Analysis

max time kernel: 137s
max time network: 147s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 13:07
Static task: static1

Behavioral task: behavioral1
  Sample: 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  Resource: win10v2004-20241007-en
General

Target: 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
Size: 78KB
MD5: 07624ac00166d342ece8654baf2ab30b
SHA1: 9cd9b504b176f9e08cd79af4122d3e1909b3c3b2
SHA256: 3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499
SHA512: 77e43d8d99e606bb9064a168316d21dbdf898d56400948fe8f1444ba0eced64d2492968938cefd3f7f4a5288e64c698d2fa9c5c3d672b6e0a3ec917e719b2677
SSDEEP: 1536:158Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6w9/F91n1j:158Yn7N041Qqhg49/zj
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2776  tmpB126.tmp.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""
  Process: tmpB126.tmp.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpB126.tmp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  Token: SeDebugPrivilege  2776  tmpB126.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1300 wrote to memory of 2448  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe  30
  PID 1300 wrote to memory of 2448  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe  30
  PID 1300 wrote to memory of 2448  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe  30
  PID 1300 wrote to memory of 2448  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe  30
  PID 2448 wrote to memory of 2136  2448  vbc.exe                                                                 32
  PID 2448 wrote to memory of 2136  2448  vbc.exe                                                                 32
  PID 2448 wrote to memory of 2136  2448  vbc.exe                                                                 32
  PID 2448 wrote to memory of 2136  2448  vbc.exe                                                                 32
  PID 1300 wrote to memory of 2776  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe  33
  PID 1300 wrote to memory of 2776  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe  33
  PID 1300 wrote to memory of 2776  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe  33
  PID 1300 wrote to memory of 2776  1300  3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe  33
Processes

C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe"
  PID: 1300
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a-zfptn3.cmdline"
      PID: 2448
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB28E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB28D.tmp"
          PID: 2136
          - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
      PID: 2776
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
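The process tree and the registry IoC above describe three linked behaviours: the sample spawns the .NET 2.0 vbc.exe with a @*.cmdline response file in %TEMP% and vbc.exe in turn spawns cvtres.exe (the on-disk shape of .NET CodeDOM compile-at-runtime), the sample then launches the dropped tmpB126.tmp.exe with its own path as an argument, and that dropped process writes a Run value named System.XML pointing at AppLaunch.exe in %TEMP%. Two caveats worth noting from the report itself: AppLaunch.exe is the name of a legitimate .NET Framework binary that lives under %WINDIR%\Microsoft.NET, not under a user's Temp directory, and the Temp copy never appears in this run's process tree, so the persisted binary is not observed executing here. The script below is an added example, not part of the sandbox output, that turns those three observations into detection rules and runs them over event records constructed by hand from this report. The record layout (pid, ppid, image, cmdline, path, value) is this example's own schema rather than a sandbox or EDR format, and the root process's parent pid, which the report does not give, is assumed to be 0.

```python
"""Detection rules for the compile-at-runtime, dropped-EXE and Run-key pattern
in this report, run over hand-constructed event records (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Locations an unprivileged user can write to. A persistence target, a compiler
# parent or a response file living here is far more suspicious than one under
# %WINDIR% or Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Well-known Microsoft binary names malware borrows for persistence entries.
# AppLaunch.exe is a .NET Framework component that legitimately lives only
# under %WINDIR%\Microsoft.NET.
MS_NAMES = {"applaunch.exe", "svchost.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\([^\\]+)$", re.I)
RESP_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)


@dataclass
class Proc:            # one process-creation record (example schema)
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegSet:          # one registry set-value record (example schema)
    pid: int
    image: str
    path: str
    value: str


def base(p: str) -> str:
    return ntpath.basename(p).lower()


def user_writable(p: str) -> bool:
    return any(marker in p.lower() for marker in USER_WRITABLE)


def runtime_compile(procs):
    """vbc.exe/csc.exe started with a @*.cmdline response file in a user-writable
    directory, by a parent that itself lives in a user-writable directory, and
    followed by a cvtres.exe child (it converts the resource file the compiler
    emits). That combination is CodeDOM compilation driven by untrusted code."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if base(p.image) not in ("vbc.exe", "csc.exe"):
            continue
        m = RESP_FILE_RE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if not m or parent is None:
            continue
        child_cvtres = any(c.ppid == p.pid and base(c.image) == "cvtres.exe" for c in procs)
        if user_writable(m.group(1)) and user_writable(parent.image) and child_cvtres:
            hits.append({"compiler_pid": p.pid, "parent": base(parent.image),
                         "response_file": ntpath.basename(m.group(1))})
    return hits


def run_key_persistence(regs):
    """Run/RunOnce value whose target sits in a user-writable path; also flag a
    target that borrows a Microsoft binary name outside a Windows directory."""
    hits = []
    for r in regs:
        m = RUN_KEY_RE.search(r.path)
        if not m:
            continue
        target = r.value.strip().strip('"')
        if user_writable(target):
            hits.append({"value_name": m.group(2), "target": target,
                         "writer": base(r.image), "masquerade": base(target) in MS_NAMES})
    return hits


def dropped_exe_exec(procs):
    """Child started from a user-writable path and handed its parent's own path
    on the command line, the shape of a stage that replaces or cleans up the
    original file. A process re-spawning its own image is excluded."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or not user_writable(p.image):
            continue
        if parent.image.lower() in p.cmdline.lower() and base(parent.image) != base(p.image):
            hits.append({"pid": p.pid, "image": base(p.image), "arg_is_parent": True})
    return hits


def analyze(procs, regs):
    return {"runtime_compile": runtime_compile(procs),
            "run_key_persistence": run_key_persistence(regs),
            "dropped_exe_exec": dropped_exe_exec(procs)}


# Constructed from this report's process tree and registry IoC.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = "3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe"
SAMPLE_PATH = ntpath.join(TEMP, SAMPLE)
DROPPED = ntpath.join(TEMP, "tmpB126.tmp.exe")

PROCS = [
    Proc(1300, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),                    # ppid 0 assumed
    Proc(2448, 1300, ntpath.join(FW, "vbc.exe"),
         f'"{FW}\\vbc.exe" /noconfig @"{TEMP}\\a-zfptn3.cmdline"'),
    Proc(2136, 2448, ntpath.join(FW, "cvtres.exe"),
         f'{FW}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESB28E.tmp" "{TEMP}\\vbcB28D.tmp"'),
    Proc(2776, 1300, DROPPED, f'"{DROPPED}" {SAMPLE_PATH}'),
]
REGS = [
    RegSet(2776, DROPPED,
           r"\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\System.XML",
           f'"{TEMP}\\AppLaunch.exe"'),
]

if __name__ == "__main__":
    for rule, hits in analyze(PROCS, REGS).items():
        print(rule, hits)
```

Against the constructed records every rule fires once: the compile rule on PID 2448 with parent 3155051b...exe and response file a-zfptn3.cmdline, the persistence rule on System.XML with masquerade set because the target is named AppLaunch.exe outside %WINDIR%, and the dropped-EXE rule on PID 2776. The same three rules translate directly to Sysmon event IDs 1 and 13 or to EDR process and registry telemetry; the user-writable-path test is what keeps ordinary developer use of vbc.exe and legitimate Program Files Run entries from matching.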
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: d335078e16e33469be90871e658a334b
SHA1: 04284de2aab58a199dba739d237122bd2a5e7c2a
SHA256: 6c373928bfad18364cc767f6f9783207b8dec34b73799e606614b52ff5850bfb
SHA512: 40271e1f9836c4460c37b2f74ae33f5fff9694f797462ce5f6eb60b9f38144a4444d9f0213c9c6b2041fa5d3c42a8d712e4990949508890aab955a129e3aa068

Filesize: 14KB
MD5: 2976f3d7a32fea8f14df607b94522247
SHA1: 796f63b6022b32c1706c7a9cd37baaec7536dd8b
SHA256: 267792961e64b9c1486c2b8c3c646af4f2cfbce369968cb7f5848ad226c08bb2
SHA512: 0c8cabe9149673413095102da58e6441b4a56600a4091c4450de26235ccc825d2cb5c69b96d75e7b9621375b54130d689c18265b6d4d3f0fe3ce3dc5902885ae

Filesize: 266B
MD5: 1cc73a5794b42671d6eddf41fe9dd493
SHA1: 5b6f0813e5b42de64245774c4743d71c4e811045
SHA256: 2bdb8a19e28119622b4da562c94a7fc7bd7e94dde1d58aa4bfcfe11ee10c6c32
SHA512: 28f45d5f01a450ac767a71c34ccc70eaf03299c6d718113f69d5ab02deb5bee121ccdee055dd299b2a858c6e5fb5b7ecd32e5504fcdd2c114cbf5219451ba0d2

Filesize: 78KB
MD5: c1b768814d98ad79ba771a6aec65b626
SHA1: 14a9c6ef955c7d7ade3fb2f8e2a493a0e80fb0ec
SHA256: da9eaa0cdd16b2d00d7d7864a976835ad4c437e5185413d2cec9e5b8fe53a953
SHA512: fcbb86f48c2afcb4769c444900a52776bf49dc389809be1d63ce9db49eaa5a03ed9809d6d2fa985e8e89288299ad2a2fb93a249bdd268c2d39553a2356714a39

Filesize: 660B
MD5: 98c2ecb29d62b5752e49ec00afb8ad01
SHA1: 3ca17eb5b3feb58343555753bbf1f03db6b1a49e
SHA256: 7fb9d368dfd0e6e78ee45e9bccd3313be8ce9b8fef6c7ebce53f42759a360750
SHA512: f1cada288663806131bf9ac6a85312708853bf6a0bb5467146fceb7c49757083de23b87ca3d6f238d2ff00e38fcc4ac02f5b817450c2121f1aa5a90666651dcd

Filesize: 62KB
MD5: aa4bdac8c4e0538ec2bb4b7574c94192
SHA1: ef76d834232b67b27ebd75708922adea97aeacce
SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65