Analysis

max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 05:27

Static task: static1

Behavioral task: behavioral1
Sample: d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Resource: win10v2004-20241007-en
General

Target: d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
Size: 78KB
MD5: 429b87cd41d4e67b43010fbd651e2cd2
SHA1: 8862545b217e67c7a037b2aa1c20e74d85cb8b57
SHA256: d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff
SHA512: 84ed16a0031c02a93b0d188f09619bb0428c7d068af9161c2372b5a9f7b7c34ed784acbb5fdd2ed20ba0510ac87ada68a7e86ef4e500e59edbb19a16c19a09da
SSDEEP: 1536:XuHFo6M3xXT0XRhyRjVf3znOJTv3lcUK/+dWzCP7oYTcSQtRK9/nM1GyG:XuHFon3xSyRxvY3md+dWWZyRK9/nIG
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2648 | tmp84B1.tmp.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShFusRes = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\big5.exe\"" | tmp84B1.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tmp84B1.tmp.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3280 | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
  Token: SeDebugPrivilege | 2648 | tmp84B1.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3280 wrote to memory of 2148 | 3280 | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe | 83
  PID 3280 wrote to memory of 2148 | 3280 | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe | 83
  PID 3280 wrote to memory of 2148 | 3280 | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe | 83
  PID 2148 wrote to memory of 212 | 2148 | vbc.exe | 85
  PID 2148 wrote to memory of 212 | 2148 | vbc.exe | 85
  PID 2148 wrote to memory of 212 | 2148 | vbc.exe | 85
  PID 3280 wrote to memory of 2648 | 3280 | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe | 86
  PID 3280 wrote to memory of 2648 | 3280 | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe | 86
  PID 3280 wrote to memory of 2648 | 3280 | d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe | 86
Processes

1. C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe"
   PID: 3280
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\blxqi-js.cmdline"
      PID: 2148
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8695.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF7C61265E1AF43D2B8A653CFD222E86.TMP"
         PID: 212
         - System Location Discovery: System Language Discovery

   2. C:\Users\Admin\AppData\Local\Temp\tmp84B1.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp84B1.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d34c7381dc2aef35ae5aab9ef182c0ef8c12aa27a278b68c5cddeff42b9a47ff.exe
      PID: 2648
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads