Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 04:52
Static task: static1
Behavioral task: behavioral1
  Sample: d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
  Resource: win10v2004-20240508-en
General
Target: d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
Size: 12KB
MD5: 1009ec37a87bcbd283ac22c19fd9e8ef
SHA1: d86fc9cfb640b898e0fee1d36d04d7e532c697e6
SHA256: d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f
SHA512: b1847bb0b0c7ebe52b296c6b9a653f8bc7385386a71b376251c00f07bd7a0dc78b20f192ac2655636c1eb13783c9a631b6c8c8688b51fe5737129e4272e8a530
SSDEEP: 384:9L7li/2zHq2DcEQvdQcJKLTp/NK9xayH:tbMCQ9cyH
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
  Process: d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
Deletes itself (1 IoC)
  pid: 3960
  Process: tmpE782.tmp.exe
Executes dropped EXE (1 IoC)
  pid: 3960
  Process: tmpE782.tmp.exe
Uses the VBS compiler for execution (1 TTP)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 4024
  Process: d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 4024 wrote to memory of 1536 | 4024 | d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe | 93
  PID 4024 wrote to memory of 1536 | 4024 | d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe | 93
  PID 4024 wrote to memory of 1536 | 4024 | d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe | 93
  PID 1536 wrote to memory of 4368 | 1536 | vbc.exe | 95
  PID 1536 wrote to memory of 4368 | 1536 | vbc.exe | 95
  PID 1536 wrote to memory of 4368 | 1536 | vbc.exe | 95
  PID 4024 wrote to memory of 3960 | 4024 | d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe | 96
  PID 4024 wrote to memory of 3960 | 4024 | d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe | 96
  PID 4024 wrote to memory of 3960 | 4024 | d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe | 96
Processes (indentation shows the parent/child tree)
C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4024
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2m13gyg5\2m13gyg5.cmdline"
      - Suspicious use of WriteProcessMemory
      PID: 1536
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7E089BBD58F7499E96EF1385F69E86AD.TMP"
          PID: 4368
    C:\Users\Admin\AppData\Local\Temp\tmpE782.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE782.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe
      - Deletes itself
      - Executes dropped EXE
      PID: 3960
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4164,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:8
  PID: 1400
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
  MD5: 9c0b2d2b508f6865bcb41d3bf4f6c027
  SHA1: 22bf634cffb7fa64c7b222568c21e24e4ac493a1
  SHA256: 7cc0d5c0f13893e3234b55774f0f6a6aa4fd95a10cfbb342d3872a5785705d72
  SHA512: f79df74662461d57ce9761cb0d164b9724d01ba95d07a53ed6021f87023f703a8867a3dcb7bdd6328137cb4acf09ebc45421d013b2960b498d4307277a4bb465
Filesize: 273B
  MD5: a9d3ed61573319bbb1adf97af5664c3c
  SHA1: afafd50d03df9e21c29ae3f25df73c35cb02da28
  SHA256: dadc2f302307efc3d3a0b9607bab8dfac88eef32dc9c783de996a8fe79d896b3
  SHA512: 4f573eb32a74a22902a3dc06d6ea6264a3c808f519937cbe940f9dd1be99d0b97bf7de9fed884329b95b87b38b9a35d2fa4486314bbf52c441d032ec90133db2
Filesize: 2KB
  MD5: 68290d56f0120b44404cfe4769f9c75d
  SHA1: c61352e18973c44af629681364d7c2713513aad7
  SHA256: 371a7f13562337139e0d66c800a12e1a2240a9f36f05ee1b539cb1ec559f6320
  SHA512: e526fda49840fe589a32208bde9c3fc1171dde0ac103edb2e159252f1e6dc2abf03fc38a7ee86ea347dc4fd430fb759263ea25d0b7f79fb53c3ef5ab0e516197
Filesize: 1KB
  MD5: 5c9003effa672261dbfd78e21fd63609
  SHA1: c48a17da8f2ad74c31742c5b4620b1598516a5c2
  SHA256: 33a8f856a82fbb05d24ab200a2366c14f1cf880c3c611e5a81810f263d39de4f
  SHA512: 49d0e68cbeb83c4a4c6686ec4367a5e88222cc0f389da4cdfdfcc0663dd7566013f858f9198250d4b4d32f34bf3ba7e009d97357764ce55bc08060bccc7bca9b
Filesize: 12KB
  MD5: 5c6726cf26e624ee2ccf1c87fa023e29
  SHA1: 3ca075a50d84928ec35d40bbac504fde172725c4
  SHA256: 27428befc51ee0acb2e55130db83593c95c22bd8cef30c231b1ce5b4bb947a19
  SHA512: 8edf09db5c1f50ee4ce35e90210e5497e81e95180fdb0149488dad487ecd3cc4b69970ffb2d269f97e7982d972eb6e10a91b5160da1a5756ae6b0fff9053fba3
Filesize: 1KB
  MD5: db77505b22a3cda7bf6e02b60d2b6e97
  SHA1: cd73da46790bcba2e39f9eefe59a741ec52bd262
  SHA256: 1bf1712d0143bcdfd6774a3f271c73cedec6c668a6312ba05bc9b9379f9de051
  SHA512: 83ced60504d61a8596a5e6af47b527ef41f34d6656665755be6fbe764baf3ee780c519a33963f8c4e69fad4f55d97f8d04630303af72928e14b406be9281b594