4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812

General

Target

4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe
Size

78KB
MD5

8c96d33d0a3ee3c6a9e762a87c47a560
SHA1

86976142da1bc564116819699997c4a6f6f86a62
SHA256

4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812
SHA512

8bcefcc9dc38b9ed49b05367def6a10f668681deb31a0690a3516839f8cfb96e1f2337ef0c43f8e5ceecabf0cb9c4837124ea355d2d2ebe8667b07853368d2cb
SSDEEP

1536:8PWV58Vdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC6J49/+k1bf:8PWV58An7N041Qqhgx49/Z

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
71	1848	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Control Panel\International\Geo\Nation	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe

Executes dropped EXE 1 IoCs

pid	Process
1612	tmp883B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp883B.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp883B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1076	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3080	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe
Token: SeDebugPrivilege	1612	tmp883B.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 1348	3080	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	90
PID 3080 wrote to memory of 1348	3080	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	90
PID 3080 wrote to memory of 1348	3080	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	90
PID 1348 wrote to memory of 3012	1348	vbc.exe	92
PID 1348 wrote to memory of 3012	1348	vbc.exe	92
PID 1348 wrote to memory of 3012	1348	vbc.exe	92
PID 3080 wrote to memory of 1612	3080	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	96
PID 3080 wrote to memory of 1612	3080	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	96
PID 3080 wrote to memory of 1612	3080	4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe	96

C:\Users\Admin\AppData\Local\Temp\4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe
"C:\Users\Admin\AppData\Local\Temp\4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\p-diffqu.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8935.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAEF2E069DACB4D489BF1119EA6F5653.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
- C:\Users\Admin\AppData\Local\Temp\tmp883B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp883B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4c19ee3e69b6b0712a37ae8abc2d5f2345e64f7360ee358e0cfa2e470f748812N.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1612

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODg0ODk4OEEtRTVBNy00RjAxLUExQTEtMEEwMjJBNEU0NjRDfSIgdXNlcmlkPSJ7RjExQjg5N0ItMzE0Ni00NzlDLThGNzQtOUI3Qjk1OTEyN0I1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QUQ2ODQxODUtODM1QS00MTUzLUE5ODQtRTFGMDEyMjY4MjJGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTAwOTI1Njc3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8935.tmp

Filesize
1KB

MD5
d013e4537f0d9a40bd02be02ea7b128f

SHA1
df21047766ea82b3656fb822f220b9dcee07f3db

SHA256
166d1c3988bd5fb455cd578d658452959808275eb6ed9816570b71417748e842

SHA512
4debf05129c212a85b84678273f2b5f9fe32ee334bb0be8bcab78a4d542140fd8b5ad40710f293367f576fbb12748c3ed1c755315a3df2bd0175fe2f53e0ea04

Download Submit
C:\Users\Admin\AppData\Local\Temp\p-diffqu.0.vb

Filesize
14KB

MD5
c29e8a3670b19bbc0ace5ed19f2b2f93

SHA1
05c1952e28e8ffb133a83e4a969f82959dc19ad8

SHA256
327614740cbf5e94db96891504b3c7300bfc0e36c77af5b008c0eb1245bd7d7b

SHA512
0b43a95802a0c56065062b49fa0db4abd16ae3b7784b6cee4c16d5125ac30c24aa2ee6f0e8d67b65df7d29c657cd50bbcceb541da572e9f1059e34ec961823c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\p-diffqu.cmdline

Filesize
266B

MD5
979c1377a054c94c34ae16b9ec7d515e

SHA1
078bff60f1669b726ce048e95bd7f0e89e298636

SHA256
9d6ec1165237af529e2b884b7fa6ef01dea402fb5b27539e5e2184d581915a9f

SHA512
45201050668aa4cd5416075edae21aa62fd36dd841205f55c53a2ea77718264be30ba85ba77ba998773503924b901570638fedfa189ecc54aaaa7e7afac4d54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp883B.tmp.exe

Filesize
78KB

MD5
15219241a21cedb45f0352dadc243b66

SHA1
24e968f864fbef5def04a71b1bf12125ca8077ce

SHA256
5865026d11197ebab56418d71f91ddd1050456e7ff300c992cae9343d61a5ddf

SHA512
2dc466c9fca6a6bbeb446dfea246230330641ad3e34d19ed94043dd2660696781c699be1347d929d6f66cf304c602cade326e24df30bfcbba4d14070b732430b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAEF2E069DACB4D489BF1119EA6F5653.TMP

Filesize
660B

MD5
a241418e4d39831b5a54055de78c0f75

SHA1
a8387c421b498608fc6511492f7a9b23bcda2605

SHA256
f3bbde54e0bc1dc58e7a81c3292b2f2c59e89661b303280be919035d9cd7db16

SHA512
461b9349d66523ed94e665314e0f95988362a703a7b6c0d525a967e0012c7351ef9da0b0acb30a50e2e8ead636c47cbd98bc99e2f17330326d03b37bbf358cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1348-9-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/1348-18-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/1612-23-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/1612-24-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/1612-26-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/1612-27-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/1612-28-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/3080-2-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/3080-0-0x0000000073DB2000-0x0000000073DB3000-memory.dmp

Filesize
4KB

Download
memory/3080-1-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download
memory/3080-22-0x0000000073DB0000-0x0000000074361000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads