Analysis

max time kernel: 122s
max time network: 124s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 01/06/2024, 20:03
Static task: static1

Behavioral task: behavioral1
Sample: 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
Resource: win10v2004-20240426-en
General

Target: 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
Size: 12KB
MD5: 01b71b2c5db5a42ae9ec53f48b43a808
SHA1: 3b1c203448b8b53e668d5de21d9fe7ada2a8ae3c
SHA256: 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5
SHA512: ad9cc4755d3e9897f9c6a4fc2a1b9cd5cdb4ac5ff8380a9bdef17a5bd6c6e86f8267ff2095bc0813c5eecf5a6a98e4cdb0e0132a9a739db807f46a0d507e7649
SSDEEP: 384:9L7li/2ziq2DcEQvdQcJKLTp/NK9xaqR:tyMCQ9cqR
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid   Process
  2432  tmpFBB.tmp.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2432  tmpFBB.tmp.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  3056  328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe

Uses the VBS compiler for execution (1 TTPs)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3056  328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 3056 wrote to memory of 2516  3056  328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe  28
  PID 3056 wrote to memory of 2516  3056  328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe  28
  PID 3056 wrote to memory of 2516  3056  328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe  28
  PID 3056 wrote to memory of 2516  3056  328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe  28
  PID 2516 wrote to memory of 2696  2516  vbc.exe                                                                   30
  PID 2516 wrote to memory of 2696  2516  vbc.exe                                                                   30
  PID 2516 wrote to memory of 2696  2516  vbc.exe                                                                   30
  PID 2516 wrote to memory of 2696  2516  vbc.exe                                                                   30
  PID 3056 wrote to memory of 2432  3056  328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe  31
  PID 3056 wrote to memory of 2432  3056  328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe  31
  PID 3056 wrote to memory of 2432  3056  328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe  31
  PID 3056 wrote to memory of 2432  3056  328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe"
  PID: 3056
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l4q4ecwe\l4q4ecwe.cmdline"
    PID: 2516
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES114F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc650EE4692EA84FA3BAD43E8BDCFD3B59.TMP"
      PID: 2696

  C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
    PID: 2432
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads