Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 03:02
Static task: static1
Behavioral task: behavioral1
  Sample: 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
  Resource: win10v2004-20240426-en
General
Target: 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
Size: 12KB
MD5: 0933031630e50ec92eef7af126b1dd3f
SHA1: d53b767ce9430f0f061a1b943382eac82dfb9664
SHA256: 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83
SHA512: c9f43e5ea9d56e4b937f51d22d89d6cc01b2d2510c326d36f2e37671173ae7e771072819ce91a1bfe7cabdad892d2973097744df64b3335e916d18708b689d3e
SSDEEP: 384:dL7li/2zUq2DcEQvdhcJKLTp/NK9xaqI:NIM/Q9cqI
Malware Config
Signatures
Deletes itself (1 IoCs)
  Processes (pid, process):
    2644 tmp2D58.tmp.exe
Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    2644 tmp2D58.tmp.exe
Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    2128 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
Uses the VBS compiler for execution (1 TTPs)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 2128, 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 2128 wrote to memory of 2476 | 2128 | 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe | vbc.exe
    PID 2128 wrote to memory of 2476 | 2128 | 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe | vbc.exe
    PID 2128 wrote to memory of 2476 | 2128 | 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe | vbc.exe
    PID 2128 wrote to memory of 2476 | 2128 | 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe | vbc.exe
    PID 2476 wrote to memory of 2412 | 2476 | vbc.exe | cvtres.exe
    PID 2476 wrote to memory of 2412 | 2476 | vbc.exe | cvtres.exe
    PID 2476 wrote to memory of 2412 | 2476 | vbc.exe | cvtres.exe
    PID 2476 wrote to memory of 2412 | 2476 | vbc.exe | cvtres.exe
    PID 2128 wrote to memory of 2644 | 2128 | 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe | tmp2D58.tmp.exe
    PID 2128 wrote to memory of 2644 | 2128 | 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe | tmp2D58.tmp.exe
    PID 2128 wrote to memory of 2644 | 2128 | 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe | tmp2D58.tmp.exe
    PID 2128 wrote to memory of 2644 | 2128 | 8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe | tmp2D58.tmp.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe"
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bdwlpskx\bdwlpskx.cmdline"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc867E029284FC4FC5917481A7EE3A1F0.TMP"
   2. C:\Users\Admin\AppData\Local\Temp\tmp2D58.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2D58.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8f8a82ce520c28a685e4261410d53481c3bb6a5790422e84980388feba3c4b83.exe
      - Deletes itself
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Temp\RE.resources
  Filesize: 2KB
  MD5: f77602eeb5dfd8d5331f89b51006957d
  SHA1: 1d3eeddd01c7c1acece87b7d4c2f3ae3ee15d49a
  SHA256: 5159b2149ef7241ac000f83f99020b1b74853f6ad93edfef4bd22341335d6f98
  SHA512: 99a847781f0450b99ff52492aed8c53e45248ff2b8a4a947833a12baebb1b6365506ab5afb2a133466cde7168e39cbfb196510b8b3e0670749301d686dd6b2ab

C:\Users\Admin\AppData\Local\Temp\RES2EED.tmp
  Filesize: 1KB
  MD5: 641a2d629de0984b1b916e3cf2be48bf
  SHA1: e15bab9154e62e08b66273818446dc2ddc59805a
  SHA256: 1a7b0c3a518031e8dc66efe5f7e5d48200c0fdb9e86b2d1263bbbbff3d2e3748
  SHA512: e1122bfc66a3ad1f995ebc6aa38012a2debf99d89dd7331366aaae39ea723ba7d01ddf479745a30aa89a123e67ab0821e398eb6acf9a401c946c55dbea5172ae

C:\Users\Admin\AppData\Local\Temp\bdwlpskx\bdwlpskx.0.vb
  Filesize: 2KB
  MD5: 78688011e7bc26f5b0ecf073d20301a9
  SHA1: c6e054b132eb32b289cca8648d1e309ce55ebb82
  SHA256: a2e10214d5f3563077f786ebd7fc986fba92129384e3635c833d8d29717aded5
  SHA512: 1b465f2774f386d0a0fd0477eca17748dea1ecd22185e7a1e5b59f7155e3e868d8671dfaae0bfa8aa26efa5690285c23fde44cad3d910c3558c5ba56251528c8

C:\Users\Admin\AppData\Local\Temp\bdwlpskx\bdwlpskx.cmdline
  Filesize: 273B
  MD5: 224147f6728c671cf6929c67605ab6cf
  SHA1: f763b2eb6478e2a46a5a38ab8c30b4105bc3d448
  SHA256: b02fb3734f30dfb29a6f7f2ab7b5ea069f8bb6330bf7cddb160e037cffd881f7
  SHA512: d5b2f71e44db406f798fb2cefac7549fe67db14b9c48603ee3ace07f8a31c28c8e403ac58ee8a2a1bfdcc5567e40ff9749ce11cfe2383be7fcaa9c78add1a7d1

C:\Users\Admin\AppData\Local\Temp\tmp2D58.tmp.exe
  Filesize: 12KB
  MD5: 2c2baf1aa49d2c9a6f851045d40c8b63
  SHA1: edc1fdbeaecf252d06d00e213a1a5854116ecccb
  SHA256: 142d6be64fa548060c85cd83fea4fe089aad4fdc3beeb4b67c08b90a748fcfc9
  SHA512: 62549b4e730f951e17b8deba725e9ce69d3ddeacae750810e994e326dd5eb5b6d7801416f71b2bd3a12456471e493b628d64d1e0a3cb69809bf29cec0aadaf77

C:\Users\Admin\AppData\Local\Temp\vbc867E029284FC4FC5917481A7EE3A1F0.TMP
  Filesize: 1KB
  MD5: abb933a2f3f97df8cd7bfe14ca773501
  SHA1: 2e2bec1732e96ad8f99786939a1a7ff2ebdea8ba
  SHA256: fe7e1707558a6e832f37a413ac78f64488f57466c8f77f4602d1cb26a6547024
  SHA512: fbba4c7040b41c2c3026d5ce2c6402014a03a1baa1c3b9ca4fe4c464aba536d2bbe072579335b4942e9e30dbfb8dd0b305012c8c00b1c4cb630bf464ec6de280
memory/2128-0-0x000000007434E000-0x000000007434F000-memory.dmp
  Filesize: 4KB

memory/2128-1-0x0000000000AE0000-0x0000000000AEA000-memory.dmp
  Filesize: 40KB

memory/2128-7-0x0000000074340000-0x0000000074A2E000-memory.dmp
  Filesize: 6.9MB

memory/2128-23-0x0000000074340000-0x0000000074A2E000-memory.dmp
  Filesize: 6.9MB

memory/2644-24-0x0000000000EA0000-0x0000000000EAA000-memory.dmp
  Filesize: 40KB