Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02/06/2024, 22:37
Static task: static1
Behavioral task: behavioral1
- Sample: 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
- Resource: win10v2004-20240508-en
General
- Target: 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
- Size: 12KB
- MD5: b5ddbd05bbacdaf2340fab88d694a093
- SHA1: a655e9819d7c7bb1b981ab7d188f03ddd656e28a
- SHA256: 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83
- SHA512: 53af3e1fee8482e1b2bbd71e954dd3e73ef1fa82aac8479e7ce8e5111fa2a7ea869f3aa0f9dbba28c0cb7dd388ac6f6af30dcab918272bfe2a7143254bf54a4c
- SSDEEP: 384:yL7li/2zPq2DcEQvdQcJKLTp/NK9xaJi:sTMCQ9cJi
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 2672, process tmp146C.tmp.exe
- Executes dropped EXE (1 IoC)
  pid 2672, process tmp146C.tmp.exe
- Loads dropped DLL (1 IoC)
  pid 2372, process 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2372, process 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       | pid  | Process                                                              | procid_target
  PID 2372 wrote to memory of 2724  | 2372 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 28
  PID 2372 wrote to memory of 2724  | 2372 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 28
  PID 2372 wrote to memory of 2724  | 2372 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 28
  PID 2372 wrote to memory of 2724  | 2372 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 28
  PID 2724 wrote to memory of 1276  | 2724 | vbc.exe                                                              | 30
  PID 2724 wrote to memory of 1276  | 2724 | vbc.exe                                                              | 30
  PID 2724 wrote to memory of 1276  | 2724 | vbc.exe                                                              | 30
  PID 2724 wrote to memory of 1276  | 2724 | vbc.exe                                                              | 30
  PID 2372 wrote to memory of 2672  | 2372 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 31
  PID 2372 wrote to memory of 2672  | 2372 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 31
  PID 2372 wrote to memory of 2672  | 2372 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 31
  PID 2372 wrote to memory of 2672  | 2372 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe (PID: 2372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID: 2724)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hlf5wpw2\hlf5wpw2.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID: 1276)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1564.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD11244C3041426583AFFE5CDACF70.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe (PID: 2672)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads