Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 01/06/2024, 18:27
Static task: static1
Behavioral task: behavioral1
  Sample: 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
  Resource: win10v2004-20240508-en
General
Target: 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
Size: 12KB
MD5: 7c5cd4cb63f4c237728207523f5dd646
SHA1: 5bce38363c2e71c0bf7c9bcb66fabd3eaad91a26
SHA256: 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6
SHA512: e46a7ad81371125055caaae25f015ce59b69422763dc1a29dcf0380cb419836254b7a230845f29f1ee576eebf5d1455f63e63a9c56a06ba9895575af4871ddc0
SSDEEP: 384:bL7li/2z4q2DcEQvdhcJKLTp/NK9xabF:PsM/Q9cbF
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2648, process tmp20EA.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid 2648, process tmp20EA.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid 2392, process 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 2392, process 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 2392 wrote to memory of 1972     2392  08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe     28  (4 entries)
  PID 1972 wrote to memory of 1852     1972  vbc.exe                                                                   30  (4 entries)
  PID 2392 wrote to memory of 2648     2392  08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe     31  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe"
  Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 2392
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xkpl1rai\xkpl1rai.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1972
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES228E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc502B0C5212AE4C46AFE976B0F9C4922E.TMP"
      PID: 1852
  - C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
    Signatures: Deletes itself; Executes dropped EXE
    PID: 2648
Network
MITRE ATT&CK Enterprise v15
Downloads