Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 07-04-2024 19:21
Static task: static1
Behavioral task: behavioral1
  Sample: 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
  Resource: win10v2004-20240226-en
General
Target: 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
Size: 78KB
MD5: 489c28346117bff8775f7bc03e031a01
SHA1: dfa5db753944597180ebff7bd4517ad5f0c5797b
SHA256: 22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd
SHA512: 70a8c4be0af7b41ad2cac2aa46ead0e5fae7142b1c131cfad2945199632c7ee3313e205595c417d35fc241b0ccd9c3d5079e7b482ca6723d877f525d6cd3bf28
SSDEEP: 1536:qCHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtea9/Y1cY:qCHa3Ln7N041Qqhgea9/8
Malware Config
Signatures
Deletes itself (1 IoCs)
  Processes (pid / process):
    2636  tmpCBD.tmp.exe
Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    2636  tmpCBD.tmp.exe
Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
    2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""  tmpCBD.tmp.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
    Token: SeDebugPrivilege  2636  tmpCBD.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 2512 wrote to memory of 1320  2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe  vbc.exe
    PID 2512 wrote to memory of 1320  2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe  vbc.exe
    PID 2512 wrote to memory of 1320  2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe  vbc.exe
    PID 2512 wrote to memory of 1320  2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe  vbc.exe
    PID 1320 wrote to memory of 3012  1320  vbc.exe  cvtres.exe
    PID 1320 wrote to memory of 3012  1320  vbc.exe  cvtres.exe
    PID 1320 wrote to memory of 3012  1320  vbc.exe  cvtres.exe
    PID 1320 wrote to memory of 3012  1320  vbc.exe  cvtres.exe
    PID 2512 wrote to memory of 2636  2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe  tmpCBD.tmp.exe
    PID 2512 wrote to memory of 2636  2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe  tmpCBD.tmp.exe
    PID 2512 wrote to memory of 2636  2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe  tmpCBD.tmp.exe
    PID 2512 wrote to memory of 2636  2512  22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe  tmpCBD.tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe (level 1)
  Command: "C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe"
  PID: 2512
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 2)
    Command: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t8v6dbhs.cmdline"
    PID: 1320
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (level 3)
      Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD99.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD88.tmp"
      PID: 3012
  C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe (level 2)
    Command: "C:\Users\Admin\AppData\Local\Temp\tmpCBD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\22df46f11c1472546378ffd4b69269c8035abcdc34523613c18b0e8bd547c7fd.exe
    PID: 2636
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 8a82b5c613f4d536d8892c7b59cc2a4b
SHA1: 04b9afd567731a192c4c1e7012fa37a39271cfe9
SHA256: 6326889209f179edc4ab7127b66d734b2dae6104d3a3f4ccb3ec3be575be575c
SHA512: d75f11577a77baa41ce7b64331e439a390aa5d0deaac0ad4cf6dd8808db2fd6f3e1e4e659ef68a52f211791a27389a8cbecc0b380f2d6eeac866275342861513

Filesize: 15KB
MD5: b36128e431979e8a1424fdb926e0b8d9
SHA1: 002600b66643f0dd41e1dd3a0d9ba301838ced66
SHA256: c062b72d38097b3c9feaf248f3d5998406830b6cd284d8710f020614463abf4b
SHA512: 3162a27e2f1ea8daaee0850d05226c524ad32c879d72c3fb84334c222fcc01c7adaa16dbc459d14aab9cc33ec53d369b6a6001b81e9cd0b40b56f119e97be585

Filesize: 265B
MD5: e8640abadb0cb8455c4b7bf95c5e5b16
SHA1: d0d6e74af394eeb91b083e0f20d07bd265e07cdf
SHA256: b74dfc71636439e793c2fd52dcee2a9f3df8edd5fac2156d6bc1dff45449d9e2
SHA512: 9b80b79ffc9e60dc29827f2285bc4492428050b1fea86137b667d28798029d6aebedd328194b4d0524760717938132adf04545d8bb6e55f2c453ca0cf07f5442

Filesize: 78KB
MD5: 2f80f9bb07be63199692e00ba35c4eb5
SHA1: 9b6518b4948f9918ec36676835d57af5487a8aae
SHA256: b7be93899a31badbd6c325ef24b4d261cd3a2128e8d6c48146e9192b69c0f36c
SHA512: 5a8307dea52134e196b875fa56764e50e0bcc126eafff8cc36e85bcac64fe5aee7f22306f44735f6843ccb83b024dd318095b55feced35e92e17c7da844cc6f6

Filesize: 660B
MD5: 5283ce8a47c4454a76e1b82de2659e4d
SHA1: d56de127e55ea3562a132783b1c3566ce77dfb23
SHA256: fd1871e35e4d14c0eb4d4809b3d600538ca5e8041275f2ace98265d92f7ba4b9
SHA512: 143888465906427a868df196990b4646ccc4bbcd71fc1e6d349f865e967c96ba4b9e0b50c722530f2d9669e8f25b33fac0a657d658e3fd2c04498939526dcfe2

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65