Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-04-2024 18:44
Static task: static1
Behavioral task: behavioral1
- Sample: 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe
- Resource: win10v2004-20240412-en
General
- Target: 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe
- Size: 12KB
- MD5: ca5d26edf6e7ff89481ea62dc2caeb8e
- SHA1: 9a7b87ca52c33290b3ba82be0d7d35285efe2fa0
- SHA256: 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212
- SHA512: 52dc39dfda468124e206459d80bc6acaefd6d98b7b3858f0ed4c82566e590d98a11913f079166a517ebe41e7618f0946de29518dd163d86b3e8fdaf88292c1cb
- SSDEEP: 384:PL7li/2z9q2DcEQvdhcJKLTp/NK9xajx:jFM/Q9cjx
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2412 | Process tmp1546.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid 2412 | Process tmp1546.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid 2012 | Process 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege | pid 2012 | Process 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2012 wrote to memory of 1984 | 2012 | 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe | 28
  PID 2012 wrote to memory of 1984 | 2012 | 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe | 28
  PID 2012 wrote to memory of 1984 | 2012 | 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe | 28
  PID 2012 wrote to memory of 1984 | 2012 | 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe | 28
  PID 1984 wrote to memory of 2624 | 1984 | vbc.exe | 30
  PID 1984 wrote to memory of 2624 | 1984 | vbc.exe | 30
  PID 1984 wrote to memory of 2624 | 1984 | vbc.exe | 30
  PID 1984 wrote to memory of 2624 | 1984 | vbc.exe | 30
  PID 2012 wrote to memory of 2412 | 2012 | 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe | 31
  PID 2012 wrote to memory of 2412 | 2012 | 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe | 31
  PID 2012 wrote to memory of 2412 | 2012 | 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe | 31
  PID 2012 wrote to memory of 2412 | 2012 | 0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe"
  PID: 2012
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\skpfcb24\skpfcb24.cmdline"
    PID: 1984
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES164E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CBAB04DA6E458B8DAC2520CFE0AF35.TMP"
      PID: 2624
  - C:\Users\Admin\AppData\Local\Temp\tmp1546.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1546.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0f70aa47920eb58a085566a176585556aa8ba7a20093a8eae021f643e775b212.exe
    PID: 2412
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 365c7983475eed51e845803d1ecbafa5
  SHA1: 2e342c8cf7fecd9d7e3d17d92754b19ddf388ba1
  SHA256: 786353305c82c899892470576e29f2e861f4fbf3003fcfcce3826f41f327144b
  SHA512: ee228bfb2b1f8f1fa1fd53d919a51dff18bd6b9d706664fcc014e3af5387da1818a15e4d9e83fe51ba8ad0237155366c5b057a8ec941c92afd4a3360c12a20cb
- Filesize: 1KB
  MD5: 4f732ac14ca3402f5e80e77bc0bc1927
  SHA1: 1d1095e68116e4e83ddf77539e0b1bbc2f6faa1d
  SHA256: 96eca81365012053d2a2692b5c636430bee739d2e3e12e84ca8029dd914742d3
  SHA512: 1fb728b365b68e9aacb7112256cbe37b4718f444f7c61ac7853227da4faa1fa701fca11a8d23ea76ca54f02badc3d67e450ba96b808d3a25d143b831e85c01b4
- Filesize: 2KB
  MD5: b5696ca4a5e64b6afaf74d1afb70ebe7
  SHA1: dbede78edfe198811eb35a9f9ce0c4c3e98e2120
  SHA256: dec6a25bc98b00894a298e84423e614bb8b453859c2a3eec5caadd8cf8902a56
  SHA512: 451713d9330374c8f1a7fd4bc65b1ed09b8d1b453840e1b570ae45fd4a1c09ad62b0d29af163498d4320c6b9e75c51ce92f7842ceff8d35e790e1ea4977bce99
- Filesize: 273B
  MD5: 998b1970b49e85cb8842aefc648a76dd
  SHA1: c12915cd68808bed3a629dbe2e728f0e56e077d4
  SHA256: 9a11aeeb7b03e44c8f725198168077d3e083d8d2707816c95dc2bdaa4f0935ab
  SHA512: 8e1ee3db169bad8de54918e82d63c8aac6b319ce6b7d6edf54fcba6f3b2f41e80375c95fe2992bf01e87bbe2ac4f5293f6cd0a18707ad6f3ca6b0fcf9c52b596
- Filesize: 12KB
  MD5: e2258249359c85915df3e92b9c44dd4b
  SHA1: 59a1be489ea8a258333947602bb5291bc666e352
  SHA256: 28c75f9bdc155e6edee46058bf05db932bea61dd6a1ad2d053a8599e55cdb3c8
  SHA512: 69c8fffe7d3cfa66e719d4520979031a2ac5b80033df3deea71f9fe2da5855cb3b53892d5a54e7f327c0c9b55ac40fe30d4c5b9cec50c568c1381a5d74af17ae
- Filesize: 1KB
  MD5: d0838b02133c5f00826f45d8cc992b27
  SHA1: d7cb8ce68655cc9e8692008fae01f15379e4c0b9
  SHA256: a8f4b029246fff9bba073c3b548b5b8c6e6cb765aac786e50fe633da8be3ab21
  SHA512: 22c335d1f2884b3906b342371dbb44187c77dbaa24d59c670de270bab323bd36a7df36fc69a111b29bf159d2cbb91c47ccf389292e26c6a05ce0c8ec05ee6a07