Analysis

  • max time kernel
    137s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2024 13:07

General

  • Target

    3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe

  • Size

    78KB

  • MD5

    07624ac00166d342ece8654baf2ab30b

  • SHA1

    9cd9b504b176f9e08cd79af4122d3e1909b3c3b2

  • SHA256

    3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499

  • SHA512

    77e43d8d99e606bb9064a168316d21dbdf898d56400948fe8f1444ba0eced64d2492968938cefd3f7f4a5288e64c698d2fa9c5c3d672b6e0a3ec917e719b2677

  • SSDEEP

    1536:158Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6w9/F91n1j:158Yn7N041Qqhg49/zj

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
    "C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a-zfptn3.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB28E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB28D.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2136
    • C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe" C:\Users\Admin\AppData\Local\Temp\3155051b123d2e9f0d9a4c687241902160f5d9b5e8cf770a128e20620d61b499.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB28E.tmp

    Filesize

    1KB

    MD5

    d335078e16e33469be90871e658a334b

    SHA1

    04284de2aab58a199dba739d237122bd2a5e7c2a

    SHA256

    6c373928bfad18364cc767f6f9783207b8dec34b73799e606614b52ff5850bfb

    SHA512

    40271e1f9836c4460c37b2f74ae33f5fff9694f797462ce5f6eb60b9f38144a4444d9f0213c9c6b2041fa5d3c42a8d712e4990949508890aab955a129e3aa068

  • C:\Users\Admin\AppData\Local\Temp\a-zfptn3.0.vb

    Filesize

    14KB

    MD5

    2976f3d7a32fea8f14df607b94522247

    SHA1

    796f63b6022b32c1706c7a9cd37baaec7536dd8b

    SHA256

    267792961e64b9c1486c2b8c3c646af4f2cfbce369968cb7f5848ad226c08bb2

    SHA512

    0c8cabe9149673413095102da58e6441b4a56600a4091c4450de26235ccc825d2cb5c69b96d75e7b9621375b54130d689c18265b6d4d3f0fe3ce3dc5902885ae

  • C:\Users\Admin\AppData\Local\Temp\a-zfptn3.cmdline

    Filesize

    266B

    MD5

    1cc73a5794b42671d6eddf41fe9dd493

    SHA1

    5b6f0813e5b42de64245774c4743d71c4e811045

    SHA256

    2bdb8a19e28119622b4da562c94a7fc7bd7e94dde1d58aa4bfcfe11ee10c6c32

    SHA512

    28f45d5f01a450ac767a71c34ccc70eaf03299c6d718113f69d5ab02deb5bee121ccdee055dd299b2a858c6e5fb5b7ecd32e5504fcdd2c114cbf5219451ba0d2

  • C:\Users\Admin\AppData\Local\Temp\tmpB126.tmp.exe

    Filesize

    78KB

    MD5

    c1b768814d98ad79ba771a6aec65b626

    SHA1

    14a9c6ef955c7d7ade3fb2f8e2a493a0e80fb0ec

    SHA256

    da9eaa0cdd16b2d00d7d7864a976835ad4c437e5185413d2cec9e5b8fe53a953

    SHA512

    fcbb86f48c2afcb4769c444900a52776bf49dc389809be1d63ce9db49eaa5a03ed9809d6d2fa985e8e89288299ad2a2fb93a249bdd268c2d39553a2356714a39

  • C:\Users\Admin\AppData\Local\Temp\vbcB28D.tmp

    Filesize

    660B

    MD5

    98c2ecb29d62b5752e49ec00afb8ad01

    SHA1

    3ca17eb5b3feb58343555753bbf1f03db6b1a49e

    SHA256

    7fb9d368dfd0e6e78ee45e9bccd3313be8ce9b8fef6c7ebce53f42759a360750

    SHA512

    f1cada288663806131bf9ac6a85312708853bf6a0bb5467146fceb7c49757083de23b87ca3d6f238d2ff00e38fcc4ac02f5b817450c2121f1aa5a90666651dcd

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    aa4bdac8c4e0538ec2bb4b7574c94192

    SHA1

    ef76d834232b67b27ebd75708922adea97aeacce

    SHA256

    d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

    SHA512

    0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/1300-0-0x0000000074131000-0x0000000074132000-memory.dmp

    Filesize

    4KB

  • memory/1300-1-0x0000000074130000-0x00000000746DB000-memory.dmp

    Filesize

    5.7MB

  • memory/1300-2-0x0000000074130000-0x00000000746DB000-memory.dmp

    Filesize

    5.7MB

  • memory/1300-24-0x0000000074130000-0x00000000746DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2448-8-0x0000000074130000-0x00000000746DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2448-18-0x0000000074130000-0x00000000746DB000-memory.dmp

    Filesize

    5.7MB