17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe
Size

196KB
MD5

c82617e2ea031d93d5c2ea8165656753
SHA1

62e495b8e7bf597cb5fac48828f808d46f064930
SHA256

e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d
SHA512

36766d8d98348926ed49e40a88e3ac928de8f2bd415bbe955aa73edb0db943f20c0d2e92b955bbd1d93ca2db316c6a421066993c3ce675d4597bc397110fd563
SSDEEP

768:JQ092dvBhHL+Txzm9xrHefCQ+LKSYTPlSfDj017JaS8+LvH5:C092ZjHezmTrHUoYzNT8yh

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exevbc.exe

description	pid	process	target process
PID 2144 wrote to memory of 2648	2144	e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe	vbc.exe
PID 2144 wrote to memory of 2648	2144	e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe	vbc.exe
PID 2144 wrote to memory of 2648	2144	e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe	vbc.exe
PID 2648 wrote to memory of 2884	2648	vbc.exe	cvtres.exe
PID 2648 wrote to memory of 2884	2648	vbc.exe	cvtres.exe
PID 2648 wrote to memory of 2884	2648	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe
"C:\Users\Admin\AppData\Local\Temp\e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\aqtl01cl\aqtl01cl.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2328462DB4FC41A3AEE6801FD233B73.TMP"
    3⤵
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Library.resources

Filesize
2KB

MD5
7ea2659362200f7cf40d5f6abf8da41a

SHA1
e792edd81cb9a081560efecaf7fd02a91ce3c22e

SHA256
aa2463e4bbcfbb30ae2c28a80ec040990a88e8fb5df4c59397032664b82f9cda

SHA512
a4a4f885936982a23af092d21035d8d83c2ef25421bbd17d97dabd9a83e10b8eaa7a3719304d12be7b2dd71b6b572776e9798f3738de839294734d2d998a12c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20E9.tmp

Filesize
1KB

MD5
42dd2f6508b51e08e8de820f7b74e1e4

SHA1
f163c4e2ccbe85875dd46fe6f6aa06f5d2f54ef9

SHA256
da047b951a2b64ad016c272666e9c886d77e8f2e5adc7e564c2e4dbdf46dd9fd

SHA512
38319d9ba33ee23972c0697bd6b8c2e79157ed997e269629b73578eba6170f051860f340ab43e23a192cc965e689540df2d204ef5b93b1c8c8a3fda1f12c6a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqtl01cl\aqtl01cl.0.vb

Filesize
13KB

MD5
9ea2130e97a89160c42d930f69be89c3

SHA1
659ffd753a813eda9a3cbb9f128872146cd8c47b

SHA256
a25915d6af7ec14d92b7f5ccf44ace2a10393c3ef5ef25f325bba25fe8907165

SHA512
5451692fc6eab6e174a78a1c3d85ace197fb336c403ac3abaea1a147724b825c1a1bcec7076777441491b235fed8842ec6d714fdae7e3aebc4120425338eeacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqtl01cl\aqtl01cl.cmdline

Filesize
239B

MD5
b01610019eaf75ed643cd8a202a736f4

SHA1
31dded7795e2dd356636742369de7fa037b9c206

SHA256
7a02d786a48e66b0e62747b25a2d5cccc78b70cd68d19385778d062eb03b02a9

SHA512
1b9ae3281910305d37664a3500de769485dfa4ee3d9b6708d4ecefb2195b700cb8923d07ba748ddcc4b8b3d25e09e7cc0d096c146833bde21d7ec90f8d0ffcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2328462DB4FC41A3AEE6801FD233B73.TMP

Filesize
1KB

MD5
cf0a8cd08f417849d9748787d19b0f1b

SHA1
9c58376a071e126a73deedc8131c3fc0b61d78e3

SHA256
850f9a10e4ca66a432472b22bbe2f7d13cdbfc535b1c15e1516dbf4b93486044

SHA512
749709e69afa9e1b8f5f830579ba8b2ec9a86eacdcf3a1df5ad253888685af8aa9f27b7614dd28ac820bfb538b38350427167345b9461df4d31830b626541764

Download Submit
memory/2144-0-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

Filesize
4KB

Download
memory/2144-1-0x0000000000DB0000-0x0000000000DE6000-memory.dmp

Filesize
216KB

Download
memory/2144-2-0x000007FEF5C83000-0x000007FEF5C84000-memory.dmp

Filesize
4KB

Download
memory/2144-9-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-21-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

Filesize
9.9MB

Download