Analysis

  • max time kernel
    112s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2024 02:17

General

  • Target

    2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe

  • Size

    78KB

  • MD5

    e7b9e8d6e3f8c69f76f7a042ec752ec0

  • SHA1

    2d57654a6483df30956d5ed8bcff49709dd7586f

  • SHA256

    2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488a

  • SHA512

    9544b6cb58d76fd5793d9274edfdcd2849986e9b2455c84309879998bd15cdb71ab0054ce673004b4634dcabf3ff9ef79e3c3eabeee620284fd502bbd8d617dd

  • SSDEEP

    1536:yVc5fAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtS649/j11NE:oc5fAtWDDILJLovbicqOq3o+nw9/jq

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
    "C:\Users\Admin\AppData\Local\Temp\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\euw-90ku.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBB6.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2756
    • C:\Users\Admin\AppData\Local\Temp\tmpEACC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpEACC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
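
The signatures and process tree above describe a compile-and-drop chain: the sample writes a VB.NET source and response file to %TEMP%, runs vbc.exe with `/noconfig @...cmdline` (which in turn runs cvtres.exe), then executes the freshly built tmp*.tmp.exe, which sets a Run key. The detection logic below is an added example, not part of the sandbox report: it encodes that chain as four rules over Sysmon-style process-creation and registry events. The events are constructed to mirror the tree (PIDs as reported); the explorer.exe parent, the Run value name and data, and the build-tool allowlist used to suppress legitimate MSBuild compiles are assumptions.

```python
"""Detection logic for the compile-and-drop chain in the process tree above.

All events below are CONSTRUCTED for this example in a Sysmon-like shape
(process creation with parent PID, registry value set). They mirror the
sandbox process tree but are not its raw event log; the explorer.exe parent,
the Run value name/data and DEV_PARENTS are assumptions."""
import re
from dataclasses import dataclass

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RSP_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)   # @response-file argument
TMP_EXE_RE = re.compile(r"\\tmp[0-9a-f]+\.tmp\.exe$", re.IGNORECASE)
COMPILERS = {"vbc.exe", "csc.exe"}          # managed compilers under Microsoft.NET\Framework
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}  # tuning allowlist (assumption)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str
    value: str
    data: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(proc_events, reg_events):
    """Return (rule, pid, detail) tuples for every event that matches one of four rules."""
    by_pid = {e.pid: e for e in proc_events}
    findings = []
    for ev in proc_events:
        img = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        pimg = basename(parent.image) if parent else ""
        # Rule 1: vbc/csc reading a response file from %TEMP%, not launched by build tooling.
        if img in COMPILERS and pimg not in DEV_PARENTS:
            m = RSP_RE.search(ev.cmdline)
            if m and TEMP_RE.search(m.group(1)):
                findings.append(("compiler_tmp_rsp", ev.pid, pimg))
        # Rule 2: cvtres.exe under a compiler whose own parent is not build tooling (grandparent check).
        if img == "cvtres.exe" and pimg in COMPILERS:
            gp = by_pid.get(parent.ppid)
            if gp is None or basename(gp.image) not in DEV_PARENTS:
                findings.append(("cvtres_under_compiler", ev.pid, basename(gp.image) if gp else ""))
        # Rule 3: a tmp*.tmp.exe in %TEMP% started by another executable living in %TEMP%.
        if TMP_EXE_RE.search(ev.image) and parent and TEMP_RE.search(parent.image):
            findings.append(("dropped_tmp_exe", ev.pid, pimg))
    # Rule 4: a Run value whose data points into %TEMP% (persistence for the dropped binary).
    for r in reg_events:
        if "\\currentversion\\run" in r.key.lower() and TEMP_RE.search(r.data):
            findings.append(("run_key_to_temp", r.pid, r.value))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe"

# Constructed events mirroring the report's process tree (explorer.exe parent assumed).
PROC_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2648, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2812, 2648, NET + r"\vbc.exe",
              f'"{NET}\\vbc.exe" /noconfig @"{TEMP}\\euw-90ku.cmdline"'),
    ProcEvent(2756, 2812, NET + r"\cvtres.exe",
              f'{NET}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESEBB7.tmp" "{TEMP}\\vbcEBB6.tmp"'),
    ProcEvent(2556, 2648, TEMP + r"\tmpEACC.tmp.exe", f'"{TEMP}\\tmpEACC.tmp.exe" {SAMPLE}'),
]
# Constructed registry event: the value name and data are assumptions (report only says a Run key was added).
REG_EVENTS = [
    RegEvent(2556, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WinUpdate", TEMP + r"\tmpEACC.tmp.exe"),
]
# Constructed benign control: the same compiler chain under MSBuild with a response file in obj\.
BENIGN_EVENTS = [
    ProcEvent(300, 1, r"C:\Program Files\MSBuild\msbuild.exe", "msbuild.exe app.vbproj"),
    ProcEvent(301, 300, NET + r"\vbc.exe", f'"{NET}\\vbc.exe" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'),
    ProcEvent(302, 301, NET + r"\cvtres.exe", f'{NET}\\cvtres.exe /NOLOGO "/OUT:C:\\src\\app\\obj\\Debug\\res.tmp"'),
]

if __name__ == "__main__":
    for finding in detect(PROC_EVENTS, REG_EVENTS):
        print(finding)
    print("benign:", detect(BENIGN_EVENTS, []))
```

Run against the constructed events the four rules fire once each (vbc.exe 2812, cvtres.exe 2756, tmpEACC.tmp.exe 2556, and the Run value set by 2556), while the MSBuild control produces nothing. Rules 1 and 2 deliberately key on the parent or grandparent rather than on vbc.exe alone, because the compiler itself is a signed Microsoft binary that developer hosts run constantly; the allowlist is where the tuning lives.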

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESEBB7.tmp

    Filesize

    1KB

    MD5

    e67ff97713f8e0665263a6458a5fbbdb

    SHA1

    9acd64f4ee5c0248293570896f61a21f923f17b8

    SHA256

    1eb4e197b3a9fbf35c6e9479cf36f0d7b17e7d52c1e8d795bb73a56ce7f26dc6

    SHA512

    86e738aa4fa3768074bab8a6e2b80fafb4e499cc57e035d296e10ee1a24bc06c636257bc4603e9793c18be1de7e3f0deeffa9d846d58aaa7f7fbe96797950206

  • C:\Users\Admin\AppData\Local\Temp\euw-90ku.0.vb

    Filesize

    14KB

    MD5

    71590725e120385e6219849b848c7a56

    SHA1

    1e398fe5a1dfeca257b2d757ea151c2b35a1f043

    SHA256

    a63d1e1bc72c2c06728295d02645234711a9cecf6cfbfa206bb4dc882520e064

    SHA512

    9ac881c2201726a912311fece7dd6bd0689422f53fc24d456b4a706bf37b2b0c6be41e95ef9a14472482cffa4d861af52b8a6bc6ca338526adbd3fb25582e12a

  • C:\Users\Admin\AppData\Local\Temp\euw-90ku.cmdline

    Filesize

    266B

    MD5

    1236c7ea41390c7de99010177e271bd9

    SHA1

    b7c7aeaec6c66dad3ee96f6a7ee931152246ca5a

    SHA256

    c072b613c291c27533a40654a92fec4ec3f3cb8be06653cd3b0abb7e2c653c2b

    SHA512

    67b3ad39fac1dec39ba932005c87f3230aba263f5b2aff5678b1f3aa8296835e63f2e606ed1ae160637b931a97a9da02ab33f018fedb6f1230b9dad5fee94e46

  • C:\Users\Admin\AppData\Local\Temp\tmpEACC.tmp.exe

    Filesize

    78KB

    MD5

    b46db3efaa16d20c795670e618325358

    SHA1

    9437b34628a9ee6fc38d84551cf85d0260a0646a

    SHA256

    cd3b8642c78b46af4de8f907c32638fa31e98cbe0d427321bbf7f79c49ebd77f

    SHA512

    6c4f56d9e72eaedef15014dc4ea515bd994b119ee4b6accbe2333cb1876290412b19d611294e6b1e7222deac548652ca33ff35a3fc39dd51bf562060cfc66eda

  • C:\Users\Admin\AppData\Local\Temp\vbcEBB6.tmp

    Filesize

    660B

    MD5

    762bb884488de96eb56e4cace50ebfff

    SHA1

    841528e15e5f6e86edbe2864f48f1aea719cfbb1

    SHA256

    00fe0c5e97a6ca4ff5c737ee1f8689573e8037a1031208585d8dffd48b5e5f7a

    SHA512

    dda392b49e4aafadac2937605319ab7ee581b93988dec43ce66a281d0ce5f1adc8f0718adee1abf20a5f5283d720992d5d137fe4bb42e5105d7c0e8a29c69847

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    a26b0f78faa3881bb6307a944b096e91

    SHA1

    42b01830723bf07d14f3086fa83c4f74f5649368

    SHA256

    b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

    SHA512

    a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

  • memory/2648-0-0x00000000742E1000-0x00000000742E2000-memory.dmp

    Filesize

    4KB

  • memory/2648-1-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-2-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/2648-24-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/2812-8-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB

  • memory/2812-18-0x00000000742E0000-0x000000007488B000-memory.dmp

    Filesize

    5.7MB