Analysis
-
max time kernel
120s
-
max time network
124s
-
platform
windows7_x64
-
resource
win7-20240611-en
-
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
-
submitted
12/06/2024, 04:52
Static task
static1
Behavioral task
behavioral1
Sample
d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
Resource
win10v2004-20240508-en
General
-
Target
d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
-
Size
12KB
-
MD5
1009ec37a87bcbd283ac22c19fd9e8ef
-
SHA1
d86fc9cfb640b898e0fee1d36d04d7e532c697e6
-
SHA256
d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f
-
SHA512
b1847bb0b0c7ebe52b296c6b9a653f8bc7385386a71b376251c00f07bd7a0dc78b20f192ac2655636c1eb13783c9a631b6c8c8688b51fe5737129e4272e8a530
-
SSDEEP
384:9L7li/2zHq2DcEQvdQcJKLTp/NK9xayH:tbMCQ9cyH
Malware Config
Signatures
-
Deletes itself (1 IoC)
pid   Process
2748  tmp5B2B.tmp.exe
-
Executes dropped EXE (1 IoC)
pid   Process
2748  tmp5B2B.tmp.exe
-
Loads dropped DLL (1 IoC)
pid   Process
2104  d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
-
Uses the VBS compiler for execution (1 TTP)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2104  d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
-
Suspicious use of WriteProcessMemory (12 IoCs; three distinct parent/child pairs, each logged four times)
description                       pid   Process                                                                 procid_target  events
PID 2104 wrote to memory of 2800  2104  d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe  28             4
PID 2800 wrote to memory of 2696  2800  vbc.exe                                                                 30             4
PID 2104 wrote to memory of 2748  2104  d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe  31             4
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
  "C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe"
  PID: 2104
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hrynlkwn\hrynlkwn.cmdline"
    PID: 2800
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES602A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB120CB7635EC4D5C89973B5541962F54.TMP"
      PID: 2696
  -
  C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
    PID: 2748
    - Deletes itself
    - Executes dropped EXE
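The process tree above is the characteristic .NET "compile at runtime, then self-delete" chain: the dropper starts vbc.exe with a @*.cmdline response file, vbc.exe calls cvtres.exe to build the RES*.tmp resource, and the freshly built tmp5B2B.tmp.exe is started with the dropper's own path as its only argument, which is the helper the sandbox credits with "Deletes itself". The detection logic below is an added example and is not part of the sandbox report. It runs over process-creation events reconstructed from the tree above (constructed for this example, not captured telemetry) plus one benign Visual Studio build for contrast; the DEV_PARENTS allowlist and the temp-helper filename pattern are assumptions to tune per environment.

```python
"""Detect the runtime-compile + self-delete chain from process-creation events.
Added example, not part of the sandbox output. Events below are constructed
from the report's process tree, not from real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the started image
    cmdline: str   # full command line as logged (Sysmon EID 1 / 4688 style)


# Parents that legitimately drive the .NET compilers. Assumption: tune per estate.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "csc.exe", "vbc.exe"}
COMPILERS = {"vbc.exe", "csc.exe"}

RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)
TMP_HELPER = re.compile(r"\\tmp[0-9a-f]{4}\.tmp\.exe$", re.IGNORECASE)  # assumed naming
FIRST_TOKEN = re.compile(r'^(?:"[^"]*"|\S+)\s*')   # strips argv[0] from a command line


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[ProcEvent]) -> list[dict]:
    evs = list(events)
    by_pid = {e.pid: e for e in evs}
    findings: list[dict] = []
    for e in evs:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        pname = basename(parent.image) if parent else ""

        # Rule 1: vbc/csc driven by a @x.cmdline response file from a non-developer
        # parent. This is the behaviour the report labels "Uses the VBS compiler".
        if name in COMPILERS and pname not in DEV_PARENTS:
            m = RESPONSE_FILE.search(e.cmdline)
            if m:
                findings.append({"rule": "runtime_compile", "pid": e.pid,
                                 "parent": pname, "response_file": m.group(1)})

        # Rule 2: cvtres.exe under a compiler whose own parent is not a dev tool.
        # The RES*.tmp step shows a real build happened, not just a stray launch.
        if name == "cvtres.exe" and parent and pname in COMPILERS:
            gp = by_pid.get(parent.ppid)
            gpname = basename(gp.image) if gp else ""
            if gpname not in DEV_PARENTS:
                findings.append({"rule": "compile_chain", "pid": e.pid,
                                 "grandparent": gpname})

        # Rule 3: a tmpXXXX.tmp.exe started with the parent's own image path as an
        # argument: a helper that outlives the dropper and removes it.
        if TMP_HELPER.search(e.image) and parent:
            args = FIRST_TOKEN.sub("", e.cmdline)
            if parent.image.lower() in args.lower():
                findings.append({"rule": "self_delete_helper", "pid": e.pid,
                                 "deletes": parent.image})
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE = TEMP + r"\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe"

# Constructed events mirroring the report's tree, plus one benign build for contrast.
SAMPLE_EVENTS = [
    ProcEvent(2104, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2800, 2104, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /noconfig @"{TEMP}\\hrynlkwn\\hrynlkwn.cmdline"'),
    ProcEvent(2696, 2800, NET + r"\cvtres.exe",
              f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RES602A.tmp" '
              f'"{TEMP}\\vbcB120CB7635EC4D5C89973B5541962F54.TMP"'),
    ProcEvent(2748, 2104, TEMP + r"\tmp5B2B.tmp.exe",
              f'"{TEMP}\\tmp5B2B.tmp.exe" {SAMPLE}'),
    ProcEvent(3999, 0, r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              '"C:\\Program Files\\Microsoft Visual Studio\\devenv.exe"'),
    ProcEvent(4000, 3999, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /noconfig @"{TEMP}\\abcd\\abcd.cmdline"'),
]


def run_sample() -> list[dict]:
    """Run the three rules over the constructed events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Rule 1 alone fires on every CodeDOM user, including legitimate installers and PowerShell's Add-Type, so the parent allowlist and the correlation with rules 2 and 3 are what keep the alert useful; the devenv.exe-driven vbc.exe event in the sample produces no finding for that reason.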
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5
0da6623e576193254e58434a9edd0c6e
SHA1
b5dbdde35bb55f3eaaa16b23f9674e8119772212
SHA256
ee3e0e4c400bc1c6a4d5aae76e6d44b7b5ede8751d9a5d6203d3580bf3c374e3
SHA512
7cf4c77bb35583ca52c33a528a2e04da2956832577436bb99fb676f81dbc3e8bcd2dcdce2ee1874c569d407b82ec6a72f1e5b6c5ad17b4c37a50433726f9b778
-
Filesize
1KB
MD5
06d676cd3eb7e368c9eb55ac9d3358de
SHA1
dc85c26dc54eda1c3776295c376e9691828a0da3
SHA256
29afeb1f91e2890411c27fc256650e4eb094c6744585dd0f37cf5edace2327bc
SHA512
5f4a6c57f80d24e6c1731065df1e0edac479e4193f2e8b5cb7f81f79df5c9127aa1c3291a4016b37614c688727f454507ee99c2fa64d918b1b0f618307d1d96d
-
Filesize
2KB
MD5
feea7bf0777d825ff6f463417ffe3118
SHA1
13b416c2bcaf75f47a53bdd01ef2b5bed716536c
SHA256
349ed88a0cfdd7c5274f43c931c87c5cf6ed9fc9c032d660435155361ffebd5e
SHA512
420f2676b52c2a331ebc9f2fc3a761a0429f421970646e8c968cc9b94fc1558d4bf614f42278a317826fdc78b51647ce3b430e135879b5ee2da471831d46d5e4
-
Filesize
273B
MD5
13d35e9ade9d862d4d21edd49edf3078
SHA1
1e133fa74c7ac6828315636f3682713bcf266955
SHA256
6c3a434c9e7e6a5f4434143f893ac8e04c2aaa41dc9c78de82f59eb3ab7793d0
SHA512
b66b57bd8717cd8550d53086e5a084d00fad5044258bb74b2ba7390e0d708e72e237903f3d2f63978afc94cada8980727a40dc07d21ed22c2955594f1c5a9a70
-
Filesize
12KB
MD5
f9b4b2d0bfad861d0a4ea05e930df915
SHA1
7dc0eb00cfe9de5ef3507a2ec06e38ac6b797707
SHA256
8c912c57e359da0db3bae8d0a8c0622c59e82257a38debbd3d396bbc096aa375
SHA512
afedf5d1975e305c31d492cdd86713e3c2fdefbd983499e2d456cff71d8fab7ea97a0b5c875dd27c963c8ee97decd7abb0442d08e7be93ac4f2960ea054fd8e7
-
Filesize
1KB
MD5
d3c56b0d548fb886ea051fccb58b701a
SHA1
b3a981aecd3e7fce0189c96b46e0956eb9da462f
SHA256
ab27c4577c33f819a2a0461c6f702ec508f36d39b1f5376ae39e0a4fe6c18f5a
SHA512
8d7dd939e45f8db15095ebb27c747f244e630e26e86a2c04792ac15e5e4710fbeba8a82ea1bacdb35ba95c01593ed1db9452bac47116e4318974cb25c848d72c