Malware Analysis Report

2025-04-14 00:32

Sample ID 240601-w31htsbg63
Target 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6
SHA256 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6 was classified as: shows suspicious behavior.

Malicious Activity Summary


Uses the VBS compiler for execution

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 18:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 18:27

Reported

2024-06-01 18:30

Platform

win7-20240419-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2392 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2392 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2392 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1972 wrote to memory of 1852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1972 wrote to memory of 1852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1972 wrote to memory of 1852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1972 wrote to memory of 1852 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2392 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe
PID 2392 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe
PID 2392 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe
PID 2392 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe

"C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xkpl1rai\xkpl1rai.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES228E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc502B0C5212AE4C46AFE976B0F9C4922E.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe

Network

N/A

Files

memory/2392-0-0x000000007443E000-0x000000007443F000-memory.dmp

memory/2392-1-0x0000000000230000-0x000000000023A000-memory.dmp

memory/2392-7-0x0000000074430000-0x0000000074B1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xkpl1rai\xkpl1rai.cmdline

MD5 2359a46450c8dae7988b6c775b3cacf2
SHA1 7726bb3c4a2b7fb003616835bccd391fac23d6f0
SHA256 dd3defe5686a13d10eb96223319bea3de325f7c08586c630db63d8b06118769b
SHA512 17dadcdab659bc5454f68b98c195472f4cd063e212ed7e65f888052214e84d8e393769f9f47bb6479d39ce091f45e9fb4fdda88fa514e76fdb1015ccf57e25bb

C:\Users\Admin\AppData\Local\Temp\xkpl1rai\xkpl1rai.0.vb

MD5 80af92fd4bc6642983024ef611fae21c
SHA1 beb66176ece391ec767db33651b3aaafac6cc951
SHA256 881e88f523e12130aaac6630867889453297c0d4b618d4dfaaaa5f66ae65969d
SHA512 f19700b12bd5faeda800a3a16ac34d0c63e64f535a8e1c367a659bd681ee215ee2c2536ff09ad1b2004196b198c4e0aacccdbe64b9f7c0ed6d9cde560940281f

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 fed096e92b299eb75f5a7e4d1a10e4a5
SHA1 598d93301191c3efbd7134269385e37164c914f5
SHA256 249dfaabaa15f5194aa1b2a3fddd7292d6d3e3b0787dd8b1a50130774de63b30
SHA512 2a99b78f9359e20ef168130864f12366d12701ef8c40c1ee5c72f134d17c3188e4a625538f4a64961c493ed1240c5aed679ac665ccc1bc251f8595e506c86322

C:\Users\Admin\AppData\Local\Temp\vbc502B0C5212AE4C46AFE976B0F9C4922E.TMP

MD5 76ef68a3683ef8739a9fa52629f19b4b
SHA1 3b742c5ce47b16f76366cdbdd504be3403522c55
SHA256 ab97973a53229de80356e217e9584f3cb55ae8f5da5adbd9eca5e97ca6abeb75
SHA512 3ab50b8e634ba88ec127344214e7380f2b0fc91152ce90cd24c957001957e480ddb541b8e679ec0eb3eaa7f7ae9319449b30c05b323dfbb16014d3fe36c44e1d

C:\Users\Admin\AppData\Local\Temp\RES228E.tmp

MD5 2d2fc08364ddd7c167b9e425f5ea186e
SHA1 95eb9db7b84983e2ec9a8fc0601998d1fb9c54db
SHA256 b691e6f1641c27fd816e9b6783ad2130f31f1fdd58be19e8e30763aae58c6d8e
SHA512 20445bbc12533d7798f61d83e3c279c85ec5fbf996b69d3d451615025134393ac626d4fae4193485d425ef3dc67686fb46e2cba692b917d5e96bf7117d480581

C:\Users\Admin\AppData\Local\Temp\tmp20EA.tmp.exe

MD5 eacd57e1ec2fed7c47e7ecbbd148672d
SHA1 159d3c7ead7d4b9d7857e8388b5ac680960de1bd
SHA256 78eac6876005ea164a7d26f680d22a58bdaafbcef44e2a57113374ddd8fc6e0f
SHA512 0b5994dac9eff91062019e68be76488f79daa7cc319fe9b527f9bebc5976f52c9d79d598bbbeea55bfa48afaa4f7aa36cf4c39de5f2a6a4a241c4f91a787a514

memory/2648-23-0x00000000013B0000-0x00000000013BA000-memory.dmp

memory/2392-24-0x0000000074430000-0x0000000074B1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 18:27

Reported

2024-06-01 18:30

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp54E7.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp54E7.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4376 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4376 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4376 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3688 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3688 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3688 wrote to memory of 2252 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4376 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Users\Admin\AppData\Local\Temp\tmp54E7.tmp.exe
PID 4376 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Users\Admin\AppData\Local\Temp\tmp54E7.tmp.exe
PID 4376 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe C:\Users\Admin\AppData\Local\Temp\tmp54E7.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe

"C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qpyiz2lp\qpyiz2lp.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BF2B0A9510C45DB80A3969CE72B9278.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp54E7.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp54E7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\08f5b50dae00490b58d66243343bc93ff2ab474d2b79a79be9cfb05b1c9e66e6.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4376-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

memory/4376-1-0x0000000000900000-0x000000000090A000-memory.dmp

memory/4376-2-0x0000000005280000-0x000000000531C000-memory.dmp

memory/4376-8-0x00000000751E0000-0x0000000075990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qpyiz2lp\qpyiz2lp.cmdline

MD5 6a303628ee9096fa86974245cf90dcda
SHA1 b8b559181cb304cddfadeec0aedfd7b46425ebce
SHA256 ca2faae180d46204acf9decc4a656a66dc9598d7a9db1a36e12616e04e0b3cd8
SHA512 ffe9c0e8c1001a1b37b1b9cbaa49ab5eda727031f93dc40ce2fb683a87c0dca1deb429b15bee46f4726c8293b4ce51cbf6299ebc368c1c74a0b12cfece857d15

C:\Users\Admin\AppData\Local\Temp\qpyiz2lp\qpyiz2lp.0.vb

MD5 7ab119867f6ab2b66a14adc47ba0e3a7
SHA1 c1dc93d6cd94a0c163a1a95d89240a61ea5153ac
SHA256 9f4345f6b5061210a784a238a70a997d37a999df063be0dbdf2dd3fa16b3609d
SHA512 571dab1b75e7e2058f97afb071a9935eecf1882447b258ff17638df997db5b975d8448909933b073d88105468ee77e32d3e4091e8ef88b43b6c4cee9b72e3822

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 e4ca94cac2ac82bb1d4838d81949ed7d
SHA1 a1ab0b2e864948a6c5f7ced778994c20a451b5bd
SHA256 187c3da57885ba972bb6ce615045e9877b71ba401764ea1ef3a64a79d9ad661f
SHA512 3c12c66491f50b2a67429e31118a107d12ced9755056af4fe02de250fdbb4f60ed7a9b5950f1615fb00afda5dac138ae326845570d4767396757942642423f6d

C:\Users\Admin\AppData\Local\Temp\vbc9BF2B0A9510C45DB80A3969CE72B9278.TMP

MD5 3d664e7192a4ae26d58bb6c9c8bb7a57
SHA1 f2b9bb1829a2705fb561942bc69a22ce1ea75aac
SHA256 cac73106800620b0f6d7f3d6cd9abfcec6c5b02a4eb684cdf9cf103931f87aff
SHA512 27c3aa74dbfa68923884d1675ff1c0554b9ecfcd30a451bc1eb2621ebb7e321b9aa8b2efa9c410c52ed3439074ad0154a4eb00d17d51de3360168b30afa7b664

C:\Users\Admin\AppData\Local\Temp\RES56EA.tmp

MD5 9e4fdfd8058b5685585db1a23e30061f
SHA1 6370e94e0c8308a69063dd0f57b26e909fc104e7
SHA256 75e9929a3e2af694ec2fb998fc3b88dda96225fd971b78146c2a692f5678e1e0
SHA512 41d5b3f2d08d1f7fe690026ed63a03c4d52e38acafb1ecae75675a6960b8939be9c256bd930000d615a706531740c3ae03cba7dd5ca56c414b7ecc3edcde1f35

C:\Users\Admin\AppData\Local\Temp\tmp54E7.tmp.exe

MD5 bfadd015b89b6f0bdf3298dadae6664f
SHA1 c1073a2e0a51cc518e176e1a6ece46d3e5013e72
SHA256 1912dc93ebf24b00f013eb835b76d6bb97c9e695332d9ccf56edb60ad93618bc
SHA512 54fb217cadbbcf8dd1e69815dcf5fadc50ab8d517fae78869b730e685116a57a17f91d910b1b2c69415ef9ce64646c7c8e0a36942de459606f3a9f2b2852dfa1

memory/1592-24-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/4376-26-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/1592-25-0x0000000000C20000-0x0000000000C2A000-memory.dmp

memory/1592-27-0x0000000005B70000-0x0000000006114000-memory.dmp

memory/1592-28-0x00000000055C0000-0x0000000005652000-memory.dmp

memory/1592-30-0x00000000751E0000-0x0000000075990000-memory.dmp