Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 06/06/2024, 21:39
Static task: static1
Behavioral task: behavioral1
- Sample: 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
- Resource: win10v2004-20240508-en
General
- Target: 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
- Size: 12KB
- MD5: 6096e231bc0b4dc1a76477531f1a6c77
- SHA1: d7a2f598a0de951831f2ca68a002959866598120
- SHA256: 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9
- SHA512: 27bfe179b0939006243d0362acbdb516682c6d128a967cce0c91180974056d6bb2cbfbff9fca3e18f65eb5f83fa70a9510347be7aca59816ea65351d5422298a
- SSDEEP: 384:4L7li/2zlq2DcEQvdhcJKLTp/NK9xafo:GdM/Q9cfo
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid 2792, Process tmp2473.tmp.exe
- Executes dropped EXE (1 IoCs)
  pid 2792, Process tmp2473.tmp.exe
- Loads dropped DLL (1 IoCs)
  pid 2132, Process 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 2132, Process 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2132 wrote to memory of 2836 | 2132 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 28
  PID 2132 wrote to memory of 2836 | 2132 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 28
  PID 2132 wrote to memory of 2836 | 2132 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 28
  PID 2132 wrote to memory of 2836 | 2132 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 28
  PID 2836 wrote to memory of 2624 | 2836 | vbc.exe | 30
  PID 2836 wrote to memory of 2624 | 2836 | vbc.exe | 30
  PID 2836 wrote to memory of 2624 | 2836 | vbc.exe | 30
  PID 2836 wrote to memory of 2624 | 2836 | vbc.exe | 30
  PID 2132 wrote to memory of 2792 | 2132 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 31
  PID 2132 wrote to memory of 2792 | 2132 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 31
  PID 2132 wrote to memory of 2792 | 2132 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 31
  PID 2132 wrote to memory of 2792 | 2132 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe"
  PID: 2132
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kw3lfnw0\kw3lfnw0.cmdline"
    PID: 2836
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2646.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42E842DD689E40D3886E82D85F5CB91.TMP"
      PID: 2624
  - C:\Users\Admin\AppData\Local\Temp\tmp2473.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp2473.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
    PID: 2792
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: f77602eeb5dfd8d5331f89b51006957d
  SHA1: 1d3eeddd01c7c1acece87b7d4c2f3ae3ee15d49a
  SHA256: 5159b2149ef7241ac000f83f99020b1b74853f6ad93edfef4bd22341335d6f98
  SHA512: 99a847781f0450b99ff52492aed8c53e45248ff2b8a4a947833a12baebb1b6365506ab5afb2a133466cde7168e39cbfb196510b8b3e0670749301d686dd6b2ab
- Filesize: 1KB
  MD5: e716cd76568986447a329f6270644f78
  SHA1: 5f83ba715c595c1c3f080150273baf93907c6cd4
  SHA256: a995ceb6ef26317c2a7cddbdbd02d8bc8bea9b1b3d9b66b66130d48c8e2f5e6c
  SHA512: 988191175eb436b69b3069ae8166569d4484dbdbfdf3cc9f328de2417dab368b35b2ea8c5bdbbac9cf143b58edb9096c657006759bfcc89497184e1d047978ee
- Filesize: 2KB
  MD5: 78688011e7bc26f5b0ecf073d20301a9
  SHA1: c6e054b132eb32b289cca8648d1e309ce55ebb82
  SHA256: a2e10214d5f3563077f786ebd7fc986fba92129384e3635c833d8d29717aded5
  SHA512: 1b465f2774f386d0a0fd0477eca17748dea1ecd22185e7a1e5b59f7155e3e868d8671dfaae0bfa8aa26efa5690285c23fde44cad3d910c3558c5ba56251528c8
- Filesize: 273B
  MD5: 530b780bc8236254b4fc136197209970
  SHA1: 53a01f093296227c24d3258bda4019973d555a06
  SHA256: 9e30c5cda0cbc26763808dc3ccc172d03867b5614df8b6e71aeb051df6dfde4a
  SHA512: a5ee5a4771feaf46abbb16ca416846bcfca9c34911bf1a3e935c995ecb910afb05fa09cd222dd68c5a69a93793ad81fdfc1326f60403e1df1a0270aabd0f6de0
- Filesize: 12KB
  MD5: 556fd326ab1ddf6b754fd4f30c939200
  SHA1: 15fcf461c948163b5bb3b5d1bd139a954903a39f
  SHA256: d70579eebdeadbdc2bc50900dbae304db35b3606adc4486f6d10bb1e6f077639
  SHA512: 1ca5380952a442dd4c907e812a4dbfafeee25095c196fb29485d73c1428f1bc27b18cc3ab257df6ca11d02eb58adf165a5ff41616daa9f837ae54d22c8d4b905
- Filesize: 1KB
  MD5: e070c493e555643377b11293aa9cdb63
  SHA1: 94cde3f56c28d8a7d4b8bb7777cd8c47c68fd75d
  SHA256: 69d78095bbf3710a5336aff135e6eb5b0fb869bc41ac02aac70cf32a0ba220e8
  SHA512: 130b13522687c9b40301b7e429f462996aaf49a2454987f68013bf49e09b87c662e54605e8ebba67a64cee9ee49cdd1b8b476fd817b31fe93741e9547a8ae154