Analysis

max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/11/2024, 12:40

Static task: static1

Behavioral task: behavioral1
  Sample: a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe
  Resource: win10v2004-20241007-en
General

Target: a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe
Size: 78KB
MD5: b5e5cc450ce24bb3ebce0a58805094c0
SHA1: d4324325761bb6c36b0695ecab77118e55192ba6
SHA256: a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26
SHA512: 975dadfed33aad6ea427a05df3fac95f2a2070417aa7451167fdf868a99ff2f304353919973eeb93da901b35b47d1f06d9f8eb5989d6acc0c816df07016b5fa6
SSDEEP: 1536:tCHF3M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQth9/C1xg:tCHF83xSyRxvY3md+dWWZyh9/5
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
  Process: a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe

Deletes itself (1 IoC)
  PID 1220: tmp8C04.tmp.exe

Executes dropped EXE (1 IoC)
  PID 1220: tmp8C04.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\""
  Process: tmp8C04.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: tmp8C04.tmp.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 4856  a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe
  Token: SeDebugPrivilege  PID 1220  tmp8C04.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description / pid / process / procid_target:
  PID 4856 wrote to memory of 4908  4856  a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe  82
  PID 4856 wrote to memory of 4908  4856  a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe  82
  PID 4856 wrote to memory of 4908  4856  a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe  82
  PID 4908 wrote to memory of 2820  4908  vbc.exe  84
  PID 4908 wrote to memory of 2820  4908  vbc.exe  84
  PID 4908 wrote to memory of 2820  4908  vbc.exe  84
  PID 4856 wrote to memory of 1220  4856  a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe  85
  PID 4856 wrote to memory of 1220  4856  a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe  85
  PID 4856 wrote to memory of 1220  4856  a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe  85
Processes

C:\Users\Admin\AppData\Local\Temp\a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe  (level 1, PID 4856)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (level 2, PID 4908)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bomyj-uy.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  (level 3, PID 2820)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CDE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc351F56EE7B70472B9049AB6FC433C1CF.TMP"
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmp8C04.tmp.exe  (level 2, PID 1220)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp8C04.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a2359309d16be094bde84b356d09a145042e57403d6ce77f406f0dabc5a9ad26N.exe
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads