31eb4376680323bbb588265b463159d03534120e4c9c729c792a4f7641fb35a6

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 00:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aa37cf960215bd9db8d096764ef6e210N.exe
Size

9.1MB
MD5

aa37cf960215bd9db8d096764ef6e210
SHA1

34c37aa9c9edfa596ff9e476ef87d5b6ffeb2ee0
SHA256

31eb4376680323bbb588265b463159d03534120e4c9c729c792a4f7641fb35a6
SHA512

effd89cbda9588b8dbf94fa8dc53cc6985cd1c0cb8f7ece574612f512dae2803768c303c1b64a89f83b7db678cf26cc8f5775caa20a20f8444d77417690e7c8e
SSDEEP

196608:AYVql37pjF9U2FshAcBMih02o8NtIOvV53AIC3MQUpUWiHoZyEAZ+FcAjoSZlr:AYVa37pfU2yBY2tnvV5TmjUpUWiHowMv

Score

6^/10

defense_evasion discovery execution

Malware Config

Signatures

Downloads MZ/PE file
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	aa37cf960215bd9db8d096764ef6e210N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4312	7za.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa37cf960215bd9db8d096764ef6e210N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2280	cmd.exe
3804	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3804	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2408	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4312	7za.exe
Token: 35	4312	7za.exe
Token: SeSecurityPrivilege	4312	7za.exe
Token: SeSecurityPrivilege	4312	7za.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 3928	1856	aa37cf960215bd9db8d096764ef6e210N.exe	83
PID 1856 wrote to memory of 3928	1856	aa37cf960215bd9db8d096764ef6e210N.exe	83
PID 1856 wrote to memory of 3928	1856	aa37cf960215bd9db8d096764ef6e210N.exe	83
PID 1856 wrote to memory of 3688	1856	aa37cf960215bd9db8d096764ef6e210N.exe	88
PID 1856 wrote to memory of 3688	1856	aa37cf960215bd9db8d096764ef6e210N.exe	88
PID 1856 wrote to memory of 3688	1856	aa37cf960215bd9db8d096764ef6e210N.exe	88
PID 3688 wrote to memory of 1456	3688	wscript.exe	94
PID 3688 wrote to memory of 1456	3688	wscript.exe	94
PID 3688 wrote to memory of 1456	3688	wscript.exe	94
PID 3688 wrote to memory of 4312	3688	wscript.exe	97
PID 3688 wrote to memory of 4312	3688	wscript.exe	97
PID 3688 wrote to memory of 4312	3688	wscript.exe	97
PID 3688 wrote to memory of 4440	3688	wscript.exe	99
PID 3688 wrote to memory of 4440	3688	wscript.exe	99
PID 3688 wrote to memory of 4440	3688	wscript.exe	99
PID 3688 wrote to memory of 212	3688	wscript.exe	101
PID 3688 wrote to memory of 212	3688	wscript.exe	101
PID 3688 wrote to memory of 212	3688	wscript.exe	101
PID 3688 wrote to memory of 1584	3688	wscript.exe	103
PID 3688 wrote to memory of 1584	3688	wscript.exe	103
PID 3688 wrote to memory of 1584	3688	wscript.exe	103
PID 3688 wrote to memory of 2280	3688	wscript.exe	105
PID 3688 wrote to memory of 2280	3688	wscript.exe	105
PID 3688 wrote to memory of 2280	3688	wscript.exe	105
PID 2280 wrote to memory of 3804	2280	cmd.exe	107
PID 2280 wrote to memory of 3804	2280	cmd.exe	107
PID 2280 wrote to memory of 3804	2280	cmd.exe	107
PID 3688 wrote to memory of 2408	3688	wscript.exe	110
PID 3688 wrote to memory of 2408	3688	wscript.exe	110
PID 3688 wrote to memory of 2408	3688	wscript.exe	110

C:\Users\Admin\AppData\Local\Temp\aa37cf960215bd9db8d096764ef6e210N.exe
"C:\Users\Admin\AppData\Local\Temp\aa37cf960215bd9db8d096764ef6e210N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo hi
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3928
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" C:\\ProgramData\\mvdihdsbib.js
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c rd /S/Q C:\ProgramData\uwxeej
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1456
- - C:\ProgramData\6szdf\7za.exe
    "C:\ProgramData\6szdf\7za.exe" e C:\ProgramData\3b4acw.zip -pvkd -y -oC:\ProgramData\uwxeej
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move /Y "C:\ProgramData\uwxeej" "C:\ProgramData\VkontakteDJ"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4440
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Delete /TN VK_DJ /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c del /S/Q C:\ProgramData\3b4acw.zip
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3804
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN VKDJ /SC ONLOGON /TR "C:\ProgramData\VkontakteDJ\VKontakteDJ.exe /H" /F /DELAY 0001:00 /RL HIGHEST
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\3b4acw.zip

Filesize
4.4MB

MD5
66ec3b7e607b7973199c6618aaa6960c

SHA1
36d18bad8432ebc0e9aa59e1b2b66e988ab30c27

SHA256
23d76b4b362c0bd62475923961531cedf26984eba709d6c936ad90ef979600f8

SHA512
7b5b7acbe678e41947d2e9a32f8c915450d5986572a06a6aa1f9fbe2ecfa80ccfce30fd2da655ab1674d5a40be49cb0d9b44e3e2d4e7992526ff1ef788425fb7

Download Submit
C:\ProgramData\6szdf\7za.exe

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\ProgramData\VkontakteDJ\VKontakteDJ.exe

Filesize
6.6MB

MD5
546d1b4e720a53949fe1d2afbb77dd80

SHA1
aa4de05020b8a3f64b50290eb21946ad6ae42986

SHA256
710e14c93d6ebdd75eaa51e2059ec7ae57eb13e7fb7f142fb238540936559c1a

SHA512
d239f422689c1463d92ed22dada8e47045ec64d9dae77b63dd1be2842563d2cd76fe9a6ac1d02d0db9e445a6103bae9712eb3f857254d8f918f9c08aaa14fd91

Download Submit
C:\ProgramData\VkontakteDJ\uninstall.exe

Filesize
490KB

MD5
e127107063431e8186811bac98ad0b6e

SHA1
27a508f87621792f102ed1d97e7689801132c13f

SHA256
c04672f2cdcba81fb8a6d9a0e47b3f28605e3b020c8dc37657f932c7d981dad9

SHA512
c88edce031d5d73a4f443dc31e2d204f650f876ad2fa517d3e47581fa48cdc93afbb4941bdc6f0b44060d209d59406bd855feadf0b18de30f27c3d61580b0661

Download Submit
C:\ProgramData\mvdihdsbib.js

Filesize
4KB

MD5
32ebed61c8f61c18b2383cb9511588a6

SHA1
1ea5052c738780000cbf9f6409069c289573f4ab

SHA256
a861e6d41cb838f1d90503b1d7858b26c81f43ef8beb5584a23345505dc82862

SHA512
050018c531aefaf66b937011d10519d9b7176e66d03f15f1d053be36b8560f18be01fb0a307452c592c193cfb6e81cbea90707007cd32522f9d39a0c07f64c3d

Download Submit
memory/1856-0-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1856-32-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/1856-31-0x0000000000400000-0x0000000000D31000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads