Analysis

max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-04-2024 00:49
Static task: static1

Behavioral task: behavioral1
  Sample: a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
  Resource: win10v2004-20240226-en
General

Target: a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
Size: 78KB
MD5: cc3ad847921295c623d421afe0aa980d
SHA1: 86e8e13535d6da57e96fe080454ba4b4797e933d
SHA256: a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f
SHA512: 687de735dbf4425c8c6c873a86c3b768f467d0360e81154e0fc202b3dad9526796179016d0b458f2dbfc6ca5a614b95cea9584f9ccd817b8178420eab5f21dd4
SSDEEP: 1536:cHH638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtC9/h1GU:cHa3Ln7N041QqhgC9/v
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  Processes:
    PID   Process
    2724  tmp4B43.tmp.exe

Loads dropped DLL (2 IoCs)
  Processes:
    PID   Process
    2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
    2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
    Process: tmp4B43.tmp.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Description              PID   Process
    Token: SeDebugPrivilege  2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
    Token: SeDebugPrivilege  2724  tmp4B43.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    Description                        PID   Process                                                                  Target process
    PID 2208 wrote to memory of 2736   2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe    vbc.exe
    PID 2208 wrote to memory of 2736   2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe    vbc.exe
    PID 2208 wrote to memory of 2736   2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe    vbc.exe
    PID 2208 wrote to memory of 2736   2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe    vbc.exe
    PID 2736 wrote to memory of 2088   2736  vbc.exe                                                                  cvtres.exe
    PID 2736 wrote to memory of 2088   2736  vbc.exe                                                                  cvtres.exe
    PID 2736 wrote to memory of 2088   2736  vbc.exe                                                                  cvtres.exe
    PID 2736 wrote to memory of 2088   2736  vbc.exe                                                                  cvtres.exe
    PID 2208 wrote to memory of 2724   2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe    tmp4B43.tmp.exe
    PID 2208 wrote to memory of 2724   2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe    tmp4B43.tmp.exe
    PID 2208 wrote to memory of 2724   2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe    tmp4B43.tmp.exe
    PID 2208 wrote to memory of 2724   2208  a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe    tmp4B43.tmp.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe"
  PID: 2208
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lw-jk5w3.cmdline"
    PID: 2736
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D47.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D36.tmp"
      PID: 2088

  Level 2: C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a6aea35c6d136985bbfd76449954d6014c1e6f0f0d73e7e38fb11ae279b26d5f.exe
    PID: 2724
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads