Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27/05/2024, 18:30
Static task: static1

Behavioral task: behavioral1
Sample: 06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe
Resource: win10v2004-20240226-en
General

Target: 06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe
Size: 12KB
MD5: 21cb7e841d8dff22cbd87812e681667f
SHA1: 6b201959421af1b4356763e5fcae1cd8e177b173
SHA256: 06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec
SHA512: 9200471ba6341ddbba67243fd2064bea0767cc30d5003794f287e531280be0a94f30a107c847bbf56e52328b5180efb1052504efcf0f1c1eeb99cb1ee11c084e
SSDEEP: 384:CL7li/2zvq2DcEQvdhcJKLTp/NK9xaQx:cbM/Q9cQx
Malware Config
Signatures
Deletes itself (1 IoC)
pid   Process
2536  tmp1C87.tmp.exe

Executes dropped EXE (1 IoC)
pid   Process
2536  tmp1C87.tmp.exe

Loads dropped DLL (1 IoC)
pid   Process
2136  06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe

Uses the VBS compiler for execution (1 TTP)
Note: the "VBS compiler" here is vbc.exe, the Visual Basic .NET command-line compiler, not a VBScript engine. The process tree below shows it invoked with /noconfig and a .cmdline response file under %TEMP%, which is the invocation pattern of in-process CodeDOM compilation (a running .NET program compiling source to a new assembly at runtime); the follow-on cvtres.exe child is the resource-conversion step of the same compile.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2136  06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Each of the three calls below was recorded four times in the report (3 distinct calls, 12 events in total).
description                       pid   Process                                                                   procid_target
PID 2136 wrote to memory of 2320  2136  06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe  28
PID 2320 wrote to memory of 2584  2320  vbc.exe                                                                   30
PID 2136 wrote to memory of 2536  2136  06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe (PID 2136, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2320, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\khbuodu4\khbuodu4.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2584, depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E0C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6BEBB17E929242009B852A1D383D1CA5.TMP"

  C:\Users\Admin\AppData\Local\Temp\tmp1C87.tmp.exe (PID 2536, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1C87.tmp.exe" C:\Users\Admin\AppData\Local\Temp\06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 6d6f6e3f42f44836003a4e59c6821534
SHA1: 821db764008bddddcf848c15a84717766300fd56
SHA256: cd09ddb9e90f574d8e0eab5e38faea4c5bafc3b99ed55e24d65e8547ec85ade9
SHA512: d6b2a8070c4604b0853ee0045903123b17fb7fc6fba8cacb77cda6a0e169170d951e891ed8c1ef1c63f197a08dd9b2f98e236eb800b3b77adc68ccea9611193c

Filesize: 1KB
MD5: 7037789814c5743ac7b830e65cc5c8d7
SHA1: 7a8490451b4e42b78abfbd7832c8307807a13a15
SHA256: 722b2c9d5b5bce76221b64049233566a87f5ece3d462716455498d8072b70925
SHA512: 113bf91e028d0d4db08dc833c1821a48b46976343c8dd00f31747ffa1b42e8d7cef24b361f420acf30b1a6b0279939bad1b1c3b37643b034947b2dbf53d94a94

Filesize: 2KB
MD5: 3435a517505f78579db858338e9f1502
SHA1: fba6eeacea768366641bfdc3270bfa226276e59e
SHA256: 0adafdf0f6f94dab872a1dc17063c8c6020948fc422fc9ce7191915a7f15fd6c
SHA512: 32b28cc1e91e8ef7e5ab31755c34463b535545902f0dbba9a0dc5ff3f728773a03c1739af9636a47688efe043ef9940dad64f39c8d9db326ee832ba52556cd73

Filesize: 273B
MD5: d9d6b70905a112398aa0ce74fd50b91e
SHA1: e57e377640de000f0aa123825dba1d53757295bc
SHA256: 379ee9b4442eaaa59995013ed2eb8a9aeacaaca1bd55f3b8fd38d4d2c6975f5f
SHA512: 591954c8d61770ce5acfe0ab9a768fc3c43a77a59f5e7be88b036591794f9ba306d79b6bc9fb95c156c56a32a91ad9845e42efb92ce9964e97af2c1e83ad7856

Filesize: 12KB
MD5: 6e5bc10f871fea640ecc4211db63cf24
SHA1: 13ed2a500cd1922982b5fc566dd67da2896d8486
SHA256: 7944e78ec8e0dbb1706bf8665bfeb493b856524bc5d9babe50fd2621048ce685
SHA512: 86d2ea3c43d73e2a413dee288ab2bc496273a6cb6dc77354512c021a95e9f0723fb85c9d03d89db11999c7c326674fe5fe57b09aa641798638b0c4c9456ed5f2

Filesize: 1KB
MD5: 980f39b941a8d439652c491f80f53dfb
SHA1: 7970df85835353d57dc50a99e4ff48153cbd7940
SHA256: 9c1a14a1c206666bf6509251dffe54e234d819116abee3365adc748ae080a2b1
SHA512: 94ce7bfc1e1e5cdcaa0fadb1ce69ad2016ccaadcbd28f6eea1aa3663d3d1b5e0fffffdf88810a6be8085d62dfe930ec59b058026afdce31826ca6703ac52a8af