admin\AppData\Local\Temp\1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe
"C:\Users\Admin\AppData\Local\Temp\1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-ofn8in9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86F3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD133699B20F74EB3B0BBFBEB4EAFED6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4828
- C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe" C:\Users\Admin\AppData\Local\Temp\1224ffbca592bf647ce27559e827497a6eaf7c7247f8ac4cd9d3523b08a599a2.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4868

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0I1OUQyODAtNUM1QS00N0IwLTkxOEItNzk4MkVFREI5ODc1fSIgdXNlcmlkPSJ7QjdGNzc5QkItRERCMy00Mjc2LTlGRkQtMkQ0Q0Q1RjhDMDg5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NTk4QkFBQTctM0VBOS00QUZCLTlGMjYtMzI2MjJEOUVCQ0YzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI2IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTk1Nzc0NDA0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-ofn8in9.0.vb

Filesize
15KB

MD5
d64e30efc2b956b5042981c564551206

SHA1
b2ecfa1f41cc34756908cef0e97a38d3ee3fa328

SHA256
a920469c533320d6b1657fa0ac4c7e06afe8eee06b8b07cce3d989a1a666cbc8

SHA512
4494a3230e1ff5fbc47ecbf5f29847d141399cfc54c700b8203b91fb146201cdd9eb8585c4f82a31ace885ced85005da980263324298670a7194e0e89c800546

Download Submit
C:\Users\Admin\AppData\Local\Temp\-ofn8in9.cmdline

Filesize
266B

MD5
5023578c9b8a5858290ff9681fe1258f

SHA1
e0b25b07a42822777cd58d569b257c4307f298af

SHA256
d435cc79848be43bbc1cc793d694f0420228e3655bd83eca733dc210ed6a0094

SHA512
3629d6e987707dde61c4ce569f828637390f75d36c428056fda9080c5f3d79a518c87849252f5c67b1b3ccc18c7995978cbe435d264e034fec8f352a6530c703

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES86F3.tmp

Filesize
1KB

MD5
8fa7b325c691a8cab86711b3fad19a52

SHA1
9518634e0c6d6aacda3e79f742863226578b014e

SHA256
bcc4619ef7c8108f269c3c9143f9f04815f134a658b329c4f7dde5a2a883e26a

SHA512
96dac88b54c6ed0b30a53117e8ebd1f2f57381795b68ec946b25053944a32e3b87014ede524afdca456adebc3b22ef68ab64c57f831da260f1cfa859f1101f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8608.tmp.exe

Filesize
78KB

MD5
0381fd3d3b53841d10adb4c883426eb9

SHA1
d929c135f6061879ada6055435c8cdea408d2e4c

SHA256
1ff3c1d73dbce0fbe0698c9f4ff906d234d5cd4d93d25a3539b6602c3386121f

SHA512
9601b5fed1bf0345171b2950ce292bf924859dbf0526be1e28a516d7dbe10735f5db53009876420bb349524ea0e39ed7ad209f8c0dbf05cf032bcd7608865508

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD133699B20F74EB3B0BBFBEB4EAFED6.TMP

Filesize
660B

MD5
511761bc67de9d7d3c0c13fdb3b1b7f8

SHA1
0957d1eb99b5bc3aa0fad888400bb1ac6a91499f

SHA256
f34d8d467ee3b03fe0430ee6c7d06e5db44a7833590dbef360feffd7033f0e6d

SHA512
7d04d1f35678140ebe25d637a43c247f9f221ebd9d97de0c59e8a639502a3de5ad96af5fd12ce1fd32c82ed436f7ae1b545fc73834a4073b802900c3f798368c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/3788-9-0x0000000073A80000-0x0000000074031000-memory.dmp

Filesize
5.7MB

Download
memory/3788-18-0x0000000073A80000-0x0000000074031000-memory.dmp

Filesize
5.7MB

Download
memory/4868-23-0x0000000073A80000-0x0000000074031000-memory.dmp

Filesize
5.7MB

Download
memory/4868-24-0x0000000073A80000-0x0000000074031000-memory.dmp

Filesize
5.7MB

Download
memory/4868-26-0x0000000073A80000-0x0000000074031000-memory.dmp

Filesize
5.7MB

Download
memory/4868-27-0x0000000073A80000-0x0000000074031000-memory.dmp

Filesize
5.7MB

Download
memory/4868-28-0x0000000073A80000-0x0000000074031000-memory.dmp

Filesize
5.7MB

Download
memory/4932-2-0x0000000073A80000-0x0000000074031000-memory.dmp

Filesize
5.7MB

Download
memory/4932-0-0x0000000073A82000-0x0000000073A83000-memory.dmp

Filesize
4KB

Download
memory/4932-1-0x0000000073A80000-0x0000000074031000-memory.dmp

Filesize
5.7MB

Download
memory/4932-22-0x0000000073A80000-0x0000000074031000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads