Analysis

  • max time kernel: 119s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 02-12-2024 13:00

General

  • Target: 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  • Size: 78KB
  • MD5: 07624ac00166d342ece8654baf2ab30b
  • SHA1: 9cd9b504b176f9e08cd79af4122d3e1909b3c3b2
  • SHA256: 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499
  • SHA512: 77e43d8d99e606bb9064a168316d21dbdf898d56400948fe8f1444ba0eced64d2492968938cefd3f7f4a5288e64c698d2fa9c5c3d672b6e0a3ec917e719b2677
  • SSDEEP: 1536:158Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6w9/F91n1j:158Yn7N041Qqhg49/zj

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
    "C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0cys8ui-.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50EE.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2704
    • C:\Users\Admin\AppData\Local\Temp\tmp4FA6.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp4FA6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0cys8ui-.0.vb
    Filesize: 14KB
    MD5: e48e72b871ee9e0f5063a3ac933196d8
    SHA1: 1c9f7054397780effcce647493379792b80607e1
    SHA256: 26dad9b9e12d6efa926a4defc9cd6fc765604c1c6e9b9d45e67b1f7c0dc933be
    SHA512: 842317f0ea03097e9050f51cf85804753cc5bc76253b9aba3b123f47b2133ea1b6f1b2ebbaeaef114d060135892ca22eafccc718b95348f94bfdcde949450398

  • C:\Users\Admin\AppData\Local\Temp\0cys8ui-.cmdline
    Filesize: 266B
    MD5: 221ab59a40d69220176b6452b85fa965
    SHA1: e07adbb944c912d05aeec44e553b600042dd9227
    SHA256: 6ad9e2987e1653426bc692d9e1fcaee05cf18e4cd2cf2f02dfbd38cd50105b6d
    SHA512: 0f7abb74226119dfa13e9e76c2e4f6dd426c38bae75e177e86c2b3c3065d6ef84052fc3cf5e32522c5f7f4274714cf53ce672f13f25474e93677c86efc105d97

  • C:\Users\Admin\AppData\Local\Temp\RES50EF.tmp
    Filesize: 1KB
    MD5: 29b1b8662828463867ca85813b7eed85
    SHA1: 5a991da7ea50f9c1e9e801dde755054be438c21b
    SHA256: d1f676dfa98d010913e80e6f8d45e914a7bbf8e50d3567d71504e629d7397c63
    SHA512: 573bb37b0da2542d2dd124333146eba5f47d0ad2d2ba1c219e8f581e5e7479d046c8680e23d3f087f1e180b6f6d6963574c39d6cf176f85354e5173c771d2bd3

  • C:\Users\Admin\AppData\Local\Temp\tmp4FA6.tmp.exe
    Filesize: 78KB
    MD5: 180549eb20c09f40dd52aeefe23c68a7
    SHA1: 6d3597ae1534e64be16670249feea178ef93bc53
    SHA256: 38e8d52b1740648e9a229fbf5fe0f194402abc13f680621231bf5299dd0121f4
    SHA512: 2e92b5abbea44ede654094cccb00c8a673c828ada52a28ef955c9c318f79c0a9366355a7633759c2c301a8402925b975e9e6b362b6dfef930a00576b4ea5fa36

  • C:\Users\Admin\AppData\Local\Temp\vbc50EE.tmp
    Filesize: 660B
    MD5: 37a0c85e6cdd785b5fedd5be789879b9
    SHA1: e69fb3e4d9691341c31684c58dc53a8da26539ef
    SHA256: 9230f85bb740c5c92dad7de5765b9133685dc40a19bde80a6da825abbc53db3e
    SHA512: eb24d6477e1ef9bd02bf606bcf3107d79bc42092d5ebbcf81553867d7bd85c649ce72288dcf42e85a882ccf2de5ad69d24cf35c8a4cd03eae88891c0b08704cd

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: aa4bdac8c4e0538ec2bb4b7574c94192
    SHA1: ef76d834232b67b27ebd75708922adea97aeacce
    SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
    SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/2680-8-0x0000000074300000-0x00000000748AB000-memory.dmp
    Filesize: 5.7MB

  • memory/2680-18-0x0000000074300000-0x00000000748AB000-memory.dmp
    Filesize: 5.7MB

  • memory/3056-0-0x0000000074301000-0x0000000074302000-memory.dmp
    Filesize: 4KB

  • memory/3056-1-0x0000000074300000-0x00000000748AB000-memory.dmp
    Filesize: 5.7MB

  • memory/3056-2-0x0000000074300000-0x00000000748AB000-memory.dmp
    Filesize: 5.7MB

  • memory/3056-24-0x0000000074300000-0x00000000748AB000-memory.dmp
    Filesize: 5.7MB