Analysis
max time kernel: 132s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/05/2024, 01:23

Static task: static1
Behavioral task: behavioral1
  Sample: a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
  Resource: win10v2004-20240508-en
General
Target: a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
Size: 12KB
MD5: ebcdce6deefac15955381a64d77e3e29
SHA1: 54bbbfca014a2f793d081ca498eec3fac5924c13
SHA256: a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9
SHA512: 1913c0b6fbbc161a44c34d59a72e31b96fa73a3d407e0fb3e9d82f8eaaf940ea266a0daf689bdb79e77e53cb2c517c41f1f63ea868c34ad164f1dde51a0a7955
SSDEEP: 384:8L7li/2zgq2DcEQvdhcJKLTp/NK9xaZF:aEM/Q9cZF
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
- Deletes itself (1 IoC)
  pid | Process
  756 | tmpF02D.tmp.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  756 | tmpF02D.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
  No IoC table is given for this signature; the evidence is in the process list below, where the sample launches vbc.exe with a .cmdline response file under the user's Temp directory and vbc.exe in turn runs cvtres.exe, i.e. a PE is compiled at runtime rather than carried in the 12KB sample.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 216 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 216 wrote to memory of 4640 | 216 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 95
  PID 216 wrote to memory of 4640 | 216 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 95
  PID 216 wrote to memory of 4640 | 216 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 95
  PID 4640 wrote to memory of 3048 | 4640 | vbc.exe | 99
  PID 4640 wrote to memory of 3048 | 4640 | vbc.exe | 99
  PID 4640 wrote to memory of 3048 | 4640 | vbc.exe | 99
  PID 216 wrote to memory of 756 | 216 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 100
  PID 216 wrote to memory of 756 | 216 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 100
  PID 216 wrote to memory of 756 | 216 | a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe | 100
Processes
- C:\Users\Admin\AppData\Local\Temp\a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe (PID 216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe"
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 4640)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f5zd0wql\f5zd0wql.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 3048)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF211.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB576C2ACE714992B538EFCEBC653C83.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmpF02D.tmp.exe (PID 756)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF02D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe
    Signatures: Deletes itself; Executes dropped EXE
    (The dropped binary is started with the original sample's path as its only argument, which is consistent with the "Deletes itself" signature: the child removes the parent once it has exited.)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4008; separate top-level process, not a child of the sample)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
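Detection logic for the chain in the process list above (sample -> vbc.exe with a %TEMP% response file -> cvtres.exe, plus a sibling tmp*.exe launched from %TEMP% with the sample's own path as argument), as an added example that is not part of the report and not the sandbox's own signature code. It runs over constructed process-creation events modelled on the tree: PIDs, images and command lines of the four sample-related processes are taken from the report, while the event layout, the parent PIDs of the sample and of msedge.exe, and the benign build-style vbc.exe run are assumptions. It generalizes slightly beyond the page by also matching csc.exe, the C# compiler that the same CodeDOM compile-at-runtime mechanism uses.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 or an EDR equivalent).
    The four-field layout is an assumption, not the report's format."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Managed-code compilers that CodeDOM-style droppers drive with a response file.
# vbc.exe is what the report shows; csc.exe is the C# compiler used the same way.
COMPILERS = {"vbc.exe", "csc.exe"}
RESPONSE_FILE_RE = re.compile(r'/noconfig\s+@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_runtime_compile_chains(events):
    """One finding per compiler launch whose response file lives under a user's Temp directory.

    A finding records: the parent process, whether cvtres.exe ran under the compiler
    (resources were linked, so a real PE was produced), any sibling .exe the same parent
    launched from Temp, and whether that sibling received the parent's own path on its
    command line (the self-delete handoff seen in the report).
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for comp in events:
        if basename(comp.image) not in COMPILERS:
            continue
        m = RESPONSE_FILE_RE.search(comp.cmdline)
        if not m or not USER_TEMP_RE.search(m.group(1)):
            continue  # response file in a project/obj directory: a normal build, not a drop
        parent = by_pid.get(comp.ppid)
        if parent is None:
            continue  # parent not in the window of events we were given
        finding = {
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "compiler_pid": comp.pid,
            "response_file": m.group(1),
            "cvtres": any(basename(c.image) == "cvtres.exe" for c in children.get(comp.pid, [])),
            "dropped_exe": None,
            "self_delete_handoff": False,
        }
        for sib in children.get(parent.pid, []):
            if sib.pid == comp.pid or not sib.image.lower().endswith(".exe"):
                continue
            if USER_TEMP_RE.search(sib.image):
                finding["dropped_exe"] = sib.image
                finding["self_delete_handoff"] = parent.image.lower() in sib.cmdline.lower()
        findings.append(finding)
    return findings


# Constructed events modelled on the report's process tree. PIDs, images and command
# lines of the sample, vbc.exe, cvtres.exe and tmpF02D.tmp.exe are taken from the report;
# the parent PIDs 3100 and 3900 and the benign build-style vbc.exe run are made up.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE = TEMP + r"\a85a28cc800025b71c750ef4e6ff7cd183be6854bd9589c74a28b2a2a39655a9.exe"
SAMPLE_EVENTS = [
    ProcEvent(216, 3100, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(4640, 216, NET + r"\vbc.exe",
              '"' + NET + r'\vbc.exe" /noconfig @"' + TEMP + r'\f5zd0wql\f5zd0wql.cmdline"'),
    ProcEvent(3048, 4640, NET + r"\cvtres.exe",
              NET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
              + r'\RESF211.tmp" "' + TEMP + r'\vbcFB576C2ACE714992B538EFCEBC653C83.TMP"'),
    ProcEvent(756, 216, TEMP + r"\tmpF02D.tmp.exe",
              '"' + TEMP + r'\tmpF02D.tmp.exe" ' + SAMPLE),
    ProcEvent(4008, 3900, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'),
    # Benign control: the same compiler with a response file under a source tree must not fire.
    ProcEvent(5120, 5100, NET + r"\vbc.exe",
              '"' + NET + r'\vbc.exe" /noconfig @"C:\src\App\obj\Debug\App.vbproj.vbc.cmdline"'),
]


if __name__ == "__main__":
    for hit in find_runtime_compile_chains(SAMPLE_EVENTS):
        print(hit)
```

The response-file location is the discriminator: developer builds also run vbc.exe /noconfig with a .cmdline file, but from a project's obj directory, so the benign control above produces no finding while the report's chain yields one with cvtres, a Temp-resident dropped exe, and the self-delete handoff all set.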
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: cbd7b57c2280f69333a82d3a6fdfac69
  SHA1: 6ec39946ba6595b1412838a83776e08fd3c8f8f0
  SHA256: d63c8e287a291be58e64bd94dbb64de4f85b456cdcc1715b1655090f16bf1271
  SHA512: 6f27cd58226e3816fda51cf1594ae571a491530e80fcfb18ff3bba887085dbd46d0f642660b48b5fa32d3f80cd27835bb0373a3251d73a60ff1ecbb66b81ed28
- Filesize: 1KB
  MD5: 6ad475ce7c1767827a54bab1ab77d00a
  SHA1: a26e28182f0d06fad96fdcfd012137ee3f39fa15
  SHA256: 84dd54737e80d01512ec08caf2400378dfa3ddcac17bf1bbfd94b30176d7dc73
  SHA512: 83ea38712ca002b6c4ff7ba2f280a7fe284cd685daabb05f49728d64ef53bf9454c7486beabbed9c66093d77d8f2769286a57d394ef9c2f6ae79bf537540158d
- Filesize: 2KB
  MD5: 7613f4ab6c7f5ed05598bc32b3ffd345
  SHA1: 1b3ba08066d5dd8bc15c67d2572154d3da841aca
  SHA256: d282dfae22a0a3521428b731d2c3dbd7b4f1b700033fa40f494773291aaa88e2
  SHA512: 0167c5e71d795e24cb862d6a0e3318cb3bb73a4842246152bfbaf45b3b4502da434884eca00a4c28dba947a2af9f1075174a586185037316289a6a878ecbda85
- Filesize: 273B
  MD5: f206b976f2b6bd147aadd380f5b638e4
  SHA1: 1565efc0b646948cfded9e2397544679e20a65b7
  SHA256: 37cf671654d163733dca989804928bfe15958b0aec93c2d914f98dfe35a61d39
  SHA512: d1c291ef9e6a97ac7a35401d8dcc17cabaf4d7d89e4dc0f3888866e96693192910389e0bb9bc5f10eaf9266dd138bb5db3fc211062bea4c72a7f9fd23404ed42
- Filesize: 12KB
  MD5: c14bf883094935549a3bd2ff97f64a12
  SHA1: 035257a173637715b73b47d6518a07b3e0001e5f
  SHA256: 0973144c894a34e8646ced501162e607b80d8763648d3d471835a70e2cad3901
  SHA512: 425315f367d31f09b73161d1788d9d1240f58be4391c3ba8cb459e6440546d4f1b634b93fa749dd0d06b6c46c5b31ccf9c22c9bf52f5f74bb8edb7e88046458e
- Filesize: 1KB
  MD5: 0b81b4a2d91517df8da1c03f51a38445
  SHA1: 08be5ccafb91732501eea93393d7607d45553fa5
  SHA256: 88824599c40972f47852d8855cd553cc5e0da73957a37bf6147efb689faf1b57
  SHA512: 62e313845259acb21fd73a3cfc4fffec2dbb0d0b70c992b541dc7ce54d58ad1966bc48521b0004c24e64eaf3d70a6eaa26c7f8cb6d2a42fc39667c00018e9050