Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/06/2024, 21:39
Static task: static1
Behavioral task: behavioral1
Sample: 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
Resource: win10v2004-20240508-en
General
Target: 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
Size: 12KB
MD5: 6096e231bc0b4dc1a76477531f1a6c77
SHA1: d7a2f598a0de951831f2ca68a002959866598120
SHA256: 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9
SHA512: 27bfe179b0939006243d0362acbdb516682c6d128a967cce0c91180974056d6bb2cbfbff9fca3e18f65eb5f83fa70a9510347be7aca59816ea65351d5422298a
SSDEEP: 384:4L7li/2zlq2DcEQvdhcJKLTp/NK9xafo:GdM/Q9cfo
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (process: 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe)
- Deletes itself (1 IoC)
  PID 1924, process tmp6F26.tmp.exe
- Executes dropped EXE (1 IoC)
  PID 1924, process tmp6F26.tmp.exe
- Uses the VBS compiler for execution (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4072, process 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Columns: description, pid, process, procid_target
  PID 4072 wrote to memory of 2528 | 4072 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 88
  PID 4072 wrote to memory of 2528 | 4072 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 88
  PID 4072 wrote to memory of 2528 | 4072 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 88
  PID 2528 wrote to memory of 736 | 2528 | vbc.exe | 91
  PID 2528 wrote to memory of 736 | 2528 | vbc.exe | 91
  PID 2528 wrote to memory of 736 | 2528 | vbc.exe | 91
  PID 4072 wrote to memory of 1924 | 4072 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 92
  PID 4072 wrote to memory of 1924 | 4072 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 92
  PID 4072 wrote to memory of 1924 | 4072 | 3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe (PID 4072)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2528)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1baipetg\1baipetg.cmdline"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 736)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7109.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA8142FFB97741D0A1C586ACED66BF.TMP"
  - C:\Users\Admin\AppData\Local\Temp\tmp6F26.tmp.exe (PID 1924)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6F26.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3984bc3bf83506e6455119a8af0f04a91b1392a78fe3a39eabaa0c0230e6a9b9.exe
    - Deletes itself
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads