Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 02:46
Static task: static1
Behavioral task: behavioral1
Sample: aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe
Resource: win10v2004-20240508-en
(The signatures and process tree below come from the win10v2004-20240508-en run, behavioral2.)
General
Target: aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe
Size: 12KB
MD5: a6c72fa59cc5bab41b7ae6d0b4b5c1be
SHA1: 796a496a1b1b4d1be2b3f6a4b1050760eac62036
SHA256: aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764
SHA512: 836e33e23ed324641d4a7ff9739f43574f8108bbbda30759bf4489ff1da30dd70aba4a45f915d7e105beb42d7bfeba00da8a39b89ec8aacb6ee8467636637cda
SSDEEP: 384:fL7li/2zyq2DcEQvdQcJKLTp/NK9xaLYIj:TaMCQ9ckIj
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process: aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe)
- Deletes itself (1 IoC)
  PID 868, tmp58EE.tmp.exe. The dropped helper is launched with the original sample's path as its only argument (see Processes), consistent with it removing the original binary on the sample's behalf.
- Executes dropped EXE (1 IoC)
  PID 868, tmp58EE.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
  vbc.exe under Microsoft.NET\Framework\v4.0.30319 is the Visual Basic .NET command-line compiler, not a VBScript engine. The sample hands it a response file (@nuihzoce.cmdline) in Temp, so source is compiled at runtime, with cvtres.exe invoked for the resource object. Legitimate software does compile through CodeDOM at runtime, but a compiler whose parent runs out of a user Temp directory is a strong hunting pivot.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3320, aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3320 wrote to memory of 3856, process aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe, procid_target 86 (3 entries)
  PID 3856 wrote to memory of 1716, process vbc.exe, procid_target 88 (3 entries)
  PID 3320 wrote to memory of 868, process aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe, procid_target 91 (3 entries)
  These line up with the three process creations in the tree (vbc.exe, cvtres.exe, tmp58EE.tmp.exe). A parent writing into a child it has just created is normal CreateProcess behaviour, so on their own these entries are not evidence of injection; the process tree, not this signature, is the indicator here.
Processes
C:\Users\Admin\AppData\Local\Temp\aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe (PID 3320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 3856, parent 3320)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nuihzoce\nuihzoce.cmdline"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1716, parent 3856)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1DC92E64ABA64E35A954B477EF1C6B.TMP"
  C:\Users\Admin\AppData\Local\Temp\tmp58EE.tmp.exe (PID 868, parent 3320)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp58EE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe
    - Deletes itself
    - Executes dropped EXE
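The process tree above is the most useful part of this report for detection engineering: a Temp-resident binary drives the .NET compiler, cvtres.exe follows as the resource step, and a second Temp-resident executable is started with the parent's own path as its argument. The following is an added example, not part of the sandbox report and not any vendor's rule set. It encodes those three links as rules over Sysmon Event ID 1 style records (ProcessId, ParentProcessId, Image, CommandLine) and runs them over events constructed by hand from the tree above; the parent PID 4000 and the MSBuild/csc.exe control events are hypothetical, added so a benign compiler invocation is shown not to fire.

```python
"""Process-tree detection for the runtime-compile / self-delete chain in this report.

Added example, not part of the sandbox report or of any vendor's rule set. Events are
constructed by hand from the report's process tree (PIDs 3320, 3856, 1716, 868); the
parent PID 4000 and the MSBuild/csc.exe control events are hypothetical.
"""
import ntpath
import re
from dataclasses import dataclass

DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
# User-writable temp directory, where both the sample and its dropped helper run from.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# Compiler response file passed as @"path\x.cmdline" (quotes optional).
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aea427c70191d19f294d3cbb9f86bd853b7d6bfa17616cee0147e5b79f9ff764.exe"
FX = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events mirroring the report's tree; a real deployment reads these from Sysmon/EDR.
EVENTS = [
    ProcEvent(3320, 4000, SAMPLE, f'"{SAMPLE}"'),  # ppid 4000 is hypothetical
    ProcEvent(3856, 3320, FX + r"\vbc.exe",
              f'"{FX}\\vbc.exe" /noconfig @"{TEMP}\\nuihzoce\\nuihzoce.cmdline"'),
    ProcEvent(1716, 3856, FX + r"\cvtres.exe",
              f'{FX}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RES5AC2.tmp" '
              f'"{TEMP}\\vbc1DC92E64ABA64E35A954B477EF1C6B.TMP"'),
    ProcEvent(868, 3320, TEMP + r"\tmp58EE.tmp.exe",
              f'"{TEMP}\\tmp58EE.tmp.exe" {SAMPLE}'),
    # Hypothetical benign control: a build tool outside Temp driving csc.exe must not fire.
    ProcEvent(5000, 4000, r"C:\Program Files\dotnet\MSBuild.exe", r'"C:\Program Files\dotnet\MSBuild.exe"'),
    ProcEvent(5001, 5000, FX + r"\csc.exe", f'"{FX}\\csc.exe" /noconfig @"C:\\proj\\obj\\build.cmdline"'),
]


def detect(events):
    """Return (rule, pid, parent_pid, detail) tuples for each link of the chain found."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Rule 1: .NET command-line compiler spawned by a binary living in a user Temp
        # directory. The @x.cmdline response file names the dropped source being compiled.
        if e.name in DOTNET_COMPILERS and TEMP_DIR_RE.search(parent.image):
            m = RESPONSE_FILE_RE.search(e.cmdline)
            findings.append(("runtime_compile", e.pid, parent.pid, m.group(1) if m else None))
        # Rule 2: cvtres.exe under a compiler whose own parent is in Temp: the resource
        # step of the same build; low severity alone, useful to tie the chain together.
        if e.name == "cvtres.exe" and parent.name in DOTNET_COMPILERS:
            grandparent = by_pid.get(parent.ppid)
            if grandparent is not None and TEMP_DIR_RE.search(grandparent.image):
                findings.append(("compile_chain_cvtres", e.pid, parent.pid, None))
        # Rule 3: a different Temp-dir executable started by a Temp-dir parent with the
        # parent's own image path on its command line: the self-delete helper pattern.
        if (TEMP_DIR_RE.search(e.image) and TEMP_DIR_RE.search(parent.image)
                and e.image.lower() != parent.image.lower()
                and parent.image.lower() in e.cmdline.lower()):
            findings.append(("self_delete_helper", e.pid, parent.pid, parent.image))
    return findings


if __name__ == "__main__":
    for rule, pid, ppid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid} parent={ppid} {detail or ''}")
```

Run stand-alone it reports the three links (vbc.exe under PID 3320, cvtres.exe under 3856, tmp58EE.tmp.exe under 3320 carrying the sample's path) and nothing for the MSBuild-driven csc.exe. Rule 1 is keyed on the parent's location rather than on the compiler alone because CodeDOM-based runtime compilation is common in legitimate .NET software; rule 3 is the one that survives a change of compiler, since a helper started with its parent's path is the tell regardless of how the helper was produced.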
Network
MITRE ATT&CK Enterprise v15
Downloads (hashes only; the report gives no file names)
File 1
Filesize: 2KB
MD5: 71b7df11cb5d2142da017bd1c19f1910
SHA1: 9f19afb7ddace40f88abdd6caba3c962cd55ace0
SHA256: 533a7a2285c070e7f0d6b6231fa828140ef0659205ec287dd8300eb3cfcc06f7
SHA512: cde7bdc76393b8a0a0579268a661ea465f1f9e748a5535dbaa11d52fccc798c30e346021f26878b6102d56d0f4f4034c3ae2ff490b3df9bf70b7dd9c2e4658a2
File 2
Filesize: 1KB
MD5: 9f21ed57923d4f1fdab58571b7e1b8ef
SHA1: 0aff55f723c762fe178346db6f7645bc44cf663f
SHA256: ebdf50cd80a9b6b31eebf0efa955fad423a0a2684501143e60058a7dfde92886
SHA512: 27189a1c302edfa507e7a061594051c2b066a90b24ca1b16c6044f270c736e5d5837b3ad6bc4b2ff017099df63b66622a79c92e45c78a74498adcc8e993f23ff
File 3
Filesize: 2KB
MD5: dc33e80a3a777c6747787ae44bf67456
SHA1: 921489cfe33408b6ea09284765f9c161eb321541
SHA256: 93a9d5527b695a7a3b13c5fac9a17beddce08907f41b3c5cb9d0517351c5658b
SHA512: 1bdd72c5f229df503239b67ca61a393eabaf674eeb5601fb5a7dc0e38c28cac47ae1f66b809f8fbec955b17ef684bec974919e2605b1258ed92e67ed79d8c101
File 4
Filesize: 273B
MD5: a047d6799a1010b42b7edbf3dbb3b612
SHA1: 9edb16a385b50fd23ef10c5f75235baff89cdecf
SHA256: 36c4dbf87510e15a3328ddb2e6aac5c49a920dbb09f6844e442d84e70732e108
SHA512: 6a8383bd45837d1adcd748f3f1bb7a941556ecfecfbd5606b53b6b32801f19998d8649c57ce4083e4c5a5eaf4aba071f29fc3a677725058c1ab7ec44ba033a47
File 5
Filesize: 12KB
MD5: fe0c9fbae32e4e84da64f4f87667bd37
SHA1: 77ee4013c4c94809a2510d31f45fd3223afab916
SHA256: 262a7d116dc126d7ad25a737930b59c727465b7bcdf00ec7013117f0820837b6
SHA512: 998d3c738b638518632ca5dbb17bab0f4aeeea2497048fa996ffa6769c26479e9b4563697021d254b9ca620c93756f1a6e9eba980030ba32cc8ccfc3f4a4d49a
File 6
Filesize: 1KB
MD5: f96339fe087cb9669af295685c7d2624
SHA1: b80ede571eabace7b510450c1c709afb87017382
SHA256: e5eef5f4607f1da44d625b9bf3b61c653415ba1d4ac61133793ef21ed4550a6f
SHA512: 0e89a3cf0b334f3baaf41f687894e8ffb4765b02f29cfba115009ce9b79092ce5ecba025b308f0c12b8777111bf23af6dc014e7eed3f0eeaa1cd9e3790d75d3a