Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 23:32
Static task: static1
Behavioral task: behavioral1
Sample: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
Resource: win10v2004-20240226-en
General
Target: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
Size: 78KB
MD5: 5c31bc8753446e3b507dbfdee6d9270c
SHA1: 2469bb398e293b0c9be5585272e99837c2138b96
SHA256: 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170
SHA512: 238e63ffb5e7231b968443edb19adc5e396e2ac30f514a52977c64806288170bd40f3d727b02eaf1ab5ddf927997e6d3fa14a263310d69cb46a511c74ca4f966
SSDEEP: 1536:kWV5jS/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6i9/y1Fa:kWV5jSen7N041Qqhg69/j
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  PID 2612 tmp7FC.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  PID 2748 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
  PID 2748 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  tmp7FC.tmp.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege, PID 2748 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
  Token: SeDebugPrivilege, PID 2612 tmp7FC.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID, source process, target PID, target process):
  PID 2748 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe wrote to memory of PID 3040 vbc.exe (4 entries)
  PID 3040 vbc.exe wrote to memory of PID 2104 cvtres.exe (4 entries)
  PID 2748 87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe wrote to memory of PID 2612 tmp7FC.tmp.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe"
  PID: 2748
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\smp-owm7.cmdline"
    PID: 3040
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc889.tmp"
      PID: 2104
  - C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7FC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\87f01bf0a9bcb58861dff18fce3cdca8e62568b03f5bbec49ad6b5b290465170.exe
    PID: 2612
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads