Analysis
max time kernel: 132s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 22:37
Static task: static1
Behavioral task: behavioral1
Sample: 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
Resource: win10v2004-20240508-en
General
Target: 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
Size: 12KB
MD5: b5ddbd05bbacdaf2340fab88d694a093
SHA1: a655e9819d7c7bb1b981ab7d188f03ddd656e28a
SHA256: 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83
SHA512: 53af3e1fee8482e1b2bbd71e954dd3e73ef1fa82aac8479e7ce8e5111fa2a7ea869f3aa0f9dbba28c0cb7dd388ac6f6af30dcab918272bfe2a7143254bf54a4c
SSDEEP: 384:yL7li/2zPq2DcEQvdQcJKLTp/NK9xaJi:sTMCQ9cJi
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
  Process: 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
- Deletes itself (1 IoC)
  pid: 4112
  Process: tmpF31B.tmp.exe
- Executes dropped EXE (1 IoC)
  pid: 4112
  Process: tmpF31B.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 1068
  Process: 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1068 wrote to memory of 3372 | 1068 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 96
  PID 1068 wrote to memory of 3372 | 1068 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 96
  PID 1068 wrote to memory of 3372 | 1068 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 96
  PID 3372 wrote to memory of 3516 | 3372 | vbc.exe | 98
  PID 3372 wrote to memory of 3516 | 3372 | vbc.exe | 98
  PID 3372 wrote to memory of 3516 | 3372 | vbc.exe | 98
  PID 1068 wrote to memory of 4112 | 1068 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 99
  PID 1068 wrote to memory of 4112 | 1068 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 99
  PID 1068 wrote to memory of 4112 | 1068 | 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe | 99
Processes
- C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe"
  PID: 1068
  Signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0nakykbt\0nakykbt.cmdline"
    PID: 3372
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7EF846C6B1C04C9D8ADBD95DC566407.TMP"
      PID: 3516
  - C:\Users\Admin\AppData\Local\Temp\tmpF31B.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpF31B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe
    PID: 4112
    Signatures: Deletes itself; Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8
  PID: 5100
Network
MITRE ATT&CK Enterprise v15
Downloads