Analysis
  max time kernel:  118s
  max time network: 119s
  platform:         windows7_x64
  resource:         win7-20241010-en
  resource tags:    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted:        03-12-2024 19:35
Static task: static1

Behavioral task: behavioral1
  Sample:   0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample:   0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
  Resource: win10v2004-20241007-en
General
  Target: 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
  Size:   78KB
  MD5:    581f9e5c8c590df7968f30199d0eb290
  SHA1:   f697c1b44cac00f00111d51ae8583940f93b0adc
  SHA256: 0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41f
  SHA512: d369d37f4e5e393bf42c4661636750b0a74965056d02aba0c8346fa85e36da7ae7d13629a4534e519ba50b0c2c1fbdb1d409a0863ea28d5a876c8327c02d5b86
  SSDEEP: 1536:158Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6w9/F91n1:158Yn7N041Qqhg49/z
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  2828  tmp7DE7.tmp.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
  2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""  tmp7DE7.tmp.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp7DE7.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
  Token: SeDebugPrivilege  2828  tmp7DE7.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                  procid_target
  PID 2488 wrote to memory of 2332   2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe  30
  PID 2488 wrote to memory of 2332   2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe  30
  PID 2488 wrote to memory of 2332   2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe  30
  PID 2488 wrote to memory of 2332   2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe  30
  PID 2332 wrote to memory of 2944   2332  vbc.exe                                                                  32
  PID 2332 wrote to memory of 2944   2332  vbc.exe                                                                  32
  PID 2332 wrote to memory of 2944   2332  vbc.exe                                                                  32
  PID 2332 wrote to memory of 2944   2332  vbc.exe                                                                  32
  PID 2488 wrote to memory of 2828   2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe  33
  PID 2488 wrote to memory of 2828   2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe  33
  PID 2488 wrote to memory of 2828   2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe  33
  PID 2488 wrote to memory of 2828   2488  0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe  33
Processes

(level 1) C:\Users\Admin\AppData\Local\Temp\0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe"
  PID: 2488
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (level 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\--orvqad.cmdline"
    PID: 2332
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    (level 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7E63.tmp"
      PID: 2944
      - System Location Discovery: System Language Discovery

  (level 2) C:\Users\Admin\AppData\Local\Temp\tmp7DE7.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7DE7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
    PID: 2828
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads