Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 03:14
Static task: static1
Behavioral task: behavioral1
  Sample: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
  Resource: win10v2004-20231215-en
General
Target: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
Size: 78KB
MD5: 3332a2ae097b0d6660aa538c321f856b
SHA1: 4c911806ab593db9555b5417f3148f93aa52d442
SHA256: fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769
SHA512: e702a7001db5dd51b48bde34922d59f6bf0a4247ffacfe450b66a29e18df0d8363680bfb0e38d29f23edbae0bcc8c2090547de8f50c5da9bc4f5b6d06ca05af1
SSDEEP: 1536:4HH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtl9/41fr:4Ha3Ln7N041Qqhgl9/G
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2564  tmpA6C.tmp.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1940  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
    PID 1940  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: tmpA6C.tmp.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 1940  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
    Token: SeDebugPrivilege  PID 2564  tmpA6C.tmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (source PID -> target PID, source process -> target process):
    PID 1940 wrote to memory of 2080  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> vbc.exe
    PID 1940 wrote to memory of 2080  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> vbc.exe
    PID 1940 wrote to memory of 2080  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> vbc.exe
    PID 1940 wrote to memory of 2080  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> vbc.exe
    PID 2080 wrote to memory of 2760  vbc.exe -> cvtres.exe
    PID 2080 wrote to memory of 2760  vbc.exe -> cvtres.exe
    PID 2080 wrote to memory of 2760  vbc.exe -> cvtres.exe
    PID 2080 wrote to memory of 2760  vbc.exe -> cvtres.exe
    PID 1940 wrote to memory of 2564  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> tmpA6C.tmp.exe
    PID 1940 wrote to memory of 2564  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> tmpA6C.tmp.exe
    PID 1940 wrote to memory of 2564  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> tmpA6C.tmp.exe
    PID 1940 wrote to memory of 2564  fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe -> tmpA6C.tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe"
  PID: 1940
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tyuihv_p.cmdline"
      PID: 2080
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB18.tmp"
          PID: 2760
    C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpA6C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fd7e99d561ff9f8d9b03d80b3c11af17ac5fe5ef7427857ead85fb15adaf9769.exe
      PID: 2564
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads