9404c7a99bcdde02f50e378d1dffad170426af7c1c5c545b2f6fd57de48ffad5

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware/vbc2.exe
Size

265KB
MD5

aad8885345c5d145c8cb22292332fb38
SHA1

b7c01db77c5cd491bee82e125d4783175a1f73b7
SHA256

0007c9f7203e80c87042d5b4ae3208bf3adf66657c65e02ef6136c5b18ee3bcb
SHA512

70bd8402767b7c7ca1fce5f737e5fff44dda0ebf5a81f1465589dfe5179bc17d82009f771157d2003bf22f7d5582f90330f1159d9d464c90dceeff503e568f09
SSDEEP

6144:HNeZmORhwi08GOs8RuAR3F7saaLIcscJY6pYQsFle2ujpLiFAD:HNlchakNRJKTsN6pYbFlgt7D

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ioatgumevw.exe

pid process

1808 ioatgumevw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4768 1808 WerFault.exe ioatgumevw.exe

pid	process
1808	ioatgumevw.exe

pid	pid_target	process	target process
4768	1808	WerFault.exe	ioatgumevw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc2.exeioatgumevw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ioatgumevw.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

vbc2.exeioatgumevw.exe

description	pid	process	target process
PID 4648 wrote to memory of 1808	4648	vbc2.exe	ioatgumevw.exe
PID 4648 wrote to memory of 1808	4648	vbc2.exe	ioatgumevw.exe
PID 4648 wrote to memory of 1808	4648	vbc2.exe	ioatgumevw.exe
PID 1808 wrote to memory of 396	1808	ioatgumevw.exe	ioatgumevw.exe
PID 1808 wrote to memory of 396	1808	ioatgumevw.exe	ioatgumevw.exe
PID 1808 wrote to memory of 396	1808	ioatgumevw.exe	ioatgumevw.exe

C:\Users\Admin\AppData\Local\Temp\malware\vbc2.exe
"C:\Users\Admin\AppData\Local\Temp\malware\vbc2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe
  C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe C:\Users\Admin\AppData\Local\Temp\kghzkpgyin
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe
    C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe C:\Users\Admin\AppData\Local\Temp\kghzkpgyin
    3⤵
    PID:396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 524
    3⤵
    - Program crash
    PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1808 -ip 1808
1⤵
PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7yk8h1szdi

Filesize
284KB

MD5
c0fcdf6c83060610bfd06a232dbce163

SHA1
aeaa28e293eba2347e1a29608cb41f4646cd92f6

SHA256
9f8d2ff465ce5caba6ade5e7dbfd5a349980ccaf780412aaa8e2685ba88bb31f

SHA512
d2ab68ee32efb8c1c5614e7d8a47728f097e8f7a30ede3c5c5d805ba2c20ed7bbd8cb5242c12de852b23fb5d52ded82058fb1cbbc211bfe027b3b4aad352b78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe

Filesize
4KB

MD5
f88371b8ec4dc631943fe54a227707dc

SHA1
a127b7a645f9468105a31109a3572960004a7316

SHA256
6ea31176202a06bbfd787b91c64c8ac55cd8e2c817e37d556576133334a3614b

SHA512
b4d04bf47e643845e97da626f62dcd5ac3611508300769bb2840fbde88ecbc2229cadd0ef3b2b50ab36042e9e31c71211e4d335871f15840ec5aa3bd5244c1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\kghzkpgyin

Filesize
5KB

MD5
cbac7f599beb8247e95dd1ba7a84636e

SHA1
cc8fec2fba79fa494d8fb41dc1fea3d8a18343f2

SHA256
cbb92fe48e868dd2bf0138d48faa7e6573340928d5e253ed93599aa357a2d0e3

SHA512
5494afa3bd99f09574420e535e8b584bf21a56d3e4cea58668a2efa5ba623cc7f971a3dd6f905737b9ab30d6af0bc50bc7e6f2aef7f9e5086cdf3808b9ca1a35

Download Submit
memory/1808-7-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download