Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
02-12-2024 04:26
Static task
static1
Behavioral task
behavioral1
Sample
45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
Resource
win10v2004-20241007-en
General
-
Target
45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
-
Size
78KB
-
MD5
d4013599520de9c8b1ae67d9abaee087
-
SHA1
73e8c0b7b6f71cdc8c52b0d19904b3ca2d61e583
-
SHA256
45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd
-
SHA512
2b384517313bb0fd28eb876290f5d9e02bad92eb86ea3ed3de7c023a94d05ea248643847408072528d5fe46d6c2323d0e0e12c3b8c4833b4e681a2cb56bd579f
-
SSDEEP
1536:RsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtj9/f1GC2:RsH/3DJywQjDgTLopLwdCFJzj9/T2
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
PID | Process
2236 | tmpE09F.tmp.exe
-
Loads dropped DLL 2 IoCs
PID | Process
2344 | 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
2344 | 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe -
Uses the VBS compiler for execution 1 TTPs
The sample launches the Visual Basic .NET compiler (vbc.exe) that ships with the .NET Framework, with a response file (@"...\t-tuttlk.cmdline") written to the user's temp directory, so that code is compiled on the victim at runtime rather than carried as a finished PE. vbc.exe in turn runs cvtres.exe to build the resource section, and the parent then executes the freshly built binary (tmpE09F.tmp.exe) from the same temp directory; the process tree below shows the full chain.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This registry key is also read during ordinary locale initialisation, and here it fires for Microsoft's own compiler tooling (vbc.exe, cvtres.exe) as well as for the sample and the dropped executable, so on its own it is a weak indicator; it only carries weight together with the rest of the chain.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmpE09F.tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
SeDebugPrivilege lets the holder open processes it does not own regardless of their ACLs; a binary running from the user's temp directory enabling it is a useful secondary indicator.
description | PID | Process
Token: SeDebugPrivilege | 2344 | 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description | PID | Process | procid_target
PID 2344 wrote to memory of 2092 (4 entries) | 2344 | 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe | 31
PID 2092 wrote to memory of 3056 (4 entries) | 2092 | vbc.exe | 33
PID 2344 wrote to memory of 2236 (4 entries) | 2344 | 45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe | 34
On Windows a parent writes into a newly created child's address space as part of ordinary process creation, and these entries line up exactly with the three launches in the process tree (2344 to 2092, 2092 to 3056, 2344 to 2236). Read them as corroboration of the tree rather than as evidence of a separate injection step. -
Processes
-
C:\Users\Admin\AppData\Local\Temp\45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe (PID 2344)
    Command line: "C:\Users\Admin\AppData\Local\Temp\45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2092, child of 2344)
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t-tuttlk.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3056, child of 2092)
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE1B8.tmp"
            - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Local\Temp\tmpE09F.tmp.exe (PID 2236, child of 2344)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpE09F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
-
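The process tree above is the part of this report a detection engineer can act on: a binary in a user temp directory drives vbc.exe, and the same parent then executes a freshly written tmp*.tmp.exe, handing it the parent's own path. The following is an added example, not part of the sandbox report or the sample: it turns that chain into three correlated rules over process-creation events. The EVENTS list is constructed from the page's tree (PIDs, image paths and command lines are the report's; the root's parent PID is not shown on the page and is set to 0), BENIGN_EVENTS is a constructed control, and the rule names, the BUILD_TOOLS allowlist and the ProcEvent/Finding types are assumptions of this example, not Triage signatures.

```python
"""Process-tree detection for the runtime-compilation dropper chain.

Added example, not code from the sandbox report or from the sample.
Rule names, BUILD_TOOLS and the dataclasses are assumptions of this example.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event, in creation order (what Sysmon EID 1 or a sandbox trace gives you)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    ppid: int
    detail: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\45ec0efdf4e0bcf89bc4862a0ed16c1c1c668c62d35c6494c95eb973eb505ebd.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"

# Constructed from the report's process tree (root ppid unknown on the page, set to 0).
EVENTS = [
    ProcEvent(2344, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2092, 2344, FW + r"\vbc.exe",
              '"' + FW + r'\vbc.exe" /noconfig @"' + TEMP + r'\t-tuttlk.cmdline"'),
    ProcEvent(3056, 2092, FW + r"\cvtres.exe",
              FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
              + r'\RESE1B9.tmp" "' + TEMP + r'\vbcE1B8.tmp"'),
    ProcEvent(2236, 2344, TEMP + r"\tmpE09F.tmp.exe",
              '"' + TEMP + r'\tmpE09F.tmp.exe" ' + SAMPLE),
]

# Constructed benign control: a build tool driving the same compiler from a source tree.
BENIGN_EVENTS = [
    ProcEvent(500, 0, r"C:\Program Files\dotnet\dotnet.exe", "dotnet build"),
    ProcEvent(501, 500, FW + r"\vbc.exe",
              '"' + FW + r'\vbc.exe" /noconfig @"C:\src\app\obj\Debug\app.cmdline"'),
    ProcEvent(502, 501, FW + r"\cvtres.exe", FW + r"\cvtres.exe /NOLOGO"),
]

COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}              # .NET Framework compilers
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}  # allowlist (assumption; tune per estate)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_temp(path: str) -> bool:
    return USER_TEMP_RE.search(path) is not None


def detect(events):
    """Return the findings for an ordered list of ProcEvent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    compiler_runs = {}  # ppid -> (index, compiler event) for compilers launched by a non-build tool

    for idx, e in enumerate(events):
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        if name in COMPILERS:
            # csc/vbc launched by anything but a build tool is the "compile at runtime" tell.
            parent_name = basename(parent.image) if parent else "<unknown>"
            if parent_name not in BUILD_TOOLS:
                compiler_runs[e.ppid] = (idx, e)
                findings.append(Finding("compiler_from_unusual_parent", e.pid, e.ppid,
                                        f"{name} spawned by {parent_name}"))
        elif in_user_temp(e.image) and parent is not None and in_user_temp(parent.image):
            # A temp-resident binary starting another temp-resident binary: dropper behaviour.
            findings.append(Finding("dropped_exe_in_temp", e.pid, e.ppid,
                                    f"{name} launched from user temp by {basename(parent.image)}"))

    # Correlate: the same parent first ran a compiler, then executed a binary from temp.
    for idx, e in enumerate(events):
        run = compiler_runs.get(e.ppid)
        if run is None or idx <= run[0] or not in_user_temp(e.image):
            continue
        parent = by_pid[e.ppid]
        self_ref = parent.image.lower() in e.cmdline.lower()  # child told where its dropper lives
        findings.append(Finding("runtime_compile_then_execute", e.pid, e.ppid,
                                f"{basename(e.image)} run after {basename(run[1].image)}"
                                + ("; receives parent's own path as argument" if self_ref else "")))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:32} pid={f.pid} ppid={f.ppid} {f.detail}")
```

The cvtres.exe child is deliberately not a rule of its own: a compiler spawning cvtres.exe is normal, and what makes this tree suspicious is who launched the compiler and what the parent did next, which is why the third rule correlates on the parent PID and on event order rather than on any single process.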
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 57602da82d158747e6e50462c8877ce6
SHA1 6336ac04dffce5553be4a3daacbea052e408f2cc
SHA256 6b59c11f258fcd4cf804ec857cbadc46d7d7bea5a82eeb40dc5f1aa1364f87aa
SHA512 caaee88740607f69442b0ea27dc00249488d8b51f75f58920b082f92246f0ea86d66a6d2dde070cc5b16c13f734a83a731b1b59fe7c9f38a6940b91b16312f53
-
Filesize
15KB
MD5 643233dbd6e64b5ed05165ddafc3b26b
SHA1 066b2d5c4cb320b6644b29d92959d7d065a735c1
SHA256 d08e73edd69e920e91f37f546a05b9182c5d587e3c552f0b1da0df05449a1a12
SHA512 0e88ddc06f70e4d29dc28ed46ae324c11f5fb4cf717f41870e79f1dfa5776aeb0ee2d8366f4bb34de78bad8741e65fd4b50127c8bc372d980b64a669657e6b3d
-
Filesize
266B
MD5 73c3adff8e3577ff0f7ff1d3fbceb40f
SHA1 2b18b03ae799b3cc46fe73cfb880882642f41acb
SHA256 10aad81979b5e4df63011273c7e9cdae960fee1b8ee60b96e276fc56abefaae6
SHA512 ba8117911b8d97895e8fdf5a7960cada0cbda127b458920ebd40e41d2d4d4f7d39e4684a976afb441a537e51db98a4cba4b2109d203112d521ffaa029a4b7636
-
Filesize
78KB
MD5 53dcf651ebbf411722d97f8b94a1bcb9
SHA1 c568fa5f301102144df041970c70e00d42f0c244
SHA256 a5e2a221e0c00eb298bd548b34ce6b7fe80332e211e758739f1dc90d9f55ce79
SHA512 13af1e22e70649c3cfd447fe5a7b0d8790483474345ccf2691a98586a9b455c8d7fbe94272d7424c39a128d72d9b943b8c581c28d60ae41c8252acbf9a288975
-
Filesize
660B
MD5 0ac2309a343a7f53168232fee92cd021
SHA1 0f3687a87a1ce8a1ce74b066dbd7d50ad3e17d3f
SHA256 cbfdf0042dd6fd3fc64349dc40a00de7d256dbdcef25926ab5718e2842cf3a38
SHA512 f32e196a22665cb14bfba4f0a326646fa08702880bfa97422736d6f5abe560f528f1d40fbdf35aab5a87ad09b8980aea6f627c9e9a5b3fa92c1c907c76d20b4c
-
Filesize
62KB
MD5 484967ab9def8ff17dd55476ca137721
SHA1 a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7