Analysis
max time kernel: 149s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2024 02:53
Static task: static1
Behavioral task: behavioral1
  Sample: cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  Resource: win10v2004-20241007-en
General
Target: cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
Size: 78KB
MD5: c50fecd6605ba752a20c774a20cc37e4
SHA1: a9b6162bc193847b01bde02000a95c76211e9d18
SHA256: cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf
SHA512: bf83caad2b50c6f308b24f7c8dce9d5950b79af82fa647d8f6df2a3f4206be13213b606eaec6c983b8f8d2d0281887c9b3a03f7bc36c8f90c0779922d7bb2eb3
SSDEEP: 1536:sj584vZv0kH9gDDtWzYCnJPeoYrGQtC6K9/R18G:4584l0Y9MDYrm7y9/7
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID   Process
  1984  tmpB8F3.tmp.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  3048  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  3048  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe

Uses the VBS compiler for execution (1 TTP)
  Despite the signature name, the binary launched is vbc.exe, the Visual Basic .NET command-line compiler from the v2.0.50727 framework directory, not a VBScript engine. It is invoked with /noconfig and a generated @response file (ak1olqu-.cmdline) in the user's Temp directory, so code is compiled on the victim host at run time. The cvtres.exe child, which the compiler spawns to convert Win32 resources into a linkable object, shows that the compile actually completed rather than failing early.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by tmpB8F3.tmp.exe:
    \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\peverify
    = "C:\Users\Admin\AppData\Local\Temp\Microsoft.CSharp.exe"  (the quotes are part of the stored value)
  The value name (peverify) and the target file name (Microsoft.CSharp.exe) borrow the names of legitimate .NET Framework components, the PEVerify tool and the Microsoft.CSharp assembly, while the target itself lives in the user's Temp directory rather than under Windows or Program Files. A Run value pointing into %TEMP% is the actionable indicator here, independent of the borrowed names.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Description  IoC                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpB8F3.tmp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Two of the four hits come from vbc.exe and cvtres.exe, Microsoft tooling performing its ordinary locale lookup; only the reads by the sample and by tmpB8F3.tmp.exe should be weighed as the sample's own behaviour.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description              PID   Process
  Token: SeDebugPrivilege  3048  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  Token: SeDebugPrivilege  1984  tmpB8F3.tmp.exe

Suspicious use of WriteProcessMemory (12 IoCs; each row was recorded four times)
  Description                        PID   Process                                                                 procid_target
  PID 3048 wrote to memory of 2420   3048  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe  30
  PID 2420 wrote to memory of 264    2420  vbc.exe                                                                 32
  PID 3048 wrote to memory of 1984   3048  cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe  33
  Every write targets a process that the writer itself spawned (compare the process tree below), which is the footprint of process creation, not of injection into an unrelated process.
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe"
  PID: 3048
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ak1olqu-.cmdline"
    PID: 2420
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB9BE.tmp"
      PID: 264
      - System Location Discovery: System Language Discovery

  (depth 2) C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpB8F3.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe
    PID: 1984
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
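The process tree and the Signatures above together describe a pattern worth encoding as detection logic instead of relying on the sandbox label: a binary running from the user's Temp directory invokes the .NET Framework compiler vbc.exe with an @response file that also lives in Temp (cvtres.exe appearing as the compiler's child confirms a completed compile), and a dropped executable then registers a Run value whose target is yet another file in Temp. The Python below is an added example written for this page; it is not code from the sandbox or from the sample. The event records are constructed from the PIDs, command lines and registry path shown above, a benign MSBuild/csc.exe chain and a Program Files Run key are added as controls, and the record layout (pid, ppid, image, cmdline / key, value) and the rule names are assumptions of this example rather than any real sandbox or EDR schema.

```python
"""Detection logic for the behaviour chain in the report above.

Added example, not code from the sandbox report or the sample. The event
records are constructed from the process tree and the Run-key IoC on the
page; the record layout and rule names are this example's own assumptions.
"""
import re

COMPILERS = {"vbc.exe", "csc.exe"}
# Parents that legitimately drive the compilers with @response files.
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData|Windows\\Temp)(\\|$)",
    re.I)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_runtime_compilation(process_events):
    """Flag vbc.exe/csc.exe whose response file or parent lives in a user-writable
    directory and whose parent is not a known build tool. A cvtres.exe child is
    recorded as corroboration: the compiler spawns it to embed resources, so its
    presence means the compile ran to completion."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        if basename(e["image"]) not in COMPILERS:
            continue
        parent = by_pid.get(e["ppid"], {"image": ""})
        if basename(parent["image"]) in BUILD_TOOLS:
            continue
        rsp = RESPONSE_FILE.search(e["cmdline"])
        rsp_in_temp = bool(rsp and USER_WRITABLE.search(rsp.group(1)))
        parent_in_temp = bool(USER_WRITABLE.search(parent["image"]))
        if not (rsp_in_temp or parent_in_temp):
            continue
        children = {basename(c["image"]) for c in process_events if c["ppid"] == e["pid"]}
        findings.append({
            "rule": "runtime_compilation",
            "pid": e["pid"],
            "parent_pid": e["ppid"],
            "compiler": basename(e["image"]),
            "response_file": rsp.group(1) if rsp else None,
            "spawned_cvtres": "cvtres.exe" in children,
        })
    return findings


def find_temp_run_keys(registry_events):
    """Flag Run/RunOnce values whose target sits in a user-writable directory,
    as the 'peverify' value written by tmpB8F3.tmp.exe does."""
    findings = []
    for e in registry_events:
        m = RUN_KEY.search(e["key"])
        if not m:
            continue
        target = e["value"].strip().strip('"')
        if USER_WRITABLE.search(target):
            findings.append({"rule": "temp_run_key", "pid": e["pid"],
                             "value_name": m.group(2), "target": target})
    return findings


def analyze(process_events, registry_events):
    return find_runtime_compilation(process_events) + find_temp_run_keys(registry_events)


# Constructed from the report's process tree (PIDs and command lines as shown on the page).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cf74711701c46a24b292f2c15ae0a8a0b5869d1cbc11a2b68bf1f2620caf6faf.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
REPORT_PROCESSES = [
    {"pid": 3048, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2420, "ppid": 3048, "image": NET20 + r"\vbc.exe",
     "cmdline": f'"{NET20}\\vbc.exe" /noconfig @"{TEMP}\\ak1olqu-.cmdline"'},
    {"pid": 264, "ppid": 2420, "image": NET20 + r"\cvtres.exe",
     "cmdline": f'{NET20}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                f'"/OUT:{TEMP}\\RESB9BF.tmp" "{TEMP}\\vbcB9BE.tmp"'},
    {"pid": 1984, "ppid": 3048, "image": TEMP + r"\tmpB8F3.tmp.exe",
     "cmdline": f'"{TEMP}\\tmpB8F3.tmp.exe" {SAMPLE}'},
]
# Constructed from the "Adds Run key" IoC; the SID is the one shown in the report.
REPORT_REGISTRY = [
    {"pid": 1984,
     "key": r"\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\peverify",
     "value": f'"{TEMP}\\Microsoft.CSharp.exe"'},
]
# Constructed benign controls: MSBuild driving csc.exe, and a Run key into Program Files.
BENIGN_PROCESSES = [
    {"pid": 500, "ppid": 1, "image": r"C:\Program Files\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": "MSBuild.exe App.csproj"},
    {"pid": 501, "ppid": 500, "image": r"C:\Program Files\dotnet\sdk\Roslyn\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\src\App\obj\Debug\App.rsp"'},
]
BENIGN_REGISTRY = [
    {"pid": 600, "key": r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe"'},
]

if __name__ == "__main__":
    for finding in analyze(REPORT_PROCESSES, REPORT_REGISTRY):
        print(finding)
```

Run as a script, the module prints two findings for the report's events (the vbc.exe compile under PID 3048 with cvtres.exe corroboration, and the peverify Run value targeting Temp) and none for the controls. The build-tool parent exclusion is what keeps developer workstations quiet; on a fleet with no .NET development, drop the exclusion and treat any vbc.exe or csc.exe launch with a Temp-resident response file as a high-fidelity alert.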
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 28c3d421f32f5259ce4890a9cd3f65eb
SHA1: d33c21eb405e21821c28bb66cdea3156ba5241f9
SHA256: 4cc2dcb9b7f828dbcbd14df5c130f65624f917b029a96d5d3c37e3cfa54060e0
SHA512: c3018c2f3ff916f7593a9123e3d786aff8dc39c93059356f8203ea887ffa184444a96b78ead90fc1fa330201459cc6b874ff85f7c123b547ba315b57c6e7eee6

Filesize: 14KB
MD5: cb312fca98a389e6fa7a0322a7e05d78
SHA1: 87241bc77409f7e44fc0fd2dc3b8c3559c497bcd
SHA256: 89c24800a9c3b8b762e80763c0576a92024893e7cbd40e2c73b0a47510399854
SHA512: 4abf52d41a09f687197478e9fa7d17cb14b4cc7f90b6eaec5e6e5fb47fa03fa393512f0a2425d7f135d3cf846c8f8d1268fa0002bcd33e3388e32720ff06abcc

Filesize: 266B
MD5: 2d0c90c628e12d57e129c7688b688149
SHA1: 40097b33a37ad78b482ee3be6400fb80141d8a8e
SHA256: 4456e02b2ced378fa011f3d6eeb6cc74e7e4199b46f58a2746f3c998e463c1aa
SHA512: 43d06edb74c4e09bf7aff92556f40a4f4d359e47fcaadaa3c1bed5fa65757bd7d6d307d88d966b8e75911fb03c4f19f3d9a456ffeaa72099ca3fde8b82d25683

Filesize: 78KB
MD5: a581d16e25926f94043d2831d866d105
SHA1: cbe6db3a71580871443437ee8cf559802bdcdf56
SHA256: 226bba414a75f881b09fe1ab2c596afd5a79c09998ab5043e3ca0f546b46a0e0
SHA512: 50de624be2032a1a934958b6d8777223fa272fc26e11101bfa1482e4e6c261b87fbb7a13e6daa44849c2ce9264fe3c55acbe80a065b85c04d55541acc8cd2ad6

Filesize: 660B
MD5: 66f0b1ab1b72e1b927c718199eeff102
SHA1: 3129e07b57b2ff928d64a2c79f733ec79ff309d2
SHA256: b6795d3174643ac614f94dd64b62536b2f08bf11c2822ab8c48bba3b2823ccda
SHA512: b18d057fb9f12b685859db7c27f3405e0c4abc5a69eb488cddb5a2030e8fcaf31facef495be54bf1a23a1f81b5145f618148e3f97145aecd17db5471f7335a49

Filesize: 62KB
MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d