Malware Analysis Report

2025-06-16 07:35

Sample ID 240601-ysymlaec62
Target 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5
SHA256 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5
Tags
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5

Threat Level: Shows suspicious behavior

The file 328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5 was classified as: Shows suspicious behavior.

Malicious Activity Summary

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Executes dropped EXE

Deletes itself

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-01 20:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 20:03
Reported 2024-06-01 20:06
Platform win7-20240220-en
Max time kernel 122s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3056 wrote to memory of 2516 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2516 wrote to memory of 2696 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3056 wrote to memory of 2432 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe

"C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l4q4ecwe\l4q4ecwe.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES114F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc650EE4692EA84FA3BAD43E8BDCFD3B59.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe

Network

N/A

Files

memory/3056-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

memory/3056-1-0x00000000008D0000-0x00000000008DA000-memory.dmp

memory/3056-6-0x0000000074BD0000-0x00000000752BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\l4q4ecwe\l4q4ecwe.cmdline

MD5 a2e403f9c434528447afa996c9f7b2df
SHA1 45cbfe298f7a2c342bddc95e4dd4e3fa6ff792c7
SHA256 4cdc9006a2f88834a3763ed267c1f348014496411443d7b0998d4aac0ff45f2d
SHA512 7e0401399d972c0a8c887539e4373d45a8b974702d99fdbe62b8d3272255bc7e384ebea4628418b022a8ace47baf856643a31dffc9c36e5b82c509b7a0dcec4a

C:\Users\Admin\AppData\Local\Temp\l4q4ecwe\l4q4ecwe.0.vb

MD5 c8dbd612fdbaf98e936d6940e4fb9d08
SHA1 187b6e0f04ce21596e707486b204ac489e26e785
SHA256 9a3b20fdedf220e1a40fe1fffb3ab1b37e1f19bd4b4fc08c363f86f7e328db04
SHA512 c5489088f399b2eba801c4efe85b4961dccf4b48fda22ea83a9edd80c6977f6e7899fa613a05d84f0b49b2ddfcbf1bc4244d1ebe0b0d1f3db69f782add606cf1

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 291ce671e59dd15cd582a80bf5f766c0
SHA1 90a82ccfed533d1fdbc118e9706bb8eac1c5cdd8
SHA256 a9226b442476c16fb6224c02d6e88578f4f415db61355381fcc12c702217e253
SHA512 c2c55b7501910dbf2af09a0e7e4349b40728709151c5e645b158e1d7ec9f29251cabd9ff71c62a6b79c8690c7bb73e2cb086d6f896f21a67a62bce293a590997

C:\Users\Admin\AppData\Local\Temp\vbc650EE4692EA84FA3BAD43E8BDCFD3B59.TMP

MD5 952229cd34be619f381e6e146f8cc0f0
SHA1 ea0fe02fd76a6c2b1036c302a56d3105d108fb66
SHA256 250c0f09ab905b122e7065352e526683622e12e7fe4e698cc3ba91397722d5ef
SHA512 6f5707b8a7decca9b6b78f032ab6ab80d82787fa457519abfaf1343c45eaa1db86ef079b6eb10241b4724d1cee321db8fd3dbcc56175ec13673a17dd44238dda

C:\Users\Admin\AppData\Local\Temp\RES114F.tmp

MD5 842bb751065cdd045d3393c57d4a18cd
SHA1 d5e76ea92e232f66592c0dcfd9aa8dc5122035be
SHA256 602b3c7cef493a075988a393c5a1321a700dd3403d825afe80814f87e20dbe1a
SHA512 53434bb3276d333e2f05ed13e8d478d5bcb76c8601537ed4e7d4ccbf45c158f0f540b458ed1eea7e4dd1873512a16e7feac0032993950a31784a9084ea261f2a

C:\Users\Admin\AppData\Local\Temp\tmpFBB.tmp.exe

MD5 8845e7dac0b7de76b81a1a11f4baebbc
SHA1 7be59739f998f1f18adcb2e3e55e28c3270afd26
SHA256 d4613ffa3388cc05d5b03a6a9a4b7c47ba814b1609062302e3523f5e9a70e200
SHA512 3315b14d25a8f8b27dc4546bf79388073423d76409b004f303415734d9bfc7cc73381f6688dc41f8e21bb8e3ef0df0c2a834ea7f8412dd185d24e2e6040d7a9f

memory/2432-23-0x0000000000C30000-0x0000000000C3A000-memory.dmp

memory/3056-24-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 20:03
Reported 2024-06-01 20:06
Platform win10v2004-20240426-en
Max time kernel 93s
Max time network 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp33B3.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp33B3.tmp.exe | N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5056 wrote to memory of 1212 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1212 wrote to memory of 2148 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 5056 wrote to memory of 4068 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe | C:\Users\Admin\AppData\Local\Temp\tmp33B3.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe

"C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsjmwqd3\qsjmwqd3.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3548.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2FFC9CF01CB24F4D9F407060AECD9E4C.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp33B3.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp33B3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\328bd3db843fbb6b8edf018c4a7c07fc272d87b81059be53071996b0c53d04d5.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

memory/5056-0-0x00000000743DE000-0x00000000743DF000-memory.dmp

memory/5056-1-0x00000000007D0000-0x00000000007DA000-memory.dmp

memory/5056-2-0x0000000005090000-0x000000000512C000-memory.dmp

memory/5056-8-0x00000000743D0000-0x0000000074B80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qsjmwqd3\qsjmwqd3.cmdline

MD5 5466d4fc61a5623df990cef7438e9f73
SHA1 4a00fb8c6d10ae102bc2f3df8cd55aeddb0413e2
SHA256 d07fa0d288077516645757e2a764e03f338c1a5dcafaffa04d795580bc584992
SHA512 30127e01761120cfc8f37200f1d3e591e1d0c10fa1325a56bcdf40ea2581ce125701b249fceca7feecb31f849d6c05702e8aa83241c7309e33051f66b16938bb

C:\Users\Admin\AppData\Local\Temp\qsjmwqd3\qsjmwqd3.0.vb

MD5 05dbe67eae3f64595aea0ba09e2eaaf1
SHA1 0367fd703bdd51d1e9d05eb5669e3112d1dcbee1
SHA256 65321d304ce75589928b4861b6fae02a49972661a4331652bcd7c36ea7787545
SHA512 2a611355a66e58d0222d8828e8fb6185cf5b9cfa707ec9b274667dee2857a2f1dce2f7dff1b1b0f2d6bf549d8da768c7d1628ab20f24b988d478ec64f649625d

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 b7384e63897efb1b458d65802017484a
SHA1 b3eb4995c0989666d911bbd8775967312b5313b2
SHA256 c99b89c93ee659a1cb3051398a6998d2a048e8abb7eddca6cd94ea403b10628a
SHA512 cb2028ffb62ab78c41364262ed47738a3b396d61657be71c5f25166e7c7bb8fbdebdf93957fb678e7cb669f9dca6cf898a81cc4e0c32476b5a71167ad9040a18

C:\Users\Admin\AppData\Local\Temp\vbc2FFC9CF01CB24F4D9F407060AECD9E4C.TMP

MD5 850f60f07e6a4690ef070007d42ba139
SHA1 54c7c5f1b8837d275fe91f443eded97936d5f848
SHA256 b1a7b27e30301cd55a090bd1f4838f081be643493f4de4b0cbcbefd0195e20bd
SHA512 65fe99abbbce113f01069f37d267d4f2165ac93db8948b5e0e48cbf85a1fb34fca5fa886cebf707b3ff3c7b1b3fe064d53be07770501ae7d014c162a8fd0da8f

C:\Users\Admin\AppData\Local\Temp\RES3548.tmp

MD5 4ec84b92ac6bb63a1d50f758fd683082
SHA1 27bfeee38d17de610b0fea8195ca79807bc8ab76
SHA256 42baf09f7a5abbbf7fb51423efb5ecd68ca4316c7f8fed7bbdb333b9a3932c3d
SHA512 413b193ab367ba96e50030fb0036a8f8d61f3bb1a5b7b310a62b24b53f8b288d33f9863e68bf7ed779299a40d85c003151bbd7e53775b8c602a127c041525ce8

C:\Users\Admin\AppData\Local\Temp\tmp33B3.tmp.exe

MD5 878a2ec5a0711a8451d733034e709c43
SHA1 0b7a9a04f80b7f0560796d0257790b6ee5053f30
SHA256 fdd383d3a3acafc2599f1a40d3855cbed39b62763e729fc55d7335b749bb5c1c
SHA512 5c427951bffe34ebe66ce6ec1a401d1474b55ecc4109cd7e72aa0f5991d78fac76342799f56a46c395563beeb32160588ca8d48ded7dfcdde1633ff48eb89e88

memory/4068-25-0x0000000000440000-0x000000000044A000-memory.dmp

memory/5056-24-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/4068-26-0x00000000743D0000-0x0000000074B80000-memory.dmp

memory/4068-27-0x00000000053A0000-0x0000000005944000-memory.dmp

memory/4068-28-0x0000000004DF0000-0x0000000004E82000-memory.dmp

memory/4068-30-0x00000000743D0000-0x0000000074B80000-memory.dmp