bf8ffd1e6f909d4e29b43af47750cb7fcaa167e7bd691c2f3d83f61163f6ed5a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 18:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Adersoft.VbsEdit.v3.4.1.19/lpk.dll
Size

45KB
MD5

fcdc863503f8b1be2104614f948179fc
SHA1

71485de3e22c42df5f0c9e39f47420e48195fef5
SHA256

d80b59ded380078af93526a8fb78bf19ab05a924958b15a9fdcee8b0e31c3f3a
SHA512

ca0bf43bf2615e32a496a8cd65f2db8bee08c19da36310bc58a7f7dde8849d9aea610a054e3088a9c6bf0284400370806fd38e4e89ba54a35f0f13e8a9f6c2b9
SSDEEP

768:zojY9Pg68uUCS77GhGLhLpms1RZo9yHHojY9P:GmY6BS7LL18+o9yHSm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2776	hrl757E.tmp
2728	vmtrwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	rundll32.exe
2716	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vmtrwm.exe	hrl757E.tmp
File opened for modification	C:\Windows\SysWOW64\vmtrwm.exe	hrl757E.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2284	2728	vmtrwm.exe	33

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmtrwm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2716	2400	rundll32.exe	30
PID 2400 wrote to memory of 2716	2400	rundll32.exe	30
PID 2400 wrote to memory of 2716	2400	rundll32.exe	30
PID 2400 wrote to memory of 2716	2400	rundll32.exe	30
PID 2400 wrote to memory of 2716	2400	rundll32.exe	30
PID 2400 wrote to memory of 2716	2400	rundll32.exe	30
PID 2400 wrote to memory of 2716	2400	rundll32.exe	30
PID 2716 wrote to memory of 2776	2716	rundll32.exe	31
PID 2716 wrote to memory of 2776	2716	rundll32.exe	31
PID 2716 wrote to memory of 2776	2716	rundll32.exe	31
PID 2716 wrote to memory of 2776	2716	rundll32.exe	31
PID 2728 wrote to memory of 2284	2728	vmtrwm.exe	33
PID 2728 wrote to memory of 2284	2728	vmtrwm.exe	33
PID 2728 wrote to memory of 2284	2728	vmtrwm.exe	33
PID 2728 wrote to memory of 2284	2728	vmtrwm.exe	33
PID 2728 wrote to memory of 2284	2728	vmtrwm.exe	33
PID 2728 wrote to memory of 2284	2728	vmtrwm.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Adersoft.VbsEdit.v3.4.1.19\lpk.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Adersoft.VbsEdit.v3.4.1.19\lpk.dll,#1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\hrl757E.tmp
    C:\Users\Admin\AppData\Local\Temp\hrl757E.tmp
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2776

C:\Windows\SysWOW64\vmtrwm.exe
C:\Windows\SysWOW64\vmtrwm.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hrl757E.tmp

Filesize
38KB

MD5
4b5b96093cdd0eb372be9a459b2bc27e

SHA1
6c36841cabbf00bb365bddede0897fcc6338e68f

SHA256
b3c425ac158293c36809f69d6c53cc4b77c6f14eb63c548320e280414ae7a4fa

SHA512
cba45a987e23452f630790ae620876916710ecda846e5300be0f399ed57bc994cfd594b0a638d217af7a611a5c7c3430f6369f47f3b72403f3eb2fdff0e033fe

Download Submit
memory/2284-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2284-14-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2284-16-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2776-17-0x0000000000400000-0x000000000040CE58-memory.dmp

Filesize
51KB

Download