Analysis

  • max time kernel: 139s
  • max time network: 150s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 04-12-2024 06:48

General

  • Target: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
  • Size: 78KB
  • MD5: 7afe3e8926bce1c2bc8a5b17ab2694a4
  • SHA1: 71e7cb335cbf7285da9153aaa019417522240c75
  • SHA256: d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc
  • SHA512: c52202fed5e14f32745fa2a21d3f4a480347203dc4dc10dc47d03874d5a27ddc4e74a5cc997cc7723588b5461bdb499768b9eefc96102491e4a42564a146b448
  • SSDEEP: 1536:CsHHuaJtVpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQtkB9//1CYE:CsH/3DJywQjDgTLopLwdCFJzkB9/dE

Score: 7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
    "C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uwye-7km.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7D4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA7D3.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3060
    • C:\Users\Admin\AppData\Local\Temp\tmpA63E.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpA63E.tmp.exe" C:\Users\Admin\AppData\Local\Temp\d49c59859d9781d9e2cb3fea98b0545db19de3bb10816becae015a67686adedc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESA7D4.tmp
    Filesize: 1KB
    MD5: 59fba37adb4ab9f65f56f2967a14c555
    SHA1: 05a13f3c64577bce1b42e1451f1d1459b252dabb
    SHA256: 37714771fdd2082875448fd17e4f0223d99f54479e2d9750b43e322be4014561
    SHA512: 19dc09f95cbfa90592aa57e233c3bd1f14e1d88f5de97ce3e00068f3006c41f06533ead83409448c0ed8d06203e6d087aac4c7c516da9cded077286b0f0dd8da

  • C:\Users\Admin\AppData\Local\Temp\tmpA63E.tmp.exe
    Filesize: 78KB
    MD5: 60693294332564296e48c02810253b36
    SHA1: a61c5d29d7644f1ab778a7eae1434214ed81273b
    SHA256: e7acf6374ad760b434fb1774d6b25a6fbb44826055d8a118d39fddc9264be2aa
    SHA512: e5c96f0b463beb150a758d857499a5ffef79c1141cc8a03d5dcfe3f7b4e19661a56659ee16de2b5a6b857ddbb9c67a74a9356e76b67941ec7f32e0a4f8c0ac22

  • C:\Users\Admin\AppData\Local\Temp\uwye-7km.0.vb
    Filesize: 15KB
    MD5: f240dcf657416506324f98838d25ed69
    SHA1: 19bc162d11d9db22ee817ed19254c0264a661e32
    SHA256: 3fcde790217f891cfa058100b272e462d1139b70d47f140dd75795c303ee305a
    SHA512: 86070e49f228cbf5294896568570a13d7c815fd541cc0d1b2285c0a1fe54e95697514b6497548c7e8832d79f760b0635792c1dfa630ce0030eccdad9e4b3bb97

  • C:\Users\Admin\AppData\Local\Temp\uwye-7km.cmdline
    Filesize: 266B
    MD5: ee480ac40f1f185cae9120e7d6be7969
    SHA1: e37b05f8acab9b82978023135aabda43cdb204e3
    SHA256: 36c5eb9e74d3b57eec587139877b07b078fc9eb6a89fa18fa3cf3dce1145dfa2
    SHA512: 64657551a62f234f094a989e1162d19ec67985da60289749c8a05ff4378b2b37f175418e62b6776b512c99643019839f27249c6e6f395329762dd0d49fa68085

  • C:\Users\Admin\AppData\Local\Temp\vbcA7D3.tmp
    Filesize: 660B
    MD5: 83fb22a275fbeaa6d38021910056c83b
    SHA1: ea8928c610cde69325aed04ce190d0ab195b8db8
    SHA256: deb5ca191fe1e8821271b0982ca69dcec3ddb58d63c25d4765f8cead9ea98157
    SHA512: 79c85f5a88a1b482d68632f37133849f702dd25307d503333e77a716b58b0a190f6dbeffb42723bbff23bfa0dd7c371a386876904e0195e47fe330568b70ba38

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources
    Filesize: 62KB
    MD5: 484967ab9def8ff17dd55476ca137721
    SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
    SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
    SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/1984-0-0x00000000749E1000-0x00000000749E2000-memory.dmp
    Filesize: 4KB
  • memory/1984-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp
    Filesize: 5.7MB
  • memory/1984-2-0x00000000749E0000-0x0000000074F8B000-memory.dmp
    Filesize: 5.7MB
  • memory/1984-24-0x00000000749E0000-0x0000000074F8B000-memory.dmp
    Filesize: 5.7MB
  • memory/2512-8-0x00000000749E0000-0x0000000074F8B000-memory.dmp
    Filesize: 5.7MB
  • memory/2512-18-0x00000000749E0000-0x0000000074F8B000-memory.dmp
    Filesize: 5.7MB