Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-07-2024 21:17
Static task
static1
Behavioral task
behavioral1
Sample
0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Resource
win10v2004-20240709-en
General
-
Target
0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
-
Size
78KB
-
MD5
0c7da8d5a9cd906b6e7bfa5c6c3e5c40
-
SHA1
4403b0775b66ad69b326dd5f9abbe736e0ce10c7
-
SHA256
070def2d76946994196689b38aab650d16799ec9632ab44fb9926ce55bc6d2e3
-
SHA512
2e05e10e498cfa978aa5865a8de0b7c66ca831f96e2fb170d7b5cec1c2ad39c18e1b18faea13d9be359584d3eaa14d2768619f402006f0826a29f278d9b7a45e
-
SSDEEP
1536:ImWtHHuaJtZAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtL49/u1D:1WtH/3ZAtWDDILJLovbicqOq3o+nL49E
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
-
Deletes itself 1 IoCs
Processes:
tmp8D2C.tmp.exe
pid | process
4776 | tmp8D2C.tmp.exe
-
Executes dropped EXE 1 IoCs
Processes:
tmp8D2C.tmp.exe
pid | process
4776 | tmp8D2C.tmp.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tmp8D2C.tmp.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | tmp8D2C.tmp.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe, vbc.exe, cvtres.exe, tmp8D2C.tmp.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp8D2C.tmp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe, tmp8D2C.tmp.exe
description | pid | process
Token: SeDebugPrivilege | 4084 | 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
Token: SeDebugPrivilege | 4776 | tmp8D2C.tmp.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe, vbc.exe
description | pid | process | target process
PID 4084 wrote to memory of 4152 | 4084 | 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe | vbc.exe
PID 4084 wrote to memory of 4152 | 4084 | 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe | vbc.exe
PID 4084 wrote to memory of 4152 | 4084 | 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe | vbc.exe
PID 4152 wrote to memory of 5096 | 4152 | vbc.exe | cvtres.exe
PID 4152 wrote to memory of 5096 | 4152 | vbc.exe | cvtres.exe
PID 4152 wrote to memory of 5096 | 4152 | vbc.exe | cvtres.exe
PID 4084 wrote to memory of 4776 | 4084 | 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe | tmp8D2C.tmp.exe
PID 4084 wrote to memory of 4776 | 4084 | 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe | tmp8D2C.tmp.exe
PID 4084 wrote to memory of 4776 | 4084 | 0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe | tmp8D2C.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (process tree level 2)
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v-uzxpxg.cmdline"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (process tree level 3)
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C08650A27414BB9A52BAB82F1AA29A2.TMP"
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe (process tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0c7da8d5a9cd906b6e7bfa5c6c3e5c40N.exe
- Deletes itself
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES8E55.tmp
Filesize
1KB
MD5
7b1c47e3a8facce10498b13015b1a323
SHA1
d03ff2434a56f9160535dd20573331b6570179c1
SHA256
9a6796542065af40bc304408defeb799c277b147353b4bb14683a3c1e154a800
SHA512
b8826692807fc80e68722eff7b6a55f46de3e4eba864bb9d959222b52029305c5512b32aada24cebf1a5017915bbd4946e5b5aee3f434635b2d63c706a83cda6
-
C:\Users\Admin\AppData\Local\Temp\tmp8D2C.tmp.exe
Filesize
78KB
MD5
708b78eaffe0017469c6b1d24fb3b9fe
SHA1
03801b63066deb0483abab87ca4d62d5ef44d894
SHA256
4ebeca321982693f9460c17db17dd2a00becf7ab5f016d1f7ad0990bf9f42a68
SHA512
1eaf96a61c754889ec43736132fee8fd5925076b4ba6ad2b214bc439e183be0def59fd6256051b32e0cc8646ac3ef489dd1c970e14a96dc997c64024f1b05f91
-
C:\Users\Admin\AppData\Local\Temp\v-uzxpxg.0.vb
Filesize
15KB
MD5
0eaf5a9a477fbe13fcdc66fe93a578ad
SHA1
0fcb401107bcf4420506f6a075501fcaa5733670
SHA256
d4685460abb10132d4e2c06e4850cb8980933839eb3117caa920f6466367a8fb
SHA512
eb2f940f389e1c8a8953e798e8b1b4bc48a35bf12da9f080f61fa6f6d0a3588f34faffd4da86547cd055ab059a12830d6232555383fdd5e6e61ac5554917f76f
-
C:\Users\Admin\AppData\Local\Temp\v-uzxpxg.cmdline
Filesize
266B
MD5
f11a90b561f2d5bfd5edbae67dac7eea
SHA1
54d7ac5764287ff2e8d1e8fc1adc726a3114c73d
SHA256
295d2355c65b0c01f98757c9cf857f6ccccd3e6248c9d31ea6a1c457c184fbb6
SHA512
c9afbdcae3e4cdc0cade392783a002b15665df824e0b114cba4c70bba5d74d7b0677dcac1e81a5a89c9f1311213f9315f8ede31deeb7a789440faca317c5e628
-
C:\Users\Admin\AppData\Local\Temp\vbc4C08650A27414BB9A52BAB82F1AA29A2.TMP
Filesize
660B
MD5
a36738fc510ffe5443e9074b23dc34b0
SHA1
ea0f9b766aad1eb5a5db38eb59922b68cd6e7e85
SHA256
aa757f04dcd7e3caf2bf3c1dcd3c534d0d2d614e7d173376fc6bf800e1455746
SHA512
42498a1d1eac3385b77d7f39cdb9716b6e3bb5c70a567042478ac2b02c452e90d79132abe838343c8243d008c85de9b02e6878f158bc6cee37bd084e3c9c1c14
-
C:\Users\Admin\AppData\Local\Temp\zCom.resources
Filesize
62KB
MD5
a26b0f78faa3881bb6307a944b096e91
SHA1
42b01830723bf07d14f3086fa83c4f74f5649368
SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c
-
memory/4084-22-0x0000000075470000-0x0000000075A21000-memory.dmp
Filesize
5.7MB
-
memory/4084-2-0x0000000075470000-0x0000000075A21000-memory.dmp
Filesize
5.7MB
-
memory/4084-1-0x0000000075470000-0x0000000075A21000-memory.dmp
Filesize
5.7MB
-
memory/4084-0-0x0000000075472000-0x0000000075473000-memory.dmp
Filesize
4KB
-
memory/4152-9-0x0000000075470000-0x0000000075A21000-memory.dmp
Filesize
5.7MB
-
memory/4152-18-0x0000000075470000-0x0000000075A21000-memory.dmp
Filesize
5.7MB
-
memory/4776-23-0x0000000075470000-0x0000000075A21000-memory.dmp
Filesize
5.7MB
-
memory/4776-24-0x0000000075470000-0x0000000075A21000-memory.dmp
Filesize
5.7MB
-
memory/4776-25-0x0000000075470000-0x0000000075A21000-memory.dmp
Filesize
5.7MB
-
memory/4776-26-0x0000000075470000-0x0000000075A21000-memory.dmp
Filesize
5.7MB
-
memory/4776-27-0x0000000075470000-0x0000000075A21000-memory.dmp
Filesize
5.7MB