Analysis
- max time kernel: 134s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/06/2024, 18:27
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
  - Resource: win7-20240419-en
- Behavioral task: behavioral2
  - Sample: 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
  - Resource: win10v2004-20240508-en
General
- Target: 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
- Size: 12KB
- MD5: 7c5cd4cb63f4c237728207523f5dd646
- SHA1: 5bce38363c2e71c0bf7c9bcb66fabd3eaad91a26
- SHA256: 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6
- SHA512: e46a7ad81371125055caaae25f015ce59b69422763dc1a29dcf0380cb419836254b7a230845f29f1ee576eebf5d1455f63e63a9c56a06ba9895575af4871ddc0
- SSDEEP: 384:bL7li/2z4q2DcEQvdhcJKLTp/NK9xabF:PsM/Q9cbF
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (process: 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe)
- Deletes itself (1 IoC)
  PID 1592, process: tmp54E7.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 1592, process: tmp54E7.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4376, process: 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 4376 (08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe) wrote to memory of PID 3688, procid_target 87 (3 events)
  - PID 3688 (vbc.exe) wrote to memory of PID 2252, procid_target 89 (3 events)
  - PID 4376 (08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe) wrote to memory of PID 1592, procid_target 92 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe (PID 4376)
  Command line: "C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe"
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 3688)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qpyiz2lp\qpyiz2lp.cmdline"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2252)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BF2B0A9510C45DB80A3969CE72B9278.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp54E7.tmp.exe (PID 1592)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp54E7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe
    Signatures: Deletes itself; Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads