Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 22:36
Static task: static1
Behavioral task: behavioral1
  Sample: 5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
  Resource: win10v2004-20240226-en
General
Target: 5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
Size: 12KB
MD5: 90140da9dd0064d5e7e7faeef8df6058
SHA1: 187ad926180b3aac26b47001819ad301d650f528
SHA256: 5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f
SHA512: 49776fb6f01a63582f92209ded62a4979064d96de94a74ecbede1569adac132ae894912ddb6eee388e3d63159a5b0434c11a5e289fc70fd2f534a1e60a1039ff
SSDEEP: 384:GL7li/2zXq2DcEQvdQcJKLTp/NK9xa5F:gTMCQ9c5F
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  process: 5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe

Deletes itself (1 IoC)
  pid: 396  process: tmp11BF.tmp.exe

Executes dropped EXE (1 IoC)
  pid: 396  process: tmp11BF.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege  pid: 4656  process: 5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                         pid   process                                                                  procid_target
  PID 4656 wrote to memory of 3560    4656  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe   90
  PID 4656 wrote to memory of 3560    4656  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe   90
  PID 4656 wrote to memory of 3560    4656  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe   90
  PID 3560 wrote to memory of 3876    3560  vbc.exe                                                                  92
  PID 3560 wrote to memory of 3876    3560  vbc.exe                                                                  92
  PID 3560 wrote to memory of 3876    3560  vbc.exe                                                                  92
  PID 4656 wrote to memory of 396     4656  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe   93
  PID 4656 wrote to memory of 396     4656  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe   93
  PID 4656 wrote to memory of 396     4656  5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe   93
Processes
C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe"
  PID: 4656
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wvgi2hxc\wvgi2hxc.cmdline"
    PID: 3560
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39B546E95413430699225FB3BA98A5DA.TMP"
      PID: 3876
  C:\Users\Admin\AppData\Local\Temp\tmp11BF.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp11BF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe
    PID: 396
    - Deletes itself
    - Executes dropped EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
  PID: 2572
Network
MITRE ATT&CK Enterprise v15
Downloads