Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-12-2024 13:16

General

  • Target

    4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe

  • Size

    78KB

  • MD5

    425ca0a0d0e9bcca9812b5f48a56c955

  • SHA1

    721290757978f2fddd1b3cc6f5f200344a20b38e

  • SHA256

    4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1

  • SHA512

    c9f86663fb8f3a700ef3357b505c97eec17a0ae45235cf693f5a6378c44e4d2e47e896753e9000cae59587db36961d7addb5cda8ee6bc61b43d697683a09f0a3

  • SSDEEP

    1536:SvWV58/pJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6d9/2K1Zgq:sWV58BJywQjDgTLopLwdCFJzF9/2Jq

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
    "C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h52ia-ur.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FA50B9DF46E4F7A9C8BE369A5195EBE.TMP"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1336
    • C:\Users\Admin\AppData\Local\Temp\tmp91E0.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp91E0.tmp.exe" C:\Users\Admin\AppData\Local\Temp\4f112b3cfe0291544cd34b83c02e76ce6bb47ab7fb7ae073ac8e0933000854b1.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES92DA.tmp

    Filesize

    1KB

    MD5

    f0c5034694d3290c853ba1bc9a397289

    SHA1

    0b3464eb8376f450a4f476ac87ca4817a74925e6

    SHA256

    26c87f95b989f6303b98b69b9e0f32ded4a8ad96c009c6d77dcd60cb1f22e262

    SHA512

    a874bd65903ce631ed3d14168f358b1ac512256be23329479eaa977c97846d6b200cddf57d15f5ec26c3c629673fb4205b30492dee1447a50f6c4b3646954de6

  • C:\Users\Admin\AppData\Local\Temp\h52ia-ur.0.vb

    Filesize

    14KB

    MD5

    6fb7ed266ea88ad94fe631df8fea4063

    SHA1

    3a73c2138556c55fc8ca787f7d6dce62eee67379

    SHA256

    ba2f43b3183e2912cf1ad1f2ebeba15c4d071327338cfafc1988d4df687f8c5e

    SHA512

    83032fc02c211bf987686b787b9289665b21304fc98c1093c793813dfae0e4cc641deeb29e911a83429b91ba6b8ea13e2c91d179e53b33e780e693a4d58c6c02

  • C:\Users\Admin\AppData\Local\Temp\h52ia-ur.cmdline

    Filesize

    266B

    MD5

    c0ec646739d64b1416eebe78abdad4e8

    SHA1

    e5207ba5699958484f84c73c3a5d939060850997

    SHA256

    9221e63f480ed5b7b09c1772adb765da15a8b6d12ce96c42e98d48f899d48e27

    SHA512

    8c378055102a310a06fb1eae417988c01ba291c6945dfa07f395fd97636cd4c56636e66ccb0e9277316c3827e7648d9fbcc111ba4f2179399aadd3b4f2e89bff

  • C:\Users\Admin\AppData\Local\Temp\tmp91E0.tmp.exe

    Filesize

    78KB

    MD5

    ca6f0cd353fc33fd38f06c3d0f9735ca

    SHA1

    20614fbf040fb6be8a3642ca4972b4d296f3aced

    SHA256

    a8e3f6784fd7c8a99e50b5d4d01bf2e1b5b76b620e3ff21ef43a6b12bebf5996

    SHA512

    f0242725ea6357b0e1932fd362ff23b045db528ae680f64136bfaa50a4d9d2bba12c1a8915aa91f435cddde8489a73f31fadbfe7a9cdeef303ab10c1ef21ee1f

  • C:\Users\Admin\AppData\Local\Temp\vbc8FA50B9DF46E4F7A9C8BE369A5195EBE.TMP

    Filesize

    660B

    MD5

    eb17c85fb03310d9e3336e4cddad1fb8

    SHA1

    2c8332e00f07136cbd04486696ee76ea719834a7

    SHA256

    2590d44ad3ecbf56795c68c6d9cab43db367e45ce4b804bd17e526c42b2c22ca

    SHA512

    e0a706513f54327d8647f3ccf03a2654cb75ddf03119a98933b70060a7dbbdbd4ab2dc397995707de5169d6d6d7960294e12812eefca4f75703688b60dee1040

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/1096-7-0x00007FFD1B1F0000-0x00007FFD1B3E5000-memory.dmp

    Filesize

    2.0MB

  • memory/2468-21-0x00007FFD1B1F0000-0x00007FFD1B3E5000-memory.dmp

    Filesize

    2.0MB

  • memory/2468-22-0x00007FFD1B1F0000-0x00007FFD1B3E5000-memory.dmp

    Filesize

    2.0MB

  • memory/2468-23-0x00007FFD1B1F0000-0x00007FFD1B3E5000-memory.dmp

    Filesize

    2.0MB

  • memory/2636-0-0x00007FFD1B1F0000-0x00007FFD1B3E5000-memory.dmp

    Filesize

    2.0MB

  • memory/2636-1-0x00007FFD1B1F0000-0x00007FFD1B3E5000-memory.dmp

    Filesize

    2.0MB

  • memory/2636-20-0x00007FFD1B1F0000-0x00007FFD1B3E5000-memory.dmp

    Filesize

    2.0MB