Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30/05/2024, 01:23
Static task: static1
Behavioral task: behavioral1
- Sample: a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
- Resource: win10v2004-20240508-en
General
- Target: a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
- Size: 12KB
- MD5: ebcdce6deefac15955381a64d77e3e29
- SHA1: 54bbbfca014a2f793d081ca498eec3fac5924c13
- SHA256: a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9
- SHA512: 1913c0b6fbbc161a44c34d59a72e31b96fa73a3d407e0fb3e9d82f8eaaf940ea266a0daf689bdb79e77e53cb2c517c41f1f63ea868c34ad164f1dde51a0a7955
- SSDEEP: 384:8L7li/2zgq2DcEQvdhcJKLTp/NK9xaZF:aEM/Q9cZF
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid: 2552  Process: tmp8161.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid: 2552  Process: tmp8161.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid: 2168  Process: a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid: 2168  Process: a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2168 wrote to memory of 2072 | 2168 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 28
  PID 2168 wrote to memory of 2072 | 2168 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 28
  PID 2168 wrote to memory of 2072 | 2168 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 28
  PID 2168 wrote to memory of 2072 | 2168 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 28
  PID 2072 wrote to memory of 2916 | 2072 | vbc.exe | 30
  PID 2072 wrote to memory of 2916 | 2072 | vbc.exe | 30
  PID 2072 wrote to memory of 2916 | 2072 | vbc.exe | 30
  PID 2072 wrote to memory of 2916 | 2072 | vbc.exe | 30
  PID 2168 wrote to memory of 2552 | 2168 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 31
  PID 2168 wrote to memory of 2552 | 2168 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 31
  PID 2168 wrote to memory of 2552 | 2168 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 31
  PID 2168 wrote to memory of 2552 | 2168 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 31
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe"
  PID: 2168
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mjt1spn1\mjt1spn1.cmdline"
    PID: 2072
    Signatures: Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8527.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6437F59AAFB45D39B96695D7CA826.TMP"
      PID: 2916
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp8161.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8161.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
    PID: 2552
    Signatures: Deletes itself; Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: fc1d2c43471c2cc7def37311b4a7b2dc
  SHA1: 1a56d0ca7ce6ab351ce996e29e96553c23222c8c
  SHA256: 2efb6b83655ba8ef82c59ed2a2dd92e549b4792885b5c84dcaa02f0b11e73b4e
  SHA512: 55a8832a852e11f5538bc479b9a29978d78135bb6d5c72b9fffee69a3033ae6357ea941f42fbfef01fa4975897af312f93322ee3be930e26d3b2cdc166a7abb8
- Filesize: 1KB
  MD5: b253778983896e09c844908ebd46c85d
  SHA1: fd64bb6f8f688db259c9f3d9818842b56f891847
  SHA256: 06b2a98af744b7fac966bc72eb5779422570986fd5da11478ea3d0f6fb99ad93
  SHA512: 3cf2306220f5e2fa7aa9a3d3e1aa82fd00483f16616b050e3caf18ff8ecfa852ce43d18d3da196101256af982d94357a8e2e271a88fe54469c45acd07bc3098c
- Filesize: 2KB
  MD5: 8219bb6e64b6646c82d3822b92d106aa
  SHA1: 794c435b3484631c49863b680845d51bb1742c8e
  SHA256: ca84046ab8ccde446ff4046f9b8a8e5b3e6470ee4c87890c55727acded39c694
  SHA512: 180f22690088ecb3fafd8d4539da1eebd3e4a7bc22e9e9edc20af0d653bd39e4b4265e8b26dfd9c7c2defd00c90abb1c26c13c0d5861a13de929ad792baba14d
- Filesize: 273B
  MD5: 069ceebeff14f7cd0d1342c8e61c211d
  SHA1: eeabbe070785a82bc27ed47f9aaabd4911a7b2b3
  SHA256: 1e136370823200a3bc2253964f9bc5a6fdd5cd6e1499157308a1e90da23d43cf
  SHA512: 9573df164eeb45bb11892046157d42cb40d7c7f7401bc10393b36c12f4c7502ddd0b616bfaa2762712d5cbb07ddb97c0c7e95f9a8a4f177d5f83f112fcc1d49f
- Filesize: 12KB
  MD5: 288cb96b8024af9c1aca56839417ee2f
  SHA1: c0ac51ecce3b69f07bec24ec311802179175c676
  SHA256: a50149b79cc5d8c08d23a230c56a00a3a8bf41478eb5fa069a2a1815626f5476
  SHA512: abcaf2360468e19974d5cd80057c05fd4baf856518ce12f3151d53c9c5cc6e32aa32ce8f6cd5ebb2ad14cbd8a102adc6e5c8283f1958ecaa5b5757da61df2a31
- Filesize: 1KB
  MD5: f1eae47aafeb7535f8b3fa488e286704
  SHA1: 7cadff1686550d9377fb288cd58390cbd4b4bfaa
  SHA256: bbd78bfffa78faf6da1acb6e7bb57109a9ba9a75e7655fa89c94130fb40107ac
  SHA512: 9f53b27818079d45c90d69fa8e248cbe3ab55316b75608422f2d5de697252788bdf805fcdc56c75600a15f2fb6d9b170cd611ab6708947fd547c4a44e8754c40