Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 13:16
Static task: static1
Behavioral task: behavioral1
  Sample: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  Resource: win10v2004-20241007-en
General
Target: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
Size: 78KB
MD5: 425ca0a0d0e9bcca9812b5f48a56c955
SHA1: 721290757978f2fddd1b3cc6f5f200344a20b38e
SHA256: 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1
SHA512: c9f86663fb8f3a700ef3357b505c97eec17a0ae45235cf693f5a6378c44e4d2e47e896753e9000cae59587db36961d7addb5cda8ee6bc61b43d697683a09f0a3
SSDEEP: 1536:SvWV58/pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6d9/2K1Zgq:sWV58BJywQjDgTLopLwdCFJzF9/2Jq
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                   | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe

Deletes itself (1 IoC)
  pid  | Process
  2468 | tmp91E0.tmp.exe

Executes dropped EXE (1 IoC)
  pid  | Process
  2468 | tmp91E0.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp91E0.tmp.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description             | pid  | Process
  Token: SeDebugPrivilege | 2636 | 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                      | pid  | Process                                                              | procid_target
  PID 2636 wrote to memory of 1096 | 2636 | 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe | 82
  PID 2636 wrote to memory of 1096 | 2636 | 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe | 82
  PID 2636 wrote to memory of 1096 | 2636 | 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe | 82
  PID 1096 wrote to memory of 1336 | 1096 | vbc.exe                                                              | 84
  PID 1096 wrote to memory of 1336 | 1096 | vbc.exe                                                              | 84
  PID 1096 wrote to memory of 1336 | 1096 | vbc.exe                                                              | 84
  PID 2636 wrote to memory of 2468 | 2636 | 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe | 85
  PID 2636 wrote to memory of 2468 | 2636 | 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe | 85
  PID 2636 wrote to memory of 2468 | 2636 | 4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe | 85
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2636
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h52ia-ur.cmdline"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1096
        [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FA50B9DF46E4F7A9C8BE369A5195EBE.TMP"
            - System Location Discovery: System Language Discovery
            PID: 1336
    [2] C:\Users\Admin\AppData\Local\Temp\tmp91E0.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp91E0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
        - Deletes itself
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 2468
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: f0c5034694d3290c853ba1bc9a397289
SHA1: 0b3464eb8376f450a4f476ac87ca4817a74925e6
SHA256: 26c87f95b989f6303b98b69b9e0f32ded4a8ad96c009c6d77dcd60cb1f22e262
SHA512: a874bd65903ce631ed3d14168f358b1ac512256be23329479eaa977c97846d6b200cddf57d15f5ec26c3c629673fb4205b30492dee1447a50f6c4b3646954de6

Filesize: 14KB
MD5: 6fb7ed266ea88ad94fe631df8fea4063
SHA1: 3a73c2138556c55fc8ca787f7d6dce62eee67379
SHA256: ba2f43b3183e2912cf1ad1f2ebeba15c4d071327338cfafc1988d4df687f8c5e
SHA512: 83032fc02c211bf987686b787b9289665b21304fc98c1093c793813dfae0e4cc641deeb29e911a83429b91ba6b8ea13e2c91d179e53b33e780e693a4d58c6c02

Filesize: 266B
MD5: c0ec646739d64b1416eebe78abdad4e8
SHA1: e5207ba5699958484f84c73c3a5d939060850997
SHA256: 9221e63f480ed5b7b09c1772adb765da15a8b6d12ce96c42e98d48f899d48e27
SHA512: 8c378055102a310a06fb1eae417988c01ba291c6945dfa07f395fd97636cd4c56636e66ccb0e9277316c3827e7648d9fbcc111ba4f2179399aadd3b4f2e89bff

Filesize: 78KB
MD5: ca6f0cd353fc33fd38f06c3d0f9735ca
SHA1: 20614fbf040fb6be8a3642ca4972b4d296f3aced
SHA256: a8e3f6784fd7c8a99e50b5d4d01bf2e1b5b76b620e3ff21ef43a6b12bebf5996
SHA512: f0242725ea6357b0e1932fd362ff23b045db528ae680f64136bfaa50a4d9d2bba12c1a8915aa91f435cddde8489a73f31fadbfe7a9cdeef303ab10c1ef21ee1f

Filesize: 660B
MD5: eb17c85fb03310d9e3336e4cddad1fb8
SHA1: 2c8332e00f07136cbd04486696ee76ea719834a7
SHA256: 2590d44ad3ecbf56795c68c6d9cab43db367e45ce4b804bd17e526c42b2c22ca
SHA512: e0a706513f54327d8647f3ccf03a2654cb75ddf03119a98933b70060a7dbbdbd4ab2dc397995707de5169d6d6d7960294e12812eefca4f75703688b60dee1040

Filesize: 62KB
MD5: 484967ab9def8ff17dd55476ca137721
SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7