31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae

Analysis

max time kernel
148s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe
Size

17KB
MD5

7ce0ae6f480ddfcdb6791b4c657c0457
SHA1

8bd1d4205dc4b4c057f73f47333f33ef9866cd7f
SHA256

31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae
SHA512

8378d7a092dfe57c10e3132cf4d53a8fad7d53344d84a52d88863af67a19a19a2bd507211b2727b9f5854b9d8245a793d673f953b5bfb382db278e61df128cf4
SSDEEP

384:crRPot9VcjGYbalEM7s/oObysVK8sy0XfWc:crRPG9galEoGCbXu

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2716	2560	31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe	30
PID 2560 wrote to memory of 2716	2560	31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe	30
PID 2560 wrote to memory of 2716	2560	31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe	30
PID 2716 wrote to memory of 2980	2716	vbc.exe	32
PID 2716 wrote to memory of 2980	2716	vbc.exe	32
PID 2716 wrote to memory of 2980	2716	vbc.exe	32

C:\Users\Admin\AppData\Local\Temp\31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe
"C:\Users\Admin\AppData\Local\Temp\31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1-stikci.cmdline"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES319C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc317C.tmp"
    3⤵
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1-stikci.0.vb

Filesize
211B

MD5
36324a85023e1b05aa1288c8a93aa4a2

SHA1
af07ff6e72cfa89dd6cda7b5a300aa2dbb0cf8ed

SHA256
fc73c925f564ef1db0f4dcca7574b5a4b474bc7206fbb3f909607c3be598cb7d

SHA512
86eb5f6411b3f6fe16b58b74648961bffc875ddf1b81c3a39521e78a0b84abeee50ffb7bbb674594725ca2f7a530d84ce11a4ca1843baec7619487ef1d32cfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1-stikci.cmdline

Filesize
194B

MD5
6fb6fca3465c5394b193070b65d7c5a7

SHA1
a1dd9c4fa72d890c1ce13d7ca0766fadcf688285

SHA256
2ce62630c20212ca31689bfc70e7287f35abc59dd283f418baf7eefd92d056a3

SHA512
8c414bb2c9521e3ecf584447c2ba18b8a6aed05bdab4dfe3b9351326a238098293d241ee3298d4df57c8567f2bb2d7e59490501300df99bfd72f3466edb6d2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES319C.tmp

Filesize
1KB

MD5
ce337b32b6f361920271a7296d95f7e2

SHA1
5ec20ee749da1c86ac5a0ed984cef477c57abeb7

SHA256
b6e5b29d9e30a9d6a6985593512f8fa601790bc3e391a7adf8f592fee5b04376

SHA512
6c1bbf9ae1cdb4f3f41d7284ef5d5fc1e66fd26b7e63cdd43c2b1ebf1833d525b1df9b054247ddbc874c6fdd4efffd3fa7cc4e8d94bdf3b7c87a447d7215f128

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc317C.tmp

Filesize
644B

MD5
23c5f6c5bb4e5de59ec5aa884ea098d3

SHA1
7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

SHA256
7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

SHA512
bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

Download Submit
memory/2560-0-0x000007FEF63DE000-0x000007FEF63DF000-memory.dmp

Filesize
4KB

Download
memory/2560-1-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-2-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-3-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2560-4-0x000007FEF63DE000-0x000007FEF63DF000-memory.dmp

Filesize
4KB

Download
memory/2560-5-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-11-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download
memory/2716-19-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Filesize
9.6MB

Download