Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2024 02:53

General

  • Target

    cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe

  • Size

    78KB

  • MD5

    c50fecd6605ba752a20c774a20cc37e4

  • SHA1

    a9b6162bc193847b01bde02000a95c76211e9d18

  • SHA256

    cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf

  • SHA512

    bf83caad2b50c6f308b24f7c8dce9d5950b79af82fa647d8f6df2a3f4206be13213b606eaec6c983b8f8d2d0281887c9b3a03f7bc36c8f90c0779922d7bb2eb3

  • SSDEEP

    1536:sj584vZv0kH9gDDtWzYCnJPeoYrGQtC6K9/R18G:4584l0Y9MDYrm7y9/7

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
    "C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ak1olqu-.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9BE.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:264
    • C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1984

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESB9BF.tmp

    Filesize

    1KB

    MD5

    28c3d421f32f5259ce4890a9cd3f65eb

    SHA1

    d33c21eb405e21821c28bb66cdea3156ba5241f9

    SHA256

    4cc2dcb9b7f828dbcbd14df5c130f65624f917b029a96d5d3c37e3cfa54060e0

    SHA512

    c3018c2f3ff916f7593a9123e3d786aff8dc39c93059356f8203ea887ffa184444a96b78ead90fc1fa330201459cc6b874ff85f7c123b547ba315b57c6e7eee6

  • C:\Users\Admin\AppData\Local\Temp\ak1olqu-.0.vb

    Filesize

    14KB

    MD5

    cb312fca98a389e6fa7a0322a7e05d78

    SHA1

    87241bc77409f7e44fc0fd2dc3b8c3559c497bcd

    SHA256

    89c24800a9c3b8b762e80763c0576a92024893e7cbd40e2c73b0a47510399854

    SHA512

    4abf52d41a09f687197478e9fa7d17cb14b4cc7f90b6eaec5e6e5fb47fa03fa393512f0a2425d7f135d3cf846c8f8d1268fa0002bcd33e3388e32720ff06abcc

  • C:\Users\Admin\AppData\Local\Temp\ak1olqu-.cmdline

    Filesize

    266B

    MD5

    2d0c90c628e12d57e129c7688b688149

    SHA1

    40097b33a37ad78b482ee3be6400fb80141d8a8e

    SHA256

    4456e02b2ced378fa011f3d6eeb6cc74e7e4199b46f58a2746f3c998e463c1aa

    SHA512

    43d06edb74c4e09bf7aff92556f40a4f4d359e47fcaadaa3c1bed5fa65757bd7d6d307d88d966b8e75911fb03c4f19f3d9a456ffeaa72099ca3fde8b82d25683

  • C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.exe

    Filesize

    78KB

    MD5

    a581d16e25926f94043d2831d866d105

    SHA1

    cbe6db3a71580871443437ee8cf559802bdcdf56

    SHA256

    226bba414a75f881b09fe1ab2c596afd5a79c09998ab5043e3ca0f546b46a0e0

    SHA512

    50de624be2032a1a934958b6d8777223fa272fc26e11101bfa1482e4e6c261b87fbb7a13e6daa44849c2ce9264fe3c55acbe80a065b85c04d55541acc8cd2ad6

  • C:\Users\Admin\AppData\Local\Temp\vbcB9BE.tmp

    Filesize

    660B

    MD5

    66f0b1ab1b72e1b927c718199eeff102

    SHA1

    3129e07b57b2ff928d64a2c79f733ec79ff309d2

    SHA256

    b6795d3174643ac614f94dd64b62536b2f08bf11c2822ab8c48bba3b2823ccda

    SHA512

    b18d057fb9f12b685859db7c27f3405e0c4abc5a69eb488cddb5a2030e8fcaf31facef495be54bf1a23a1f81b5145f618148e3f97145aecd17db5471f7335a49

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    8b25b4d931908b4c77ce6c3d5b9a2910

    SHA1

    88b65fd9733484c8f8147dad9d0896918c7e37c7

    SHA256

    79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e

    SHA512

    6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d

  • memory/2420-9-0x0000000074680000-0x0000000074C2B000-memory.dmp

    Filesize

    5.7MB

  • memory/2420-18-0x0000000074680000-0x0000000074C2B000-memory.dmp

    Filesize

    5.7MB

  • memory/3048-0-0x0000000074681000-0x0000000074682000-memory.dmp

    Filesize

    4KB

  • memory/3048-1-0x0000000074680000-0x0000000074C2B000-memory.dmp

    Filesize

    5.7MB

  • memory/3048-2-0x0000000074680000-0x0000000074C2B000-memory.dmp

    Filesize

    5.7MB

  • memory/3048-24-0x0000000074680000-0x0000000074C2B000-memory.dmp

    Filesize

    5.7MB