Malware Analysis Report

2025-04-14 01:00

Sample ID 240602-2j18xahe9t
Target 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83
SHA256 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83
Tags N/A
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83

Threat Level: Shows suspicious behavior

The file 5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83 was found to be: Shows suspicious behavior.

Malicious Activity Summary
Deletes itself

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:37

Reported

2024-06-02 22:40

Platform

win7-20240221-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2372 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2372 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2372 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2724 wrote to memory of 1276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2724 wrote to memory of 1276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2724 wrote to memory of 1276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2724 wrote to memory of 1276 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2372 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe
PID 2372 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe
PID 2372 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe
PID 2372 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe

"C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hlf5wpw2\hlf5wpw2.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1564.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAD11244C3041426583AFFE5CDACF70.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe

Network

N/A

Files

memory/2372-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

memory/2372-1-0x0000000001140000-0x000000000114A000-memory.dmp

memory/2372-7-0x00000000744D0000-0x0000000074BBE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hlf5wpw2\hlf5wpw2.cmdline

MD5 eb827487e40a84cea64263bfb521d25f
SHA1 5cf872c72bd8fbea85f6f11d4f2102755217928f
SHA256 613c63bd2743ae9bbcc620e7898926a18c5d9c1119a5de90eac5a5b2963dfc2a
SHA512 35c5c6a6f4960c728e461fb842d0d9017a216b5d3b77f5761303191383f54aa42a2e03e5a36b74a9ef79bc31b0ffe695d0ea972ba65f29483df5ff3c37f369d8

C:\Users\Admin\AppData\Local\Temp\hlf5wpw2\hlf5wpw2.0.vb

MD5 823ef7aaae1ac87312a7dc9c5c70cbab
SHA1 e90ff193964e4448783f77292c89e681bd27b5a4
SHA256 3729679b8858f9c8b454bd768317bda2f1678bd3d8796a36fafa8c95efd50d17
SHA512 b6bcb9281cadd9f2ed5c45b59eb4a111b444ef7f5d21d6312465682dea67851f29b36b98dd2169c70ad77d1a76df8f038d321225cbe407e64f724a50bd754972

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 15210095f5e51b3906c35a952adf4f34
SHA1 db24a64ca980bacaf27ac433a6ca10158517c687
SHA256 4f9b289383403695bf11ceb1eb524332372abac476d9ada4424177e27a93ab05
SHA512 31a92760e1d70800d79f802e52076218a01ee5bdb7c1093a687005ec451d08b9b3485f92c53344a89acbcf84d3b5b7030350845140e9c418d18b934befdf8166

C:\Users\Admin\AppData\Local\Temp\vbcAD11244C3041426583AFFE5CDACF70.TMP

MD5 fb8b5b6067d871992dcbf942847111c2
SHA1 d5eb91f776490da711cb4cf13b28ffb3d256e98a
SHA256 d39f5022035f84c9ea882d256fbada7b9f2ca8c0681e431ab5a687051b60da5e
SHA512 50c1838f295af41fce9418e50183ed3e57562094bc84b35179620c6608398b8001db8a97eaea537ef5e863fa81f56535a63caa5dd59f702b755aec0c2f0f1eda

C:\Users\Admin\AppData\Local\Temp\RES1564.tmp

MD5 fd1bfea2b71f9231631633a19b5e85ef
SHA1 bf62c53f59c38ce39d782972c3ede0add410adcc
SHA256 fe4d11c247177ef751d73e49216d20be5576ee9f954b93b86b23c5fd74752787
SHA512 5c75cb9e57a51a448b4fe715c8c126ff2047a332636be77bce366fcd4ebef16f99c20750cb3a94b5836ee206af6f9c560f6d72422ec5f4189b1ba1338366219e

C:\Users\Admin\AppData\Local\Temp\tmp146C.tmp.exe

MD5 8642424c8ce9d56393db836bf5cbf4f9
SHA1 bb17d4bfe4e8f33ca8eefe62ccf25b40c1ce4840
SHA256 93fedb6f50cb15b54a0dfec041a8b045938ff1821efdfe29d88047a56b438192
SHA512 15a5386f710b62396cabae6614ac2e0d203b48a7c0b88227a177b33068d2794d377d23a134bde3c4db7bd6c08c6b2c3d6fe59815da713de14877708ed247d16c

memory/2672-23-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

memory/2372-24-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 22:37

Reported

2024-06-02 22:40

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF31B.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpF31B.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1068 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1068 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3372 wrote to memory of 3516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3372 wrote to memory of 3516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3372 wrote to memory of 3516 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1068 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Users\Admin\AppData\Local\Temp\tmpF31B.tmp.exe
PID 1068 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Users\Admin\AppData\Local\Temp\tmpF31B.tmp.exe
PID 1068 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe C:\Users\Admin\AppData\Local\Temp\tmpF31B.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe

"C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0nakykbt\0nakykbt.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7EF846C6B1C04C9D8ADBD95DC566407.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpF31B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF31B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e7dd30e3496cf52fd5d91a2201e3b8bf6bf42bd3baefde1cb7950e7a6fcfd83.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/1068-0-0x000000007470E000-0x000000007470F000-memory.dmp

memory/1068-1-0x0000000000F50000-0x0000000000F5A000-memory.dmp

memory/1068-2-0x00000000057F0000-0x000000000588C000-memory.dmp

memory/1068-8-0x0000000074700000-0x0000000074EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0nakykbt\0nakykbt.cmdline

MD5 667330a8828429cebe9cd18c89d14744
SHA1 f16d1f86de43ab4b723c395eee6c32368ba2114f
SHA256 c13084f80618a34ff3ffa2ea2a43dec871a87c8d0c3a6a9e992e6ecf7bf5ff27
SHA512 018617a2705c1c2c8970b815f19ca1697cd13a58673021fb405c0ebe8477b66523a138609e9f2d5b8f1b71d714eea3fcf8f62fae90d85ee6926207712a370c92

C:\Users\Admin\AppData\Local\Temp\0nakykbt\0nakykbt.0.vb

MD5 c18d58195b0ec399114aceccfcf881c8
SHA1 8882db53c5d4c8781e891de5cb6b8c525190f3d1
SHA256 35bca2ff0c47484c616ee3fb67fd8e77caa9d626500bf40c688da95a18387588
SHA512 b854b77335b038908af51b8edd67f925905affe0c5e91c20132db06d38b42be614838567665030934b2ba2e130f6aa924cd67f735f6d0c6f958e9913d36e8e70

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 4ee05ef616290a4ddac7a82c37bfaddc
SHA1 6e629febb2130d4cb9993ca9789dadcf2e0ed1c0
SHA256 c594b0dcc45becd0b4a36f7f123a6c00e930e4269cd381f304d9e421bc442974
SHA512 b6df40909477f2dc08d962be80ec74dea85604ccc9a69461b6163b61af09ad8e9e583af7ec04c58b49ac1715557b0226bf1ea52f9dc4bb10a4e0b876a7fe2255

C:\Users\Admin\AppData\Local\Temp\vbc7EF846C6B1C04C9D8ADBD95DC566407.TMP

MD5 89647ec3d0bb1a4f9d4b44cd6334ef46
SHA1 db096dee6206bfa7533615f355aec769c1e7ac58
SHA256 891ef8254a7a8711e94aa3a3fca8011f8aa55848cc209cc61de35323dfa83dec
SHA512 118714618b277864e890d7240b8989b57c0a4f7511fa4c5d2665d17aff3d2153fdc2c6a8695443b06d389e0b270d6ce19533cacbe26947cccd73bb7a1d323436

C:\Users\Admin\AppData\Local\Temp\RESF4FF.tmp

MD5 1e45bb6515832b4135fd39a04aad11c1
SHA1 03e80771668dfb3f954952cf4551ef1d089eb760
SHA256 2dccc6d7f11482502f6cd20ad59f123092c4695be92cc7fcf380d4a0640c7297
SHA512 781cf45bcddd481d4722429e517be4e6c39ea0f906b767ef6a7021cb0f22a336c4886f819cd2c33a9be4205048e986779462389dab7ae22d2bb31576d56039dd

C:\Users\Admin\AppData\Local\Temp\tmpF31B.tmp.exe

MD5 17c0dbf03e9b8cb787f622f050dd5dfe
SHA1 ec8e66a1a5b3be263c2a1b5e4a2a63951b71b0d1
SHA256 5044b798cb825a55761ce9ce7c39f12b6ae2fb77fa7521a783360c9cde5350e0
SHA512 4711d121bdac6c7b076a144188c1bbe2ed9be3970b81bdfb4846a9489a2421ca44328928856541d43d6e2773932e1e21f5a576112a1347e65eff30f5213e549d

memory/1068-24-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/4112-25-0x0000000074700000-0x0000000074EB0000-memory.dmp

memory/4112-26-0x00000000003C0000-0x00000000003CA000-memory.dmp

memory/4112-27-0x00000000052B0000-0x0000000005854000-memory.dmp

memory/4112-28-0x0000000004DA0000-0x0000000004E32000-memory.dmp

memory/4112-30-0x0000000074700000-0x0000000074EB0000-memory.dmp