Analysis
-
max time kernel
119s
-
max time network
120s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
-
submitted
02/06/2024, 22:36
Static task
static1
Behavioral task
behavioral1
Sample
5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
Resource
win10v2004-20240226-en
General
-
Target
5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
-
Size
12KB
-
MD5
90140da9dd0064d5e7e7faeef8df6058
-
SHA1
187ad926180b3aac26b47001819ad301d650f528
-
SHA256
5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f
-
SHA512
49776fb6f01a63582f92209ded62a4979064d96de94a74ecbede1569adac132ae894912ddb6eee388e3d63159a5b0434c11a5e289fc70fd2f534a1e60a1039ff
-
SSDEEP
384:GL7li/2zXq2DcEQvdQcJKLTp/NK9xa5F:gTMCQ9c5F
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid   Process
2672  tmp29DF.tmp.exe
-
Executes dropped EXE 1 IoCs
pid   Process
2672  tmp29DF.tmp.exe
-
Loads dropped DLL 1 IoCs
pid   Process
2756  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  2756  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description                        pid   Process                                                                   procid_target
PID 2756 wrote to memory of 2212   2756  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe  28
PID 2756 wrote to memory of 2212   2756  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe  28
PID 2756 wrote to memory of 2212   2756  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe  28
PID 2756 wrote to memory of 2212   2756  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe  28
PID 2212 wrote to memory of 2576   2212  vbc.exe                                                                   30
PID 2212 wrote to memory of 2576   2212  vbc.exe                                                                   30
PID 2212 wrote to memory of 2576   2212  vbc.exe                                                                   30
PID 2212 wrote to memory of 2576   2212  vbc.exe                                                                   30
PID 2756 wrote to memory of 2672   2756  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe  31
PID 2756 wrote to memory of 2672   2756  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe  31
PID 2756 wrote to memory of 2672   2756  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe  31
PID 2756 wrote to memory of 2672   2756  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe  31
Processes
-
Process
C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe"
Depth
1
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
-
Process
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Command line
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ahcbcrc\2ahcbcrc.cmdline"
Depth
2
- Suspicious use of WriteProcessMemory
PID:2212
-
Process
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Command line
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6BBA7F05F274DB98984F96356616C6B.TMP"
Depth
3
PID:2576
-
Process
C:\Users\Admin\AppData\Local\Temp\tmp29DF.tmp.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\tmp29DF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
Depth
2
- Deletes itself
- Executes dropped EXE
PID:2672
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
8275e09afcf73d7c03d33c41410bf5fb
SHA1
04b96ca4d5ba0ad91e46b65c0086ffb7bc59c120
SHA256
4f792649ec63b122693dcf82c136917ebed21ec89542e1adab9f1e9721437104
SHA512
98749c53d1bd86df878df065deb904833d8dbe70cf38368a88f1573ce3083fca38471ca16201dcb1e2b213163ae47ca806b8711e41861a53cb9d50dbbc9fff29
-
Filesize
273B
MD5
0ffdfa2cace5e29e2dfef286c22f1fa6
SHA1
ffc04b5769a3bd0e0b1b759236d0ba5fb7ce56d0
SHA256
6ec941eecd91bee7bac7042d7a82f268b7c40519bbd1eb04990b497d8fb96a6e
SHA512
bb2a3d4b548f15e86d991a9eead413c3e7446e72531a36a2640de7abc2f982b799c9d98dbd1589153bcc78b6183a41e240a033f56745269b047fe195959b6434
-
Filesize
2KB
MD5
6a6784655e370cd4beecd989ff0f57ff
SHA1
90fa0625974031a6738edc6ed91ceca0393925c7
SHA256
75871cd68334459d34e0393470d72c55128f44431bd7059f21cdea42e58e4cad
SHA512
5083d4c3ca29570785c9db037efeb594ca48a5622790f407263bc028fbbfa0b696427f15f40bef9ba4a009da62cec109a4429024dd880079b8f2e688ddfd9206
-
Filesize
1KB
MD5
08d5f093428433f185325a619b9e1968
SHA1
807b4a92fcb7ae4e45e5eb43b6e4085af9589f8d
SHA256
e7657b022da976f8aa8d7489c3e0d0e6b2a54e9334c10ae90d6512988d68d51f
SHA512
81c95f8011b57f62ea00961933b48d5b6095e1155c71940bcd7e8ffc03117988eac00b882f6734073ac5775b960770be866de8a66169db2c3545a35db45c1118
-
Filesize
12KB
MD5
27afdd92fac59c83f1715a6ba8608d59
SHA1
a7eb711f0150ce898fcefc3e9bbbb36acdd1593a
SHA256
757ce931173ff3229a4c8a23f1aaec4716d5dd1b023a4f68efd7a830fb3d14ae
SHA512
9424af9bcbca5f8da050811aa36db9e834e2661a1839e90a8e4dc3523eb4a669daad4dfc6777a1242ebf04ee6e6031ba21461fff0acd0d6adb9286b113c477d1
-
Filesize
1KB
MD5
7b4c7773bd71a997445f264c6a352e07
SHA1
4604df42c5a8332583ef75197df6d97d9e9235b7
SHA256
e1c7b07a393cbce1ebf413527d3baecc8bb05f88d047949cd7a6a3bcb0663a64
SHA512
9e694ccf798fefa0b2fbe9b4fe17b725906dd51986a0a6272754d71efdce316ce765cf01b9203608a68d0e422fdf7da635085397c2824f8c9a09406d8cf2884d