Analysis

max time kernel: 115s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 20:16

Static task: static1

Behavioral task: behavioral1
Sample: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
Resource: win10v2004-20241007-en
General

Target: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
Size: 78KB
MD5: 8f0f177e2be050abd297777be9905860
SHA1: 761debb211dd85f9743bcb0d6e3db7568f51e241
SHA256: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2
SHA512: be23c669011144a8e9fea0282cd39f64e7e4ab0cb4a6751cff32f7b57966f456a5e717807f45f1b306f118a01f26e587ae68eadc8fb3d429e92493d6a9de71b1
SSDEEP: 1536:ctHF3rdELT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQti9/411q4:ctHFbdSE2EwR4uY41HyvYi9/u
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
    Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation
    Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe

Executes dropped EXE (1 IoC)
    PID 1636: tmpAEFD.tmp.exe

Uses the Visual Basic compiler (vbc.exe) for execution (1 TTP)

Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""
    Process: tmpAEFD.tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Process: cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Process: vbc.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Process: cvtres.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Process: tmpAEFD.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege    PID 2292    cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
    Token: SeDebugPrivilege    PID 1636    tmpAEFD.tmp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
    pid    target    process                                                                    procid_target
    2292   2584      cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe    83
    2292   2584      cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe    83
    2292   2584      cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe    83
    2584   3532      vbc.exe                                                                    85
    2584   3532      vbc.exe                                                                    85
    2584   3532      vbc.exe                                                                    85
    2292   1636      cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe    86
    2292   1636      cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe    86
    2292   1636      cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe    86
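The registry and token IoCs above can be re-derived from raw sandbox events with a handful of rules, which is also how you would port them to your own telemetry. The following is an added example (my own code, not the sandbox's signature engine): the event records are constructed to mirror this report's IoC rows, and the field names op, key, data, privilege, pid and image are assumptions, not the sandbox's schema. It goes one step beyond the report by rating the Run-key entry according to where the launched binary lives and by noting the WOW6432Node redirection.

```python
"""Re-derive the registry/token findings from event records.

Added example, not the sandbox's own signature code. Records are constructed
to mirror this report's IoCs; field names are assumed, not the sandbox schema.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE = "cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe"
NLS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed events, one per IoC row in the report.
EVENTS = [
    {"op": "reg_query", "pid": 2292, "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"op": "reg_set", "pid": 1636, "image": "tmpAEFD.tmp.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\sortkey.exe"'},
    {"op": "reg_open", "pid": 2292, "image": SAMPLE, "key": NLS},
    {"op": "reg_open", "pid": 2584, "image": "vbc.exe", "key": NLS},
    {"op": "reg_open", "pid": 3532, "image": "cvtres.exe", "key": NLS},
    {"op": "reg_open", "pid": 1636, "image": "tmpAEFD.tmp.exe", "key": NLS},
    {"op": "token_priv", "pid": 2292, "image": SAMPLE, "privilege": "SeDebugPrivilege"},
    {"op": "token_priv", "pid": 1636, "image": "tmpAEFD.tmp.exe", "privilege": "SeDebugPrivilege"},
]

# Directories a standard user can write to; a Run entry pointing here is far
# more suspicious than one pointing into Program Files.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\([^\\]+)$", re.I)


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str
    pid: int
    image: str
    detail: str


def image_path(data: str) -> str:
    """Executable path from a Run value: either "quoted path" args or path args."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def run_rules(events):
    findings = []
    for e in events:
        key = e.get("key", "").lower()
        if e["op"] == "reg_query" and key.endswith(r"\control panel\international\geo\nation"):
            findings.append(Finding("Checks computer location settings", "medium",
                                    e["pid"], e["image"], "Geo\\Nation queried (possible geofence)"))
        elif e["op"] == "reg_open" and key.endswith(r"\control\nls\language"):
            # Opened by ordinary processes during locale setup too: low on its own.
            findings.append(Finding("System Location Discovery: System Language Discovery", "low",
                                    e["pid"], e["image"], "NLS\\Language opened"))
        elif e["op"] == "reg_set" and (m := RUN_KEY.search(e["key"])):
            path = image_path(e["data"])
            sev = "high" if any(d in path.lower() for d in USER_WRITABLE) else "medium"
            # A 32-bit writer on x64 lands under WOW6432Node through registry redirection.
            wow = " (via WOW6432Node)" if "wow6432node" in key else ""
            findings.append(Finding("Adds Run key to start application", sev, e["pid"], e["image"],
                                    f"value {m.group(2)!r} -> {path}{wow}"))
        elif e["op"] == "token_priv" and e["privilege"] == "SeDebugPrivilege":
            findings.append(Finding("Suspicious use of AdjustPrivilegeToken", "medium",
                                    e["pid"], e["image"], "SeDebugPrivilege enabled"))
    return findings


def summarize(findings):
    """Signature name -> IoC count, as the report's section headers print it."""
    return Counter(f.name for f in findings)


if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f"[{f.severity:6}] {f.name} | pid {f.pid} {f.image} | {f.detail}")
```

NLS\Language is opened by many ordinary processes while they initialise locale data, which is why the compiler and cvtres.exe trip it as well; on its own it is noise, hence the low rating. The actionable IoC is the Run value: a name that imitates a Microsoft component (mscorsvc) pointing at AppData\Local\Temp, written under WOW6432Node, which means the writer was a 32-bit process hitting registry redirection. That is consistent with the 32-bit Framework\v2.0.50727 tool chain and the /MACHINE:IX86 cvtres.exe step in the process tree. Note that the referenced sortkey.exe does not appear by that name anywhere else in this report.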
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe"
    PID: 2292
    Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x-nr4c7b.cmdline"
        PID: 2584
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0B2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7ECE713457CB4AB9922765B1D3CB3446.TMP"
            PID: 3532
            Signatures: System Location Discovery: System Language Discovery

    [depth 2] C:\Users\Admin\AppData\Local\Temp\tmpAEFD.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmpAEFD.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe
        PID: 1636
        Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
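The WriteProcessMemory rows in the Signatures section carry the same parent/child relationships as the process tree above, so the lineage can be rebuilt from them and checked for the patterns that matter here: a compiler started with a response file in Temp, cvtres.exe under that compiler, a Temp-resident executable spawned by another, and a child handed its parent's own path as an argument. This is an added example (my own code, not the sandbox's); the rows and process list are copied from this report, while the record layout and rule names are my own.

```python
"""Rebuild process lineage from the WriteProcessMemory rows and flag the
runtime-compilation chain.

Added example, not the sandbox's own code. The rows and process list are
copied from this report; record layout and rule names are my own.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "cbf67c723b16be8b15eac4792708f2bc30848948733f92e42c89ab875fa95ab2N.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE_PATH = TEMP + "\\" + SAMPLE

# pid -> (image path, command line), as listed under Processes.
PROCESSES = {
    2292: (SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    2584: (FW + r"\vbc.exe", rf'"{FW}\vbc.exe" /noconfig @"{TEMP}\x-nr4c7b.cmdline"'),
    3532: (FW + r"\cvtres.exe", rf'{FW}\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
           rf'"/OUT:{TEMP}\RESB0B2.tmp" "{TEMP}\vbc7ECE713457CB4AB9922765B1D3CB3446.TMP"'),
    1636: (TEMP + r"\tmpAEFD.tmp.exe", rf'"{TEMP}\tmpAEFD.tmp.exe" {SAMPLE_PATH}'),
}

# The nine WriteProcessMemory rows from the Signatures section; the sample
# name is substituted only to keep the lines short.
WPM_ROWS = "\n".join(
    [f"PID 2292 wrote to memory of 2584 2292 {SAMPLE} 83"] * 3
    + ["PID 2584 wrote to memory of 3532 2584 vbc.exe 85"] * 3
    + [f"PID 2292 wrote to memory of 1636 2292 {SAMPLE} 86"] * 3
)

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
COMPILERS = {"vbc.exe", "csc.exe"}


def parse_wpm(text):
    """(writer pid, target pid) -> number of writes."""
    edges = Counter()
    for line in text.splitlines():
        m = ROW.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def lineage(edges):
    """parent pid -> child pids, in first-seen order."""
    tree = defaultdict(list)
    for src, dst in edges:
        tree[src].append(dst)
    return dict(tree)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(edges, procs):
    """(rule, pid) pairs for the lineage patterns worth triaging."""
    ppid = {dst: src for src, dst in edges}
    hits = []
    for pid, (image, cmd) in procs.items():
        name = basename(image)
        parent_image = procs[ppid[pid]][0] if pid in ppid else ""
        # Compiler driven by a response file in Temp: source compiled at run time.
        if name in COMPILERS and re.search(r'@"?[^"]*\.cmdline', cmd, re.I):
            hits.append(("runtime_compile", pid))
        # cvtres.exe under a compiler is the resource step of that compile.
        if name == "cvtres.exe" and basename(parent_image) in COMPILERS:
            hits.append(("compiler_resource_step", pid))
        # Executable in Temp spawned by another executable in Temp.
        if image.lower().startswith(TEMP.lower()) and parent_image.lower().startswith(TEMP.lower()):
            hits.append(("temp_exe_from_temp_exe", pid))
        # Child handed its parent's own path on the command line.
        if parent_image and parent_image.lower() in cmd.lower():
            hits.append(("parent_path_as_argument", pid))
    return hits


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    for parent, kids in lineage(edges).items():
        print(f"{parent} ({basename(PROCESSES[parent][0])}) -> {kids}")
    for rule, pid in analyse(edges, PROCESSES):
        print(f"{rule:26} pid {pid} {basename(PROCESSES[pid][0])}")
```

Two caveats when reading the result. A small, constant number of writes into each child immediately at creation is what an ordinary CreateProcess looks like from a sandbox hook, so the nine rows are evidence of lineage rather than of injection; the lineage is the signal. And the vbc.exe /noconfig @file.cmdline invocation followed by cvtres.exe writing a RES*.tmp is the shape .NET's CodeDOM compile produces when a program compiles source at run time, a pattern loaders commonly use to build a next stage from embedded source; the dropped tmpAEFD.tmp.exe, run with the original sample's path as its argument, is the first candidate for that stage, though this report does not say what it does with that path.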
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 7c734ee622d112f27931e9fb4f1113ac
SHA1: d9a622137851c349a313ec2641ed2b33433bc99f
SHA256: 5ad47c26f29a8c51593ae90ccf14a351e47a32afa649c8b8d656d81327bf71d6
SHA512: c7bc9d6a64b95bbe119fd127b5b9b0a12b3ebf0feac234a3488f90d9ad24ff8ed39d910a6ef9f716d907e5c56b0c1ac018cc32240947165158a07e12d029da45

Filesize: 78KB
MD5: db990364ae08578c7afbaa6b7c46767e
SHA1: c96a111d5917232888fc19165cd6674ab09e3b29
SHA256: af330a7ab96fc00f98c75d250c69de386f0d81c2847fa82a12e7fec48bc778af
SHA512: da1322d3563fd50cd6451f42c28741b32ce835518ff1f30a30252c0e7d8cec77048a5cd9f3b1c001c99c4575ccfb0c594ed8fc45db389ada5522e61e5feecbab

Filesize: 660B
MD5: 66138f53efe4854c004b72df3ee2e0b0
SHA1: da4d7cf294d1d5f7cee8c2580a12bb1f916d107b
SHA256: 47324f11169e829033343d0ae4e2ca58eaa604a7d323c85bc06e28a1f0a2b7cc
SHA512: 23303664ef532733f05635ecf52482756d6e6fc7b4ac4eb595bed8fe9bbfc43d22ec9fbaedea85ac27817421e5b7b688e2af8484a4eb805e60b62ad843ec9166

Filesize: 15KB
MD5: 83f92cf9ea9f94d546bdf49ce5fdba55
SHA1: 6e17d9d56196d32586e5c0060a9ccfade867bf28
SHA256: 9c4fd223e4efdce4be998b7293300bbc0acfc3f5b6b0726c3fa5a31c4cd13a08
SHA512: dbe2237465be28f68d2540af8ecab02b68813fa749a5a84a2fa3550baa897a1bc284ff64072cbc3c6e92cd53a44134f41414996fe344e9f13aba66205052fbde

Filesize: 266B
MD5: 9c00c9554ed7132d8aa1ff0e03943bf4
SHA1: 40135901cda98864f73217a9c53963055bece8bd
SHA256: fcac9254ebb99947de8f24880a75072435e0ec600049c5822d54f9316c37fae4
SHA512: 08fb6038a6d80a72d43c74059bf7b9b0d727adc5b19b3ca827f9e99f786822c5ef30f1565fd4e5084ab10fdc5afaba0f1a3e003385c4d64939c3c8c3e489a453

Filesize: 62KB
MD5: 6870a276e0bed6dd5394d178156ebad0
SHA1: 9b6005e5771bb4afb93a8862b54fe77dc4d203ee
SHA256: 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4
SHA512: 3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809