Analysis
max time kernel: 138s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 03:41
Static task: static1
Behavioral task: behavioral1
  Sample: 96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe
  Resource: win10v2004-20240508-en
General
Target: 96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe
Size: 12KB
MD5: 89b1b2d257aff854463e39c0d28153c0
SHA1: 5831ba6d5404ad10e80c804dce52d3ba85604389
SHA256: 96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d
SHA512: 4d6b446d5ed2a0d9c0f99c34f3f2290a73886ba73ea4cdd1945af1f2a8f08bf7051b15f4bd224b520ac76262eabd2211ff25c718cb99cc47e46c17650628dfc5
SSDEEP: 384:jL7li/2zuq2DcEQvdhcJKLTp/NK9xaEUc:nmM/Q9cxc
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  Process: 96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe
Deletes itself (1 IoC)
  PID 4232, process tmp494E.tmp.exe
Executes dropped EXE (1 IoC)
  PID 4232, process tmp494E.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; PID 4016, process 96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4016 wrote to memory of 4664; process 96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe; procid_target 85 (3 entries)
  PID 4664 wrote to memory of 4420; process vbc.exe; procid_target 88 (3 entries)
  PID 4016 wrote to memory of 4232; process 96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe; procid_target 89 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe"
   PID: 4016
   Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yvxzqk4m\yvxzqk4m.cmdline"
      PID: 4664
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B13.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEE3ADF1A41E84AD2A3A546A99A9FFED1.TMP"
         PID: 4420
   2. C:\Users\Admin\AppData\Local\Temp\tmp494E.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp494E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\96e996b3f1be63ded8f9731feca578cb51ee29aee05c507ea860eb485211f67d.exe
      PID: 4232
      Signatures: Deletes itself; Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads