0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe
Size

17KB
MD5

0b660bffa6e0093bf7054a8d80071585
SHA1

6450139c6698b3cfb67cf9f06a0b3190c44442af
SHA256

0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15
SHA512

09fb8bbe5d013fa01ba5cd50595a2d273411a71344ba3e9af7864dbad185c88844c128b023f85368c1718c05e9799f46d2af11dc0665c14c4c30dfd161537f48
SSDEEP

384:pxkgrwjFTcBr6YbalEM7s/oObysVKQsyKXfWc:pxkgrwFwvalEoGChXu

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 1456	3352	0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe	91
PID 3352 wrote to memory of 1456	3352	0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe	91
PID 1456 wrote to memory of 1100	1456	vbc.exe	93
PID 1456 wrote to memory of 1100	1456	vbc.exe	93

C:\Users\Admin\AppData\Local\Temp\0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe
"C:\Users\Admin\AppData\Local\Temp\0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\utgalyu7.cmdline"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6E2F094937364DA29B9DECA6A55A0A5.TMP"
    3⤵
    PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2D16.tmp

Filesize
1KB

MD5
1ee0fe2722fe76517734aa2fc12a40a5

SHA1
bf53ac9b4d4c99b1537eea3f9897bc9fcc8cf7e3

SHA256
b000021f2d5d35e3efb2a95690e19a91c9428200d58b62bc7fd76584ff628f23

SHA512
127e06efe6df5b66e6ad70c52ec771f21d148a080adb12b5fe7b5b9ff5a35f37aa0c3d30d7f8fca0de49f138ef6957faa336cb464116f57def0f638b472d6de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\utgalyu7.0.vb

Filesize
212B

MD5
8535e84314fe151d979f9896e28a33d7

SHA1
5cb5609f42179f838b87d61eb210210b91e5b83a

SHA256
25ba1e85cfd057b879b7b8d05d983799d2f7cade11e0d447614462e5921eb99b

SHA512
24902ef8cdef9b8feb9d060e72f6a45f66da7c43c39cb627794de6405bcee2a592e889aadfa20b46e0a54291b682c0b67bd6ae3b15f8283d9c768800af0418bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\utgalyu7.cmdline

Filesize
194B

MD5
bd44573f0f08a3a19b59ed29a4f79377

SHA1
1a9a8bb9d03685f159883e700ac9d3ee719c46b9

SHA256
1d339b828702006f76a49cc2b60d75b39b1d416b3491cb10fc22786ac1ff44ba

SHA512
1469ae559293c1b1ba3b6c4d325e0a525360c0e62da5be2aab62f5ce69c9b78e9cc76edc70154f3d7eeebb5f7384f87ae523c6f7eec7c4d37f014ba6a907bed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6E2F094937364DA29B9DECA6A55A0A5.TMP

Filesize
644B

MD5
23c5f6c5bb4e5de59ec5aa884ea098d3

SHA1
7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

SHA256
7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

SHA512
bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

Download Submit
memory/1456-21-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/1456-17-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/3352-3-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/3352-7-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/3352-6-0x00007FF8D5255000-0x00007FF8D5256000-memory.dmp

Filesize
4KB

Download
memory/3352-5-0x000000001C1E0000-0x000000001C242000-memory.dmp

Filesize
392KB

Download
memory/3352-4-0x000000001C070000-0x000000001C116000-memory.dmp

Filesize
664KB

Download
memory/3352-0-0x00007FF8D5255000-0x00007FF8D5256000-memory.dmp

Filesize
4KB

Download
memory/3352-1-0x00007FF8D4FA0000-0x00007FF8D5941000-memory.dmp

Filesize
9.6MB

Download
memory/3352-2-0x000000001BAF0000-0x000000001BFBE000-memory.dmp

Filesize
4.8MB

Download