Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2024 04:26

General

  • Target
    45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
  • Size
    78KB
  • MD5
    d4013599520de9c8b1ae67d9abaee087
  • SHA1
    73e8c0b7b6f71cdc8c52b0d19904b3ca2d61e583
  • SHA256
    45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd
  • SHA512
    2b384517313bb0fd28eb876290f5d9e02bad92eb86ea3ed3de7c023a94d05ea248643847408072528d5fe46d6c2323d0e0e12c3b8c4833b4e681a2cb56bd579f
  • SSDEEP
    1536:RsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtj9/f1GC2:RsH/3DJywQjDgTLopLwdCFJzj9/T2

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
    "C:\Users\Admin\AppData\Local\Temp\45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t-tuttlk.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE1B8.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3056
    • C:\Users\Admin\AppData\Local\Temp\tmpE09F.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpE09F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESE1B9.tmp
    Filesize: 1KB
    MD5: 57602da82d158747e6e50462c8877ce6
    SHA1: 6336ac04dffce5553be4a3daacbea052e408f2cc
    SHA256: 6b59c11f258fcd4cf804ec857cbadc46d7d7bea5a82eeb40dc5f1aa1364f87aa
    SHA512: caaee88740607f69442b0ea27dc00249488d8b51f75f58920b082f92246f0ea86d66a6d2dde070cc5b16c13f734a83a731b1b59fe7c9f38a6940b91b16312f53

  • C:\Users\Admin\AppData\Local\Temp\t-tuttlk.0.vb
    Filesize: 15KB
    MD5: 643233dbd6e64b5ed05165ddafc3b26b
    SHA1: 066b2d5c4cb320b6644b29d92959d7d065a735c1
    SHA256: d08e73edd69e920e91f37f546a05b9182c5d587e3c552f0b1da0df05449a1a12
    SHA512: 0e88ddc06f70e4d29dc28ed46ae324c11f5fb4cf717f41870e79f1dfa5776aeb0ee2d8366f4bb34de78bad8741e65fd4b50127c8bc372d980b64a669657e6b3d

  • C:\Users\Admin\AppData\Local\Temp\t-tuttlk.cmdline
    Filesize: 266B
    MD5: 73c3adff8e3577ff0f7ff1d3fbceb40f
    SHA1: 2b18b03ae799b3cc46fe73cfb880882642f41acb
    SHA256: 10aad81979b5e4df63011273c7e9cdae960fee1b8ee60b96e276fc56abefaae6
    SHA512: ba8117911b8d97895e8fdf5a7960cada0cbda127b458920ebd40e41d2d4d4f7d39e4684a976afb441a537e51db98a4cba4b2109d203112d521ffaa029a4b7636

  • C:\Users\Admin\AppData\Local\Temp\tmpE09F.tmp.exe
    Filesize: 78KB
    MD5: 53dcf651ebbf411722d97f8b94a1bcb9
    SHA1: c568fa5f301102144df041970c70e00d42f0c244
    SHA256: a5e2a221e0c00eb298bd548b34ce6b7fe80332e211e758739f1dc90d9f55ce79
    SHA512: 13af1e22e70649c3cfd447fe5a7b0d8790483474345ccf2691a98586a9b455c8d7fbe94272d7424c39a128d72d9b943b8c581c28d60ae41c8252acbf9a288975

  • C:\Users\Admin\AppData\Local\Temp\vbcE1B8.tmp
    Filesize: 660B
    MD5: 0ac2309a343a7f53168232fee92cd021
    SHA1: 0f3687a87a1ce8a1ce74b066dbd7d50ad3e17d3f
    SHA256: cbfdf0042dd6fd3fc64349dc40a00de7d256dbdcef25926ab5718e2842cf3a38
    SHA512: f32e196a22665cb14bfba4f0a326646fa08702880bfa97422736d6f5abe560f528f1d40fbdf35aab5a87ad09b8980aea6f627c9e9a5b3fa92c1c907c76d20b4c

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: 484967ab9def8ff17dd55476ca137721
    SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
    SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
    SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/2092-8-0x00000000746A0000-0x0000000074C4B000-memory.dmp
    Filesize: 5.7MB

  • memory/2092-18-0x00000000746A0000-0x0000000074C4B000-memory.dmp
    Filesize: 5.7MB

  • memory/2344-0-0x00000000746A1000-0x00000000746A2000-memory.dmp
    Filesize: 4KB

  • memory/2344-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp
    Filesize: 5.7MB

  • memory/2344-2-0x00000000746A0000-0x0000000074C4B000-memory.dmp
    Filesize: 5.7MB

  • memory/2344-24-0x00000000746A0000-0x0000000074C4B000-memory.dmp
    Filesize: 5.7MB