Analysis
- max time kernel: 93s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/06/2024, 20:03
Static task: static1
Behavioral task: behavioral1
- Sample: 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
- Resource: win10v2004-20240426-en
General
- Target: 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
- Size: 12KB
- MD5: 01b71b2c5db5a42ae9ec53f48b43a808
- SHA1: 3b1c203448b8b53e668d5de21d9fe7ada2a8ae3c
- SHA256: 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5
- SHA512: ad9cc4755d3e9897f9c6a4fc2a1b9cd5cdb4ac5ff8380a9bdef17a5bd6c6e86f8267ff2095bc0813c5eecf5a6a98e4cdb0e0132a9a739db807f46a0d507e7649
- SSDEEP: 384:9L7li/2ziq2DcEQvdQcJKLTp/NK9xaqR:tyMCQ9cqR
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
  Process: 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
- Deletes itself (1 IoC)
  pid: 4068
  Process: tmp33B3.tmp.exe
- Executes dropped EXE (1 IoC)
  pid: 4068
  Process: tmp33B3.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 5056
  Process: 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 5056 wrote to memory of 1212 | 5056 | 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | 85
  PID 5056 wrote to memory of 1212 | 5056 | 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | 85
  PID 5056 wrote to memory of 1212 | 5056 | 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | 85
  PID 1212 wrote to memory of 2148 | 1212 | vbc.exe | 87
  PID 1212 wrote to memory of 2148 | 1212 | vbc.exe | 87
  PID 1212 wrote to memory of 2148 | 1212 | vbc.exe | 87
  PID 5056 wrote to memory of 4068 | 5056 | 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | 88
  PID 5056 wrote to memory of 4068 | 5056 | 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | 88
  PID 5056 wrote to memory of 4068 | 5056 | 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe (PID: 5056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID: 1212)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsjmwqd3\qsjmwqd3.cmdline"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID: 2148)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3548.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FFC9CF01CB24F4D9F407060AECD9E4C.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp33B3.tmp.exe (PID: 4068)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp33B3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe
    Signatures:
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads