Malware Analysis Report

2025-04-14 01:00

Sample ID 240602-2jfl7she7x
Target 5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f
SHA256 5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f

Threat Level: Shows suspicious behavior

The file 5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f shows suspicious behavior.

Malicious Activity Summary


Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Uses the VBS compiler for execution

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:36

Reported

2024-06-02 22:39

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp29DF.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp29DF.tmp.exe | N/A

Uses the VBS compiler for execution (the process list below shows vbc.exe, the Visual Basic .NET command-line compiler, launched by the sample with a .cmdline response file)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2756 wrote to memory of 2212 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2212 wrote to memory of 2576 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2756 wrote to memory of 2672 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe | C:\Users\Admin\AppData\Local\Temp\tmp29DF.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe

"C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ahcbcrc\2ahcbcrc.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA6BBA7F05F274DB98984F96356616C6B.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp29DF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp29DF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe

Network

N/A

Files

memory/2756-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/2756-1-0x0000000000D90000-0x0000000000D9A000-memory.dmp

memory/2756-7-0x0000000074B10000-0x00000000751FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ahcbcrc\2ahcbcrc.cmdline

MD5 0ffdfa2cace5e29e2dfef286c22f1fa6
SHA1 ffc04b5769a3bd0e0b1b759236d0ba5fb7ce56d0
SHA256 6ec941eecd91bee7bac7042d7a82f268b7c40519bbd1eb04990b497d8fb96a6e
SHA512 bb2a3d4b548f15e86d991a9eead413c3e7446e72531a36a2640de7abc2f982b799c9d98dbd1589153bcc78b6183a41e240a033f56745269b047fe195959b6434

C:\Users\Admin\AppData\Local\Temp\2ahcbcrc\2ahcbcrc.0.vb

MD5 8275e09afcf73d7c03d33c41410bf5fb
SHA1 04b96ca4d5ba0ad91e46b65c0086ffb7bc59c120
SHA256 4f792649ec63b122693dcf82c136917ebed21ec89542e1adab9f1e9721437104
SHA512 98749c53d1bd86df878df065deb904833d8dbe70cf38368a88f1573ce3083fca38471ca16201dcb1e2b213163ae47ca806b8711e41861a53cb9d50dbbc9fff29

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 6a6784655e370cd4beecd989ff0f57ff
SHA1 90fa0625974031a6738edc6ed91ceca0393925c7
SHA256 75871cd68334459d34e0393470d72c55128f44431bd7059f21cdea42e58e4cad
SHA512 5083d4c3ca29570785c9db037efeb594ca48a5622790f407263bc028fbbfa0b696427f15f40bef9ba4a009da62cec109a4429024dd880079b8f2e688ddfd9206

C:\Users\Admin\AppData\Local\Temp\vbcA6BBA7F05F274DB98984F96356616C6B.TMP

MD5 7b4c7773bd71a997445f264c6a352e07
SHA1 4604df42c5a8332583ef75197df6d97d9e9235b7
SHA256 e1c7b07a393cbce1ebf413527d3baecc8bb05f88d047949cd7a6a3bcb0663a64
SHA512 9e694ccf798fefa0b2fbe9b4fe17b725906dd51986a0a6272754d71efdce316ce765cf01b9203608a68d0e422fdf7da635085397c2824f8c9a09406d8cf2884d

C:\Users\Admin\AppData\Local\Temp\RES2B93.tmp

MD5 08d5f093428433f185325a619b9e1968
SHA1 807b4a92fcb7ae4e45e5eb43b6e4085af9589f8d
SHA256 e7657b022da976f8aa8d7489c3e0d0e6b2a54e9334c10ae90d6512988d68d51f
SHA512 81c95f8011b57f62ea00961933b48d5b6095e1155c71940bcd7e8ffc03117988eac00b882f6734073ac5775b960770be866de8a66169db2c3545a35db45c1118

C:\Users\Admin\AppData\Local\Temp\tmp29DF.tmp.exe

MD5 27afdd92fac59c83f1715a6ba8608d59
SHA1 a7eb711f0150ce898fcefc3e9bbbb36acdd1593a
SHA256 757ce931173ff3229a4c8a23f1aaec4716d5dd1b023a4f68efd7a830fb3d14ae
SHA512 9424af9bcbca5f8da050811aa36db9e834e2661a1839e90a8e4dc3523eb4a669daad4dfc6777a1242ebf04ee6e6031ba21461fff0acd0d6adb9286b113c477d1

memory/2672-23-0x00000000001F0000-0x00000000001FA000-memory.dmp

memory/2756-24-0x0000000074B10000-0x00000000751FE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 22:36

Reported

2024-06-02 22:39

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp11BF.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp11BF.tmp.exe | N/A

Uses the VBS compiler for execution (the process list below shows vbc.exe, the Visual Basic .NET command-line compiler, launched by the sample with a .cmdline response file)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4656 wrote to memory of 3560 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3560 wrote to memory of 3876 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4656 wrote to memory of 396 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe | C:\Users\Admin\AppData\Local\Temp\tmp11BF.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe

"C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wvgi2hxc\wvgi2hxc.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc39B546E95413430699225FB3BA98A5DA.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp11BF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp11BF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
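The process trees of behavioral1 and behavioral2 show the same three-step chain with different PIDs and random names: the sample (running from the user's Temp directory) launches vbc.exe with a /noconfig @*.cmdline response file, vbc.exe launches cvtres.exe, and the sample then starts a freshly built tmp*.tmp.exe with its own path as the only argument. The following detection logic is an example added to this report, not part of the sandbox output. Its input is constructed from the two process lists above; the parent-child links are an assumption inferred from the "PID X wrote to memory of Y" rows, the root ppid of 1 is a placeholder, and the MSBuild control event is invented to show that a compiler launched from outside the user profile is not flagged.

```python
"""Detect runtime .NET compilation from a user-profile parent and the
dropped-executable hand-off that carries the parent's own path."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # parent pid (assumed from the WriteProcessMemory rows)
    image: str     # full image path
    cmdline: str   # full command line


# Paths copied from the report; ppid links are an assumption, root ppid 1 is a placeholder.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5e471fefad350018ed05f175822f5ec09cc6fbaa614fda94ed8865e0187ae07f.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
VBC, CVTRES = NET + r"\vbc.exe", NET + r"\cvtres.exe"

EVENTS = [
    # behavioral1 (win7-20240221-en)
    ProcEvent(2756, 1, SAMPLE, rf'"{SAMPLE}"'),
    ProcEvent(2212, 2756, VBC, rf'"{VBC}" /noconfig @"{TEMP}\2ahcbcrc\2ahcbcrc.cmdline"'),
    ProcEvent(2576, 2212, CVTRES, rf'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\RES2B93.tmp" "{TEMP}\vbcA6BBA7F05F274DB98984F96356616C6B.TMP"'),
    ProcEvent(2672, 2756, TEMP + r"\tmp29DF.tmp.exe", rf'"{TEMP}\tmp29DF.tmp.exe" {SAMPLE}'),
    # behavioral2 (win10v2004-20240226-en)
    ProcEvent(4656, 1, SAMPLE, rf'"{SAMPLE}"'),
    ProcEvent(3560, 4656, VBC, rf'"{VBC}" /noconfig @"{TEMP}\wvgi2hxc\wvgi2hxc.cmdline"'),
    ProcEvent(3876, 3560, CVTRES, rf'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\RES30B0.tmp" "{TEMP}\vbc39B546E95413430699225FB3BA98A5DA.TMP"'),
    ProcEvent(396, 4656, TEMP + r"\tmp11BF.tmp.exe", rf'"{TEMP}\tmp11BF.tmp.exe" {SAMPLE}'),
    # constructed benign control (not from the report): a build tool under Program Files
    ProcEvent(900, 1, r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe", '"MSBuild.exe"'),
    ProcEvent(901, 900, VBC, rf'"{VBC}" /noconfig @"C:\src\app\obj\Debug\app.cmdline"'),
]

COMPILERS = {"vbc.exe", "csc.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
RESPONSE_FILE = re.compile(r'/noconfig\s+@"?([^"\s]+\.cmdline)"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_runtime_compile(events):
    """Flag vbc.exe/csc.exe whose parent runs from a user-writable profile
    directory; record the response file and whether cvtres.exe followed."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in COMPILERS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not USER_WRITABLE.match(parent.image):
            continue
        m = RESPONSE_FILE.search(e.cmdline)
        hits.append({
            "parent_pid": parent.pid,
            "compiler": basename(e.image),
            "response_file": basename(m.group(1)) if m else None,
            "cvtres_followed": any(c.ppid == e.pid and basename(c.image) == "cvtres.exe"
                                   for c in events),
        })
    return hits


def detect_dropped_handoff(events):
    """Flag a user-profile parent launching another user-profile executable and
    passing its own image path on the command line: the shape behind the
    'Deletes itself' signature attributed to tmp*.tmp.exe in this report."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if not (USER_WRITABLE.match(parent.image) and USER_WRITABLE.match(e.image)):
            continue
        if parent.image.lower() in e.cmdline.lower():
            hits.append({"parent_pid": parent.pid, "dropped": basename(e.image)})
    return hits


if __name__ == "__main__":
    for hit in detect_runtime_compile(EVENTS) + detect_dropped_handoff(EVENTS):
        print(hit)
```

Both detectors key on the parent's location rather than on the compiler itself, because vbc.exe and csc.exe are legitimately invoked by build tooling; the combination of a profile-directory parent, a .cmdline response file and a cvtres.exe child is what separates this sample's chain from a developer build. The second detector covers the hand-off in which the original binary's path is passed to the newly compiled helper, which the "Deletes itself" signature attributes to that helper.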

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
GB | 96.16.110.114:80 | | tcp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 13.107.253.64:443 | | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp

Every UDP row is a reverse (PTR) lookup of a public address sent to 8.8.8.8, the table attributes no connection to a process, and the Windows 7 run (behavioral1) recorded no network activity at all. Treat these destinations as unconfirmed until a connection is tied to the sample's process tree, not as command-and-control indicators.

Files

memory/4656-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

memory/4656-1-0x00000000001F0000-0x00000000001FA000-memory.dmp

memory/4656-2-0x0000000004B90000-0x0000000004C2C000-memory.dmp

memory/4656-7-0x0000000074B80000-0x0000000075330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wvgi2hxc\wvgi2hxc.cmdline

MD5 28d581cf2bd4122f1f56501b04cfcf28
SHA1 b8cabce47def34146082890414154f5b2946e1d5
SHA256 15fb62f4851141954bb2d6959967c02219dcb5aad9da2d9fd814e8d13c1e8df2
SHA512 6a4fd6a721dc004bd738660dca4b76eb9768c34aca060ad8cec617a25f835890a19c9d765813297bac97821dab2d6a84770a649f4251d28ca8250d28080b9679

C:\Users\Admin\AppData\Local\Temp\wvgi2hxc\wvgi2hxc.0.vb

MD5 8487049c5a7cc7cb6bfeb7e4764dec2f
SHA1 0520caa0c4b9ed58350e16f5796ad841c754e455
SHA256 344a8fca28cba9301285e23a00eda52df4a5cab80ffb13d9733fc670bc978d6a
SHA512 9e00dc93ba70e238374ac4c5124b81d8ccba02b0f5fab16a4c00cee743e70d93fb85b0fd8d2d317e725583a7b9b97a604996dc0241c08b2a25474c493c44148a

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 1a72061aa16f3221434fff97ee2fa94d
SHA1 a0869f4cb5b02fcac18b32d73b64e1ec28473463
SHA256 15edc98886be58076e464cffceefad18c78e7bf0868bdba8cc57d1cba1914f56
SHA512 33747b03b47dab4e2a2cec42b743e22abf49c3d545ce683e987cd93a879b13224541c07c594848bae1f1d2a8122ff52220c31e8bd6d846571d2da034cc41235d

C:\Users\Admin\AppData\Local\Temp\vbc39B546E95413430699225FB3BA98A5DA.TMP

MD5 e87d9f573c6dec1e6208fa7ca70778a5
SHA1 987fc2c39b1c3e839e18276328b3dbe7d92bfa2f
SHA256 bc365e4fbd85c90176228d962c35249abe652357266a0193bc312b5ae5e2cf34
SHA512 c7bd5c7f27be7853e5137b7677cf18098c672623a18c55644402eacb425d10f78ba0f73dd93178b7bbf2068a8e8a3645fb36c3eb5e716f9d26e00810248ae74a

C:\Users\Admin\AppData\Local\Temp\RES30B0.tmp

MD5 4afa14aad7ac810eac32cee375dacf20
SHA1 9a1b34a9964efcd454e1ee8ee8f1dd074e015eb8
SHA256 d76f8d9dd6bee5a6d540bceadadbcaea81a7d5df00825aadeb1616bc6c09c23d
SHA512 ac7e62ac462a815b472efc898fdd768092b290f37dea99c10afa0ca17f98d52df738ef5b3d95774bb0066d35314b6a65f898d67563b31e6c8c1bf9bc2ddc0ea7

C:\Users\Admin\AppData\Local\Temp\tmp11BF.tmp.exe

MD5 bdb3abe69f6518ada3e376fa77a3c120
SHA1 13c982743fa069a5e2e1c84cd40e9291e6c77681
SHA256 2d750bb8298c328bc9bb797df97dbd03ab696c146d66fab9a1cab8cd16149f3f
SHA512 6d3f2eff54a8ba4493303f126b2d15c8436ed304fc3886a77eb39c6abbe1f4a83c812d008a100a754cd28504a067cb871249a59ec7757401ee75a5d34527122c

memory/396-23-0x00000000000E0000-0x00000000000EA000-memory.dmp

memory/396-24-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/4656-26-0x0000000074B80000-0x0000000075330000-memory.dmp

memory/396-27-0x0000000005000000-0x00000000055A4000-memory.dmp

memory/396-28-0x0000000004AF0000-0x0000000004B82000-memory.dmp

memory/396-30-0x0000000074B80000-0x0000000075330000-memory.dmp
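The two Files sections list the same six artifact roles in both runs (the .cmdline response file, the .0.vb source, RE.resources, the vbc*.TMP resource object, the RES*.tmp output and the compiled tmp*.tmp.exe), yet every hash differs between the Windows 7 and Windows 10 detonations, including RE.resources, whose name is fixed. The following script is an example added to this report, not part of the sandbox output: it parses a Files section in the report's own layout, normalises the randomised file names so artifacts can be matched across runs, and reports which hashes are stable. The embedded excerpts copy the path and SHA256 lines from the two sections above and omit the MD5/SHA1/SHA512 rows; the normalisation rules are assumptions chosen for these name patterns.

```python
"""Match dropped artifacts across two detonations and report hash stability."""
import re

# Excerpts of the two Files sections (constructed from the report, SHA256 rows only).
RUN1 = r"""
memory/2756-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2ahcbcrc\2ahcbcrc.cmdline
SHA256 6ec941eecd91bee7bac7042d7a82f268b7c40519bbd1eb04990b497d8fb96a6e
C:\Users\Admin\AppData\Local\Temp\2ahcbcrc\2ahcbcrc.0.vb
SHA256 4f792649ec63b122693dcf82c136917ebed21ec89542e1adab9f1e9721437104
C:\Users\Admin\AppData\Local\Temp\RE.resources
SHA256 75871cd68334459d34e0393470d72c55128f44431bd7059f21cdea42e58e4cad
C:\Users\Admin\AppData\Local\Temp\vbcA6BBA7F05F274DB98984F96356616C6B.TMP
SHA256 e1c7b07a393cbce1ebf413527d3baecc8bb05f88d047949cd7a6a3bcb0663a64
C:\Users\Admin\AppData\Local\Temp\RES2B93.tmp
SHA256 e7657b022da976f8aa8d7489c3e0d0e6b2a54e9334c10ae90d6512988d68d51f
C:\Users\Admin\AppData\Local\Temp\tmp29DF.tmp.exe
SHA256 757ce931173ff3229a4c8a23f1aaec4716d5dd1b023a4f68efd7a830fb3d14ae
"""

RUN2 = r"""
memory/4656-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wvgi2hxc\wvgi2hxc.cmdline
SHA256 15fb62f4851141954bb2d6959967c02219dcb5aad9da2d9fd814e8d13c1e8df2
C:\Users\Admin\AppData\Local\Temp\wvgi2hxc\wvgi2hxc.0.vb
SHA256 344a8fca28cba9301285e23a00eda52df4a5cab80ffb13d9733fc670bc978d6a
C:\Users\Admin\AppData\Local\Temp\RE.resources
SHA256 15edc98886be58076e464cffceefad18c78e7bf0868bdba8cc57d1cba1914f56
C:\Users\Admin\AppData\Local\Temp\vbc39B546E95413430699225FB3BA98A5DA.TMP
SHA256 bc365e4fbd85c90176228d962c35249abe652357266a0193bc312b5ae5e2cf34
C:\Users\Admin\AppData\Local\Temp\RES30B0.tmp
SHA256 d76f8d9dd6bee5a6d540bceadadbcaea81a7d5df00825aadeb1616bc6c09c23d
C:\Users\Admin\AppData\Local\Temp\tmp11BF.tmp.exe
SHA256 2d750bb8298c328bc9bb797df97dbd03ab696c146d66fab9a1cab8cd16149f3f
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)

# Assumed normalisation rules for the randomised names seen in this report.
CANON = [
    (re.compile(r"^tmp[0-9a-f]{4}\.tmp\.exe$", re.I), "tmp????.tmp.exe"),
    (re.compile(r"^RES[0-9a-f]{4}\.tmp$", re.I), "RES????.tmp"),
    (re.compile(r"^vbc[0-9a-f]{32}\.TMP$", re.I), "vbc<guid>.TMP"),
    (re.compile(r"^[a-z0-9]{8}\.(cmdline|0\.vb)$", re.I), r"<rand>.\1"),
]


def parse_files(section: str) -> dict:
    """Map each file path to its hashes; memory/... dump entries carry none and are skipped."""
    files, current = {}, None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            files[current][m.group(1).upper()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = line
            files[current] = {}
    return files


def canonical(path: str) -> str:
    """Replace the random part of a dropped-file name so runs can be matched."""
    name = path.rsplit("\\", 1)[-1]
    for pat, repl in CANON:
        if pat.match(name):
            return pat.sub(repl, name)
    return name


def compare_runs(run_a: str, run_b: str, algo: str = "SHA256") -> dict:
    """For artifacts present in both runs, report both hashes and whether they match."""
    a = {canonical(p): h.get(algo) for p, h in parse_files(run_a).items()}
    b = {canonical(p): h.get(algo) for p, h in parse_files(run_b).items()}
    return {n: {"run_a": a[n], "run_b": b[n], "stable": a[n] == b[n]} for n in a if n in b}


def unstable(run_a: str, run_b: str) -> list:
    return sorted(n for n, r in compare_runs(run_a, run_b).items() if not r["stable"])


if __name__ == "__main__":
    for name, row in compare_runs(RUN1, RUN2).items():
        print(f"{name:20} stable={row['stable']}")
```

For this sample the result is that no dropped artifact keeps its hash between runs, so the file hashes in either Files section are weak indicators on their own; the durable signals are the behavioral ones recorded in the Signatures and Processes sections (the vbc.exe/cvtres.exe chain and the tmp*.tmp.exe hand-off).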