Malware Analysis Report

2025-08-05 15:57

Sample ID: 240612-fhhvaa1enm
Target: d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f
SHA256: d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f
Tags: none
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256

d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f

Threat Level: Shows suspicious behavior

The file d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f was classified as: shows suspicious behavior.

Malicious Activity Summary

Uses the VBS compiler for execution

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 04:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:54

Platform

win7-20240611-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2800 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2800 wrote to memory of 2696 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2104 wrote to memory of 2748 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe

"C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hrynlkwn\hrynlkwn.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES602A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB120CB7635EC4D5C89973B5541962F54.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe

Network

N/A

Files

memory/2104-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

memory/2104-1-0x0000000001380000-0x000000000138A000-memory.dmp

memory/2104-7-0x0000000074E80000-0x000000007556E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hrynlkwn\hrynlkwn.cmdline

MD5 13d35e9ade9d862d4d21edd49edf3078
SHA1 1e133fa74c7ac6828315636f3682713bcf266955
SHA256 6c3a434c9e7e6a5f4434143f893ac8e04c2aaa41dc9c78de82f59eb3ab7793d0
SHA512 b66b57bd8717cd8550d53086e5a084d00fad5044258bb74b2ba7390e0d708e72e237903f3d2f63978afc94cada8980727a40dc07d21ed22c2955594f1c5a9a70

C:\Users\Admin\AppData\Local\Temp\hrynlkwn\hrynlkwn.0.vb

MD5 feea7bf0777d825ff6f463417ffe3118
SHA1 13b416c2bcaf75f47a53bdd01ef2b5bed716536c
SHA256 349ed88a0cfdd7c5274f43c931c87c5cf6ed9fc9c032d660435155361ffebd5e
SHA512 420f2676b52c2a331ebc9f2fc3a761a0429f421970646e8c968cc9b94fc1558d4bf614f42278a317826fdc78b51647ce3b430e135879b5ee2da471831d46d5e4

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 0da6623e576193254e58434a9edd0c6e
SHA1 b5dbdde35bb55f3eaaa16b23f9674e8119772212
SHA256 ee3e0e4c400bc1c6a4d5aae76e6d44b7b5ede8751d9a5d6203d3580bf3c374e3
SHA512 7cf4c77bb35583ca52c33a528a2e04da2956832577436bb99fb676f81dbc3e8bcd2dcdce2ee1874c569d407b82ec6a72f1e5b6c5ad17b4c37a50433726f9b778

C:\Users\Admin\AppData\Local\Temp\vbcB120CB7635EC4D5C89973B5541962F54.TMP

MD5 d3c56b0d548fb886ea051fccb58b701a
SHA1 b3a981aecd3e7fce0189c96b46e0956eb9da462f
SHA256 ab27c4577c33f819a2a0461c6f702ec508f36d39b1f5376ae39e0a4fe6c18f5a
SHA512 8d7dd939e45f8db15095ebb27c747f244e630e26e86a2c04792ac15e5e4710fbeba8a82ea1bacdb35ba95c01593ed1db9452bac47116e4318974cb25c848d72c

C:\Users\Admin\AppData\Local\Temp\RES602A.tmp

MD5 06d676cd3eb7e368c9eb55ac9d3358de
SHA1 dc85c26dc54eda1c3776295c376e9691828a0da3
SHA256 29afeb1f91e2890411c27fc256650e4eb094c6744585dd0f37cf5edace2327bc
SHA512 5f4a6c57f80d24e6c1731065df1e0edac479e4193f2e8b5cb7f81f79df5c9127aa1c3291a4016b37614c688727f454507ee99c2fa64d918b1b0f618307d1d96d

C:\Users\Admin\AppData\Local\Temp\tmp5B2B.tmp.exe

MD5 f9b4b2d0bfad861d0a4ea05e930df915
SHA1 7dc0eb00cfe9de5ef3507a2ec06e38ac6b797707
SHA256 8c912c57e359da0db3bae8d0a8c0622c59e82257a38debbd3d396bbc096aa375
SHA512 afedf5d1975e305c31d492cdd86713e3c2fdefbd983499e2d456cff71d8fab7ea97a0b5c875dd27c963c8ee97decd7abb0442d08e7be93ac4f2960ea054fd8e7

memory/2748-23-0x0000000000F70000-0x0000000000F7A000-memory.dmp

memory/2104-24-0x0000000074E80000-0x000000007556E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 04:52

Reported

2024-06-12 04:54

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE782.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpE782.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 1536 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1536 wrote to memory of 4368 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4024 wrote to memory of 3960 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe C:\Users\Admin\AppData\Local\Temp\tmpE782.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe

"C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2m13gyg5\2m13gyg5.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8BA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7E089BBD58F7499E96EF1385F69E86AD.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpE782.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpE782.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d7db88115f40eeb5b08be7faa8e414589dd8d5c4569e21765cd260fec0ff031f.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4164,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4024-0-0x000000007507E000-0x000000007507F000-memory.dmp

memory/4024-1-0x00000000005A0000-0x00000000005AA000-memory.dmp

memory/4024-2-0x0000000004FB0000-0x000000000504C000-memory.dmp

memory/4024-8-0x0000000075070000-0x0000000075820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2m13gyg5\2m13gyg5.cmdline

MD5 a9d3ed61573319bbb1adf97af5664c3c
SHA1 afafd50d03df9e21c29ae3f25df73c35cb02da28
SHA256 dadc2f302307efc3d3a0b9607bab8dfac88eef32dc9c783de996a8fe79d896b3
SHA512 4f573eb32a74a22902a3dc06d6ea6264a3c808f519937cbe940f9dd1be99d0b97bf7de9fed884329b95b87b38b9a35d2fa4486314bbf52c441d032ec90133db2

C:\Users\Admin\AppData\Local\Temp\2m13gyg5\2m13gyg5.0.vb

MD5 9c0b2d2b508f6865bcb41d3bf4f6c027
SHA1 22bf634cffb7fa64c7b222568c21e24e4ac493a1
SHA256 7cc0d5c0f13893e3234b55774f0f6a6aa4fd95a10cfbb342d3872a5785705d72
SHA512 f79df74662461d57ce9761cb0d164b9724d01ba95d07a53ed6021f87023f703a8867a3dcb7bdd6328137cb4acf09ebc45421d013b2960b498d4307277a4bb465

C:\Users\Admin\AppData\Local\Temp\RE.resources

MD5 68290d56f0120b44404cfe4769f9c75d
SHA1 c61352e18973c44af629681364d7c2713513aad7
SHA256 371a7f13562337139e0d66c800a12e1a2240a9f36f05ee1b539cb1ec559f6320
SHA512 e526fda49840fe589a32208bde9c3fc1171dde0ac103edb2e159252f1e6dc2abf03fc38a7ee86ea347dc4fd430fb759263ea25d0b7f79fb53c3ef5ab0e516197

C:\Users\Admin\AppData\Local\Temp\vbc7E089BBD58F7499E96EF1385F69E86AD.TMP

MD5 db77505b22a3cda7bf6e02b60d2b6e97
SHA1 cd73da46790bcba2e39f9eefe59a741ec52bd262
SHA256 1bf1712d0143bcdfd6774a3f271c73cedec6c668a6312ba05bc9b9379f9de051
SHA512 83ced60504d61a8596a5e6af47b527ef41f34d6656665755be6fbe764baf3ee780c519a33963f8c4e69fad4f55d97f8d04630303af72928e14b406be9281b594

C:\Users\Admin\AppData\Local\Temp\RESE8BA.tmp

MD5 5c9003effa672261dbfd78e21fd63609
SHA1 c48a17da8f2ad74c31742c5b4620b1598516a5c2
SHA256 33a8f856a82fbb05d24ab200a2366c14f1cf880c3c611e5a81810f263d39de4f
SHA512 49d0e68cbeb83c4a4c6686ec4367a5e88222cc0f389da4cdfdfcc0663dd7566013f858f9198250d4b4d32f34bf3ba7e009d97357764ce55bc08060bccc7bca9b

C:\Users\Admin\AppData\Local\Temp\tmpE782.tmp.exe

MD5 5c6726cf26e624ee2ccf1c87fa023e29
SHA1 3ca075a50d84928ec35d40bbac504fde172725c4
SHA256 27428befc51ee0acb2e55130db83593c95c22bd8cef30c231b1ce5b4bb947a19
SHA512 8edf09db5c1f50ee4ce35e90210e5497e81e95180fdb0149488dad487ecd3cc4b69970ffb2d269f97e7982d972eb6e10a91b5160da1a5756ae6b0fff9053fba3

memory/4024-24-0x0000000075070000-0x0000000075820000-memory.dmp

memory/3960-25-0x0000000075070000-0x0000000075820000-memory.dmp

memory/3960-26-0x00000000005D0000-0x00000000005DA000-memory.dmp

memory/3960-27-0x0000000005550000-0x0000000005AF4000-memory.dmp

memory/3960-28-0x0000000004FA0000-0x0000000005032000-memory.dmp

memory/3960-30-0x0000000075070000-0x0000000075820000-memory.dmp