0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe
Size

17KB
MD5

0b660bffa6e0093bf7054a8d80071585
SHA1

6450139c6698b3cfb67cf9f06a0b3190c44442af
SHA256

0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15
SHA512

09fb8bbe5d013fa01ba5cd50595a2d273411a71344ba3e9af7864dbad185c88844c128b023f85368c1718c05e9799f46d2af11dc0665c14c4c30dfd161537f48
SSDEEP

384:pxkgrwjFTcBr6YbalEM7s/oObysVKQsyKXfWc:pxkgrwFwvalEoGChXu

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2644	2880	0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe	31
PID 2880 wrote to memory of 2644	2880	0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe	31
PID 2880 wrote to memory of 2644	2880	0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe	31
PID 2644 wrote to memory of 568	2644	vbc.exe	33
PID 2644 wrote to memory of 568	2644	vbc.exe	33
PID 2644 wrote to memory of 568	2644	vbc.exe	33

C:\Users\Admin\AppData\Local\Temp\0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe
"C:\Users\Admin\AppData\Local\Temp\0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hddv8esk.cmdline"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2A8.tmp"
    3⤵
    PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF2B9.tmp

Filesize
1KB

MD5
66106877975e9e3e55cd5c005da181f1

SHA1
6b76a27208a2717be9a2ac26cb89d03a9f188f63

SHA256
785c7e20d240ae3f5fe8e96104b0c7f8ca8aee4802fbd6394c08141aedf0c3d5

SHA512
cedd099975cfbb5f11327f886fa222107466d3dc21595e0b64ecce8551519e4323e53cab5881963f1f5b78c61af84bfd8a7db0ba7fe0ef8e1c598c29cb1f908e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hddv8esk.0.vb

Filesize
212B

MD5
8535e84314fe151d979f9896e28a33d7

SHA1
5cb5609f42179f838b87d61eb210210b91e5b83a

SHA256
25ba1e85cfd057b879b7b8d05d983799d2f7cade11e0d447614462e5921eb99b

SHA512
24902ef8cdef9b8feb9d060e72f6a45f66da7c43c39cb627794de6405bcee2a592e889aadfa20b46e0a54291b682c0b67bd6ae3b15f8283d9c768800af0418bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hddv8esk.cmdline

Filesize
194B

MD5
e7077f2cf36719e5da8dbadd647fd76d

SHA1
df168e4845832aca81c7d13a53d29a8722ef7e2c

SHA256
3d8b0a88a4fe31fae5227e0b4983d0f92b87aad00851a7c261f92551f0909c38

SHA512
db768718a7249413b7a4d1c469884177f05d4309728887b1933fe421b1b813de50b9c67c5f7a533b852d040405ab51ae745dc63af2047fd0a6f88e1c4722198c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF2A8.tmp

Filesize
644B

MD5
23c5f6c5bb4e5de59ec5aa884ea098d3

SHA1
7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

SHA256
7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

SHA512
bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

Download Submit
memory/2644-11-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2644-19-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-0-0x000007FEF575E000-0x000007FEF575F000-memory.dmp

Filesize
4KB

Download
memory/2880-1-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-2-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-3-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-4-0x000007FEF575E000-0x000007FEF575F000-memory.dmp

Filesize
4KB

Download
memory/2880-5-0x000007FEF54A0000-0x000007FEF5E3D000-memory.dmp

Filesize
9.6MB

Download