Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-12-2024 13:33

General

  • Target

    8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe

  • Size

    78KB

  • MD5

    f13f1d01a28fbee71a5c6a16f4122970

  • SHA1

    606f92dfd349b012ec54f9912192ee6d4942c857

  • SHA256

    8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d

  • SHA512

    1fc59f8232612d5d3810aab9f0f259ac4de5ee0e72ce1e8b8a27f8ab4da9dae98e69d7fce3baf13a6dee65f3513a20ebcb1882581fab96224d10f5b72fed00e9

  • SSDEEP

    1536:l+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti67Y9/PC1aw8:I5jS7JywQjDgTLopLwdCFJzDY9/E8

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs

    Spawns vbc.exe (the Visual Basic .NET command-line compiler, despite the "VBS" label; it is not the VBScript engine) with a response file in %TEMP% to compile source written to disk at runtime into a new executable.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
    "C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jpbc4_-o.cmdline"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD089.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD088.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2612
    • C:\Users\Admin\AppData\Local\Temp\tmpCFFC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpCFFC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2968
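
The process tree above is the .NET CodeDOM compile-at-runtime pattern: the sample writes a VB.NET source file (jpbc4_-o.0.vb) and a compiler response file (jpbc4_-o.cmdline) to %TEMP%, launches vbc.exe /noconfig @file.cmdline, which in turn runs cvtres.exe to build the resource object (vbcD088.tmp to RESD089.tmp), and then executes the default CodeDOM output name tmpCFFC.tmp.exe, passing the original sample's path as its only argument. The following detection logic is an added example and is not part of the sandbox report. It runs over constructed process-creation records modelled on this tree (the field names follow Sysmon Event ID 1); the build-tool allowlist, the user-writable-path heuristic and the event shape are assumptions for the example, and a benign MSBuild-driven compile is included for contrast.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record; the fields are what Sysmon Event ID 1 reports
    as ProcessId, ParentProcessId, Image and CommandLine."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Assumed allowlist for this example: parents that legitimately drive the
# .NET command-line compilers. Tune it to the estate being monitored.
BUILD_TOOL_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
COMPILERS = {"vbc.exe", "csc.exe"}

# vbc/csc response-file invocation: /noconfig @"path\name.cmdline"
RESPONSE_FILE_RE = re.compile(r'@"?(?P<path>[^"\s]+\.cmdline)"?', re.IGNORECASE)
# Default CodeDOM output when compiling to disk: %TEMP%\tmp<hex>.tmp.exe
CODEDOM_OUTPUT_RE = re.compile(r"\\temp\\tmp[0-9a-f]{1,8}\.tmp\.exe$", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(users|programdata)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_runtime_compilation(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per compiler launch that does not look like a build.

    A finding names the compiler pid, its parent, the reasons it was flagged
    and any sibling process (same parent) whose image is a CodeDOM tmp*.tmp.exe,
    i.e. the parent executing what it just compiled.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in COMPILERS:
            continue
        resp = RESPONSE_FILE_RE.search(ev.cmdline)
        if resp is None or "/noconfig" not in ev.cmdline.lower():
            continue  # not the response-file invocation CodeDOM produces
        parent = by_pid.get(ev.ppid)
        reasons = []
        if parent is None:
            reasons.append("compiler parent not observed in the event set")
        elif basename(parent.image) in BUILD_TOOL_PARENTS:
            continue  # expected build activity, skip
        else:
            reasons.append(f"compiler spawned by non-build-tool parent {basename(parent.image)}")
            if USER_WRITABLE_RE.search(parent.image):
                reasons.append("parent image lives under a user-writable path")
        if "\\temp\\" in resp.group("path").lower():
            reasons.append("response file written to %TEMP%")
        executed = [s for s in events
                    if s.ppid == ev.ppid and s.pid != ev.pid and CODEDOM_OUTPUT_RE.search(s.image)]
        for s in executed:
            reasons.append(f"parent also executed compiled output {basename(s.image)} (pid {s.pid})")
        findings.append({
            "compiler_pid": ev.pid,
            "parent_pid": ev.ppid,
            "executed_output": [s.pid for s in executed],
            "reasons": reasons,
        })
    return findings


# Constructed sample events modelled on the process tree in this report, plus a
# benign MSBuild-driven compile for contrast. Not sandbox output.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe"
FW2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE_EVENTS = [
    ProcEvent(1268, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(400, 1268, FW2 + r"\vbc.exe",
              f'"{FW2}\\vbc.exe" /noconfig @"{TEMP}\\jpbc4_-o.cmdline"'),
    ProcEvent(2612, 400, FW2 + r"\cvtres.exe",
              f'{FW2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:{TEMP}\\RESD089.tmp" "{TEMP}\\vbcD088.tmp"'),
    ProcEvent(2968, 1268, TEMP + r"\tmpCFFC.tmp.exe", f'"{TEMP}\\tmpCFFC.tmp.exe" {SAMPLE}'),
    ProcEvent(3100, 3000, r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe", "MSBuild.exe app.vbproj"),
    ProcEvent(3101, 3100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\src\app\obj\Debug\app.cmdline"'),
]

if __name__ == "__main__":
    for f in find_runtime_compilation(SAMPLE_EVENTS):
        print(f"compiler pid {f['compiler_pid']} under pid {f['parent_pid']}:")
        for r in f["reasons"]:
            print("  -", r)
```

Running the block flags only the chain under PID 1268: vbc.exe launched from a binary in the user's Temp directory with a response file in %TEMP%, and the same parent then executing tmpCFFC.tmp.exe. The MSBuild-driven vbc.exe launch is skipped because its parent is on the allowlist. The same records can be read straight from Sysmon Event ID 1 or a 4688 feed with the command line included; without the command line the response-file and /noconfig checks cannot run and only the parent and sibling heuristics remain.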

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RESD089.tmp

    Filesize

    1KB

    MD5

    51a11225105df3e40445f5eea52a4711

    SHA1

    8a001f3ad1e5a2d60dd9dfcf01ff1a5a1729040f

    SHA256

    62d65f9c9816b67aa8d4d93ca4d3a4c962117ff30b54e72f97f1b1142a76ebcd

    SHA512

    72e417f1c891e10f150cd8eef9ff141bb6afc4be859eba4673bbc7722fb88eb079a73b16db4d21a991904a8e7f86c45a5d6567ae543425df2615cf2d139ae394

  • C:\Users\Admin\AppData\Local\Temp\jpbc4_-o.0.vb

    Filesize

    14KB

    MD5

    3061e82a1b407b189ee8c4fb9340d34e

    SHA1

    61beadfab86c760847a52c5df293c349af507479

    SHA256

    ea29ffa74c74caa5cb5db3120a0f1108c526de6ad8bc8192930d6669a889985f

    SHA512

    bf53af62607ea00ccee36cd61680e22c2c089751c3fdb57e16a60b0d7f71eef9e375bfb341e3cd497a73f57015b822d33b13482a4f5eb1f86e3340ac3477a154

  • C:\Users\Admin\AppData\Local\Temp\jpbc4_-o.cmdline

    Filesize

    266B

    MD5

    4bb913fd365ec3272568c0a93c49e778

    SHA1

    05822ba7407955367a3b9beef7091900477ee1da

    SHA256

    7f07535167a9e1920e75b97ad334a443090eb880c20c5a33d807f509e006a353

    SHA512

    77531ad2a38be35f1963a80f43b4d3d97b0c049ce6200586fdb6ce6440445fa8d3d2ae8641bdf13bab0655ab25158795e0f576039f2240316de566345f8e6a22

  • C:\Users\Admin\AppData\Local\Temp\tmpCFFC.tmp.exe

    Filesize

    78KB

    MD5

    14acd0dbe9bf1d48ac024df8042758d9

    SHA1

    ce47aed682d83233e350f27bc71f170e970ff84e

    SHA256

    c8dd7b55c455e882a768dcf9dfc23a683ea68038de6104838c3830fb0fa779c2

    SHA512

    319d80713fb11ed69a3b80718777ce5015adf3d3e45eed2cb6edc2d9e27831ce75440faaafff18337daeaf931c0da9dacc61517e80380e1b579dca9430bbd0e7

  • C:\Users\Admin\AppData\Local\Temp\vbcD088.tmp

    Filesize

    660B

    MD5

    b784389a7743b992d05c506ba11b9911

    SHA1

    e010d6d9a7b488509009c09ea4def8f61e2b649e

    SHA256

    d98ccab7cc55c0ca956984d174bcfbf43f546a6dc1c371ef8d26739dce2abfd5

    SHA512

    3b8e1bea4a19a208708a0e360fda7acbfa917c54c74baec0087a5fbb2b79899d49696489758dc2a2860b21126e1b9c773f554c85b672c497817c2dfa69d30a1a

  • C:\Users\Admin\AppData\Local\Temp\zCom.resources

    Filesize

    62KB

    MD5

    484967ab9def8ff17dd55476ca137721

    SHA1

    a84012f673fe1ac9041e7827cc3de4b20a1194e2

    SHA256

    9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

    SHA512

    1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

  • memory/400-18-0x0000000074C40000-0x00000000751EB000-memory.dmp

    Filesize

    5.7MB

  • memory/400-8-0x0000000074C40000-0x00000000751EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1268-0-0x0000000074C41000-0x0000000074C42000-memory.dmp

    Filesize

    4KB

  • memory/1268-1-0x0000000074C40000-0x00000000751EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1268-2-0x0000000074C40000-0x00000000751EB000-memory.dmp

    Filesize

    5.7MB

  • memory/1268-24-0x0000000074C40000-0x00000000751EB000-memory.dmp

    Filesize

    5.7MB