Overview

overview

6

Static

static

1

1d057ebb99...0N.exe

windows7-x64

6

1d057ebb99...0N.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-09-2024 13:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d057ebb99d1c533f8fc7d76e1687920N.exe

  • Size

    9.1MB

  • MD5

    1d057ebb99d1c533f8fc7d76e1687920

  • SHA1

    9c71e33cfe73d3f31c1e502e293cd08af7d49f80

  • SHA256

    6bea1931fa6e555137cc6f15593856a5bf2f1445df702f766e3454defa3036f1

  • SHA512

    c062d1e4842825eb70e968ef68b37f40c121940cbbc42700080d0f869efa92452531275108b3d7b1a8b147ec9050926c7f29a1fab6f1a5624d54a6823c4f4ab3

  • SSDEEP

    196608:Xlbrq3GhKGcRHaL5fjsteMmFIfxcDNvUpUWiHoZyEAZ+FcAjoSZVW:XlbW3GhQZapemOcpUpUWiHowMcWoOM

Score
6/10
defense_evasiondiscoveryexecution

Malware Config

Signatures

  • Downloads MZ/PE file
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d057ebb99d1c533f8fc7d76e1687920N.exe
    "C:\Users\Admin\AppData\Local\Temp\1d057ebb99d1c533f8fc7d76e1687920N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c echo hi
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2196
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\\ProgramData\\bfulswbgho.js
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c rd /S/Q C:\ProgramData\iu60ti
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3976
      • C:\ProgramData\ox96y\7za.exe
        "C:\ProgramData\ox96y\7za.exe" e C:\ProgramData\aa1yvw.zip -pvkd -y -oC:\ProgramData\iu60ti
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c move /Y "C:\ProgramData\iu60ti" "C:\ProgramData\VkontakteDJ"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4504
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Delete /TN VK_DJ /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3292
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c del /S/Q C:\ProgramData\aa1yvw.zip
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2996
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4524
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN VKDJ /SC ONLOGON /TR "C:\ProgramData\VkontakteDJ\VKontakteDJ.exe /H" /F /DELAY 0001:00 /RL HIGHEST
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\VkontakteDJ\VKontakteDJ.exe
    Filesize

    6.6MB

    MD5

    d9af06e50b192e519764520108567f91

    SHA1

    a5c054dcae364968de8c6c3043a49ce37e1c491a

    SHA256

    96904ed3a7a451340e490264da5813620b9db909303aff11ab3053922f7ef2e2

    SHA512

    5eddc47da3853abad79847fbe7d53cd9fc8f5912414fb62fc11a8e72fcfeda1103e51377ee810897fac8d6743e9014786451b22b0a98506c6c6683d1d708c1d3

    Download Submit

  • C:\ProgramData\VkontakteDJ\uninstall.exe
    Filesize

    490KB

    MD5

    e127107063431e8186811bac98ad0b6e

    SHA1

    27a508f87621792f102ed1d97e7689801132c13f

    SHA256

    c04672f2cdcba81fb8a6d9a0e47b3f28605e3b020c8dc37657f932c7d981dad9

    SHA512

    c88edce031d5d73a4f443dc31e2d204f650f876ad2fa517d3e47581fa48cdc93afbb4941bdc6f0b44060d209d59406bd855feadf0b18de30f27c3d61580b0661

    Download Submit

  • C:\ProgramData\aa1yvw.zip
    Filesize

    4.4MB

    MD5

    d377ba6a58de20aca63909e3bc6c1fd0

    SHA1

    281884d3645ea8182abc39f5ce7d386acd8a3025

    SHA256

    daf9f5455806ebdc87029c86aca7dbb675f69f476bb7d183c16cfd6e0193af5e

    SHA512

    643e5fd4da5304474c075355721452423fe2187feb1c0e7a16759b740f8d197e2947f0901d55a6517182e5a05888227ba72930e67a231dd73981f3b66df098a6

    Download Submit

  • C:\ProgramData\bfulswbgho.js
    Filesize

    4KB

    MD5

    32ebed61c8f61c18b2383cb9511588a6

    SHA1

    1ea5052c738780000cbf9f6409069c289573f4ab

    SHA256

    a861e6d41cb838f1d90503b1d7858b26c81f43ef8beb5584a23345505dc82862

    SHA512

    050018c531aefaf66b937011d10519d9b7176e66d03f15f1d053be36b8560f18be01fb0a307452c592c193cfb6e81cbea90707007cd32522f9d39a0c07f64c3d

    Download Submit

  • C:\ProgramData\ox96y\7za.exe
    Filesize

    722KB

    MD5

    43141e85e7c36e31b52b22ab94d5e574

    SHA1

    cfd7079a9b268d84b856dc668edbb9ab9ef35312

    SHA256

    ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

    SHA512

    9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

    Download Submit

  • memory/2204-0-0x00000000030C0000-0x00000000030C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2204-30-0x00000000030C0000-0x00000000030C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2204-29-0x0000000000400000-0x0000000000D31000-memory.dmp

    Filesize

    9.2MB

    Download

  • memory/2204-32-0x0000000000400000-0x0000000000D31000-memory.dmp

    Filesize

    9.2MB

    Download

  • memory/2204-34-0x0000000000400000-0x0000000000D31000-memory.dmp

    Filesize

    9.2MB

    Download