Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 13:00
Static task: static1
Behavioral task: behavioral1
  Sample: 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  Resource: win10v2004-20241007-en
General
Target: 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
Size: 78KB
MD5: 07624ac00166d342ece8654baf2ab30b
SHA1: 9cd9b504b176f9e08cd79af4122d3e1909b3c3b2
SHA256: 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499
SHA512: 77e43d8d99e606bb9064a168316d21dbdf898d56400948fe8f1444ba0eced64d2492968938cefd3f7f4a5288e64c698d2fa9c5c3d672b6e0a3ec917e719b2677
SSDEEP: 1536:158Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6w9/F91n1j:158Yn7N041Qqhg49/zj
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 1036, process tmp4FA6.tmp.exe
Loads dropped DLL (2 IoCs)
  pid 3056, process 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  pid 3056, process 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" (process tmp4FA6.tmp.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process tmp4FA6.tmp.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 3056, process 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  Token: SeDebugPrivilege, pid 1036, process tmp4FA6.tmp.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Columns: description, pid, process, procid_target
  PID 3056 wrote to memory of 2680, 3056, 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe, 30
  PID 3056 wrote to memory of 2680, 3056, 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe, 30
  PID 3056 wrote to memory of 2680, 3056, 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe, 30
  PID 3056 wrote to memory of 2680, 3056, 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe, 30
  PID 2680 wrote to memory of 2704, 2680, vbc.exe, 32
  PID 2680 wrote to memory of 2704, 2680, vbc.exe, 32
  PID 2680 wrote to memory of 2704, 2680, vbc.exe, 32
  PID 2680 wrote to memory of 2704, 2680, vbc.exe, 32
  PID 3056 wrote to memory of 1036, 3056, 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe, 33
  PID 3056 wrote to memory of 1036, 3056, 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe, 33
  PID 3056 wrote to memory of 1036, 3056, 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe, 33
  PID 3056 wrote to memory of 1036, 3056, 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe, 33
Processes
1. C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe"
   PID: 3056
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0cys8ui-.cmdline"
      PID: 2680
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50EF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc50EE.tmp"
         PID: 2704
         - System Location Discovery: System Language Discovery
   2. C:\Users\Admin\AppData\Local\Temp\tmp4FA6.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4FA6.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
      PID: 1036
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads