Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 19:35

General

  • Target
    0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
  • Size
    78KB
  • MD5
    581f9e5c8c590df7968f30199d0eb290
  • SHA1
    f697c1b44cac00f00111d51ae8583940f93b0adc
  • SHA256
    0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41f
  • SHA512
    d369d37f4e5e393bf42c4661636750b0a74965056d02aba0c8346fa85e36da7ae7d13629a4534e519ba50b0c2c1fbdb1d409a0863ea28d5a876c8327c02d5b86
  • SSDEEP
    1536:158Ndy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQty6w9/F91n1:158Yn7N041Qqhg49/z

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
    "C:\Users\Admin\AppData\Local\Temp\0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\--orvqad.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E64.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7E63.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2944
    • C:\Users\Admin\AppData\Local\Temp\tmp7DE7.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp7DE7.tmp.exe" C:\Users\Admin\AppData\Local\Temp\0b0137c7ef073034b27cd73e128e703990d19c702e5be5eb5d418b65101bc41fN.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\--orvqad.0.vb
    Filesize: 14KB
    MD5: 78cb14cc16bbc83eedbb501b2b92e4a0
    SHA1: 4017188de00385f273d8def27dcd62af9aa69f8e
    SHA256: b6352ef632f9548d0b6e3cb1cfe433312e7b271942369cb848d9605636137556
    SHA512: 5b01a323d1931d7d819b5a50e3fb39298de140abec7e449ab7a075e246b969a26cc9c18e92372cf640aca66dc83bab5821274a45a0ad27692947c8c0f03dba84

  • C:\Users\Admin\AppData\Local\Temp\--orvqad.cmdline
    Filesize: 266B
    MD5: 807683157bc9944ca36c4eda9551a144
    SHA1: 765d28a43005fca43e1bd29059dd19a4cd5be69a
    SHA256: a95d22aef33b4d6f009f4db1deaaaa20bf6da0a62c1060f10c56983119e2d0e0
    SHA512: ed974bcd5993829c66560431aeea81f8c19c54f9016fc8c0ac3ceddde19fc6483cf2ca9a23536e6868bb965f53373dd1763534875ab1683eb8815ce6875d7ffb

  • C:\Users\Admin\AppData\Local\Temp\RES7E64.tmp
    Filesize: 1KB
    MD5: 091fe13a8d84a761d48b46833bec5be0
    SHA1: e46d6e354e0a02e9d53be1292d67f7d284eaf8e5
    SHA256: c8f93b7bcdcd6db388b80a571205ed92d677d2d637d3d18a1ec58ae9d187015f
    SHA512: d1530c97c375ebbf44f8e434b1c3dcc8d13172d187820e284319d34fd5421c0db20965eb4204d97ac387f0bc8e9964df50909646ac4e184bec6e2499d70f08ca

  • C:\Users\Admin\AppData\Local\Temp\tmp7DE7.tmp.exe
    Filesize: 78KB
    MD5: b2e87b65aade06e5a44c6675106cf0a4
    SHA1: 01560afc903de113f3d96e65fa594b4bf08aea58
    SHA256: 00ba46f110474dd1ef3d973267ca6b96118bc29984b858229df76805a5a7443a
    SHA512: b7e37a511f4589ce41228ddf0824a204519f5fe76165f2d50f4ae109375d33943dad0b2921195542a4f9beeaef3be54090e4d2ee64c90fdece8e508be5d522de

  • C:\Users\Admin\AppData\Local\Temp\vbc7E63.tmp
    Filesize: 660B
    MD5: 9a210c9d175307f05a5d834e8c22f107
    SHA1: 8d9be67dc7ddd1510204eeffdf97899f603e49c1
    SHA256: be27f3533ffc79e964bbc272d97501716f74a17cc7797cceedc9d2fd480df06b
    SHA512: d60c24cd26bb2b382e6407605545cc983c5270d4a713e4f2b4168d48abccdb577013e0b4744f3e262beb83fae12a0ab72d8dc4681dd8c408da0d4f858c7cff3e

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: aa4bdac8c4e0538ec2bb4b7574c94192
    SHA1: ef76d834232b67b27ebd75708922adea97aeacce
    SHA256: d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
    SHA512: 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

  • memory/2332-8-0x0000000074A00000-0x0000000074FAB000-memory.dmp
    Filesize: 5.7MB

  • memory/2332-18-0x0000000074A00000-0x0000000074FAB000-memory.dmp
    Filesize: 5.7MB

  • memory/2488-0-0x0000000074A01000-0x0000000074A02000-memory.dmp
    Filesize: 4KB

  • memory/2488-1-0x0000000074A00000-0x0000000074FAB000-memory.dmp
    Filesize: 5.7MB

  • memory/2488-2-0x0000000074A00000-0x0000000074FAB000-memory.dmp
    Filesize: 5.7MB

  • memory/2488-24-0x0000000074A00000-0x0000000074FAB000-memory.dmp
    Filesize: 5.7MB