Analysis
max time kernel: 142s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/05/2024, 18:30

Static task: static1

Behavioral task: behavioral1
  Sample: 06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe
  Resource: win10v2004-20240226-en
General
Target: 06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe
Size: 12KB
MD5: 21cb7e841d8dff22cbd87812e681667f
SHA1: 6b201959421af1b4356763e5fcae1cd8e177b173
SHA256: 06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec
SHA512: 9200471ba6341ddbba67243fd2064bea0767cc30d5003794f287e531280be0a94f30a107c847bbf56e52328b5180efb1052504efcf0f1c1eeb99cb1ee11c084e
SSDEEP: 384:CL7li/2zvq2DcEQvdhcJKLTp/NK9xaQx:cbM/Q9cQx
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: 06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe

Deletes itself (1 IoC)
  pid: 3228  Process: tmp6F50.tmp.exe

Executes dropped EXE (1 IoC)
  pid: 3228  Process: tmp6F50.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege  pid: 956  Process: 06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 956 wrote to memory of 220     956   06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe   91
  PID 956 wrote to memory of 220     956   06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe   91
  PID 956 wrote to memory of 220     956   06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe   91
  PID 220 wrote to memory of 3288    220   vbc.exe                                                                 95
  PID 220 wrote to memory of 3288    220   vbc.exe                                                                 95
  PID 220 wrote to memory of 3288    220   vbc.exe                                                                 95
  PID 956 wrote to memory of 3228    956   06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe   96
  PID 956 wrote to memory of 3228    956   06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe   96
  PID 956 wrote to memory of 3228    956   06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe   96
Processes

C:\Users\Admin\AppData\Local\Temp\06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:956

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l2lrccfh\l2lrccfh.cmdline"
      - Suspicious use of WriteProcessMemory
      PID:220

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8855.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95BA6CA08DD34040B28C7974DF04288.TMP"
          PID:3288

    C:\Users\Admin\AppData\Local\Temp\tmp6F50.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6F50.tmp.exe" C:\Users\Admin\AppData\Local\Temp\06aa5b00daefd22f99f24d794178a50212fd57a76f7084610af6cf98db766dec.exe
      - Deletes itself
      - Executes dropped EXE
      PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID:2900
Network
MITRE ATT&CK Enterprise v15
Downloads