31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe
Size

17KB
MD5

7ce0ae6f480ddfcdb6791b4c657c0457
SHA1

8bd1d4205dc4b4c057f73f47333f33ef9866cd7f
SHA256

31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae
SHA512

8378d7a092dfe57c10e3132cf4d53a8fad7d53344d84a52d88863af67a19a19a2bd507211b2727b9f5854b9d8245a793d673f953b5bfb382db278e61df128cf4
SSDEEP

384:crRPot9VcjGYbalEM7s/oObysVK8sy0XfWc:crRPG9galEoGCbXu

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

vbc.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe

description	pid	Process
Token: SeDebugPrivilege	2588	31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exevbc.exe

description	pid	Process	procid_target
PID 2588 wrote to memory of 4612	2588	31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe	91
PID 2588 wrote to memory of 4612	2588	31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe	91
PID 4612 wrote to memory of 1932	4612	vbc.exe	93
PID 4612 wrote to memory of 1932	4612	vbc.exe	93

C:\Users\Admin\AppData\Local\Temp\31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe
"C:\Users\Admin\AppData\Local\Temp\31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8te0yify.cmdline"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31D9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDE9F040A173D4EBF981AD44D4925AE0.TMP"
    3⤵
    PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8te0yify.0.vb

Filesize
211B

MD5
36324a85023e1b05aa1288c8a93aa4a2

SHA1
af07ff6e72cfa89dd6cda7b5a300aa2dbb0cf8ed

SHA256
fc73c925f564ef1db0f4dcca7574b5a4b474bc7206fbb3f909607c3be598cb7d

SHA512
86eb5f6411b3f6fe16b58b74648961bffc875ddf1b81c3a39521e78a0b84abeee50ffb7bbb674594725ca2f7a530d84ce11a4ca1843baec7619487ef1d32cfe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8te0yify.cmdline

Filesize
194B

MD5
906f19aad29976b77a2ab0299d047a89

SHA1
7615f08d1a9523e95d3f75e544ae8a046aacf368

SHA256
afa6a0414219a8d90254b8134223a640bdddec304044a02b26b8cdd413552efa

SHA512
c5e987874d19d8298bd02304e56cf8ce3be76d6ab05b1654c5971b742a464c8b03ea97ada2677b09875e5971ec99064260e226e86ac1c209dbc0e17896db33c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES31D9.tmp

Filesize
1KB

MD5
0bc6eebc270bdf24bcdf84cb7b33e168

SHA1
bad4b8e3bfef311cbb02f4d646ebeda04a0044ae

SHA256
60a6fcbaeda786e10e62f0ee5d08f8c5b1bd2e2a8db1d1eccfddbb6128c8a3bb

SHA512
fb976ef7c8630e46116aa067deafd294ff45e6eca17c4646b9b10a7ef9a57d585390919f7ec9c6afe2e377d8e633eacc328665e3bc0cdbf99c1f877016dc1add

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDE9F040A173D4EBF981AD44D4925AE0.TMP

Filesize
644B

MD5
23c5f6c5bb4e5de59ec5aa884ea098d3

SHA1
7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

SHA256
7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

SHA512
bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

Download Submit
memory/2588-3-0x000000001B860000-0x000000001B906000-memory.dmp

Filesize
664KB

Download
memory/2588-5-0x00007FFFB9190000-0x00007FFFB9B31000-memory.dmp

Filesize
9.6MB

Download
memory/2588-6-0x00007FFFB9445000-0x00007FFFB9446000-memory.dmp

Filesize
4KB

Download
memory/2588-7-0x00007FFFB9190000-0x00007FFFB9B31000-memory.dmp

Filesize
9.6MB

Download
memory/2588-8-0x00007FFFB9190000-0x00007FFFB9B31000-memory.dmp

Filesize
9.6MB

Download
memory/2588-4-0x000000001C380000-0x000000001C3E2000-memory.dmp

Filesize
392KB

Download
memory/2588-0-0x00007FFFB9445000-0x00007FFFB9446000-memory.dmp

Filesize
4KB

Download
memory/2588-2-0x000000001BEB0000-0x000000001C37E000-memory.dmp

Filesize
4.8MB

Download
memory/2588-1-0x00007FFFB9190000-0x00007FFFB9B31000-memory.dmp

Filesize
9.6MB

Download
memory/4612-17-0x00007FFFB9190000-0x00007FFFB9B31000-memory.dmp

Filesize
9.6MB

Download
memory/4612-22-0x00007FFFB9190000-0x00007FFFB9B31000-memory.dmp

Filesize
9.6MB

Download