Analysis
max time kernel: 112s
max time network: 116s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
  Resource: win10v2004-20241007-en
General
Target: 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
Size: 78KB
MD5: e7b9e8d6e3f8c69f76f7a042ec752ec0
SHA1: 2d57654a6483df30956d5ed8bcff49709dd7586f
SHA256: 2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488a
SHA512: 9544b6cb58d76fd5793d9274edfdcd2849986e9b2455c84309879998bd15cdb71ab0054ce673004b4634dcabf3ff9ef79e3c3eabeee620284fd502bbd8d617dd
SSDEEP: 1536:yVc5fAlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9QtS649/j11NE:oc5fAtWDDILJLovbicqOq3o+nw9/jq
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2556  tmpEACC.tmp.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
  2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  description        ioc                                                                                                                                       Process
  Set value (str)    \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""    tmpEACC.tmp.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    vbc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    cvtres.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    tmpEACC.tmp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
  Token: SeDebugPrivilege   2556  tmpEACC.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                      pid   Process                                                                  procid_target
  PID 2648 wrote to memory of 2812 2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe   31
  PID 2648 wrote to memory of 2812 2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe   31
  PID 2648 wrote to memory of 2812 2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe   31
  PID 2648 wrote to memory of 2812 2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe   31
  PID 2812 wrote to memory of 2756 2812  vbc.exe                                                                  33
  PID 2812 wrote to memory of 2756 2812  vbc.exe                                                                  33
  PID 2812 wrote to memory of 2756 2812  vbc.exe                                                                  33
  PID 2812 wrote to memory of 2756 2812  vbc.exe                                                                  33
  PID 2648 wrote to memory of 2556 2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe   34
  PID 2648 wrote to memory of 2556 2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe   34
  PID 2648 wrote to memory of 2556 2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe   34
  PID 2648 wrote to memory of 2556 2648  2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe   34
Processes
C:\Users\Admin\AppData\Local\Temp\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2648
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\euw-90ku.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2812
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBB7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEBB6.tmp"
      - System Location Discovery: System Language Discovery
      PID: 2756
  C:\Users\Admin\AppData\Local\Temp\tmpEACC.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpEACC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\2238d26317b08740d5e18cbce9d2abd7be64643f69f8aef33c66936200ce488aN.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2556
Network
MITRE ATT&CK Enterprise v15
Downloads