Analysis
  max time kernel: 147s
  max time network: 148s
  platform: windows7_x64
  resource: win7-20241023-en
  resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
  submitted: 06-12-2024 13:33
Static task: static1
Behavioral task: behavioral1
  Sample: 8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
  Resource: win10v2004-20241007-en
General
  Target: 8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
  Size: 78KB
  MD5: f13f1d01a28fbee71a5c6a16f4122970
  SHA1: 606f92dfd349b012ec54f9912192ee6d4942c857
  SHA256: 8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d
  SHA512: 1fc59f8232612d5d3810aab9f0f259ac4de5ee0e72ce1e8b8a27f8ab4da9dae98e69d7fce3baf13a6dee65f3513a20ebcb1882581fab96224d10f5b72fed00e9
  SSDEEP: 1536:l+5jSNpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti67Y9/PC1aw8:I5jS7JywQjDgTLopLwdCFJzDY9/E8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
    PID 2968  tmpCFFC.tmp.exe
- Loads dropped DLL (2 IoCs)
    PID 1268  8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
    PID 1268  8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
- Uses the Visual Basic .NET compiler (vbc.exe) for execution (1 TTP)
    The label in the raw report reads "VBS compiler"; the process tree shows vbc.exe, the VB.NET compiler from the .NET Framework v2.0.50727, not the VBScript engine. The sample compiles source at runtime and runs the result.
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmpCFFC.tmp.exe
    Two of the four hits are Microsoft's own compiler tools (vbc.exe, cvtres.exe) reading the locale key in the normal course of execution, so this signature is low-signal on its own; the runtime-compilation chain and the dropped EXE are the actionable findings.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeDebugPrivilege  PID 1268  8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
    description                      pid   Process                                                                   procid_target
    PID 1268 wrote to memory of 400  1268  8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe  31  (4 events)
    PID 400 wrote to memory of 2612  400   vbc.exe                                                                   33  (4 events)
    PID 1268 wrote to memory of 2968 1268  8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe  34  (4 events)
    procid_target is the report's own process index; the target PID is the one in the description. Every target is a direct child of the writer and the writes occur at that child's start-up; no write into a process outside this tree is recorded, so on their own these events do not show injection into a foreign process.
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe"
      PID 1268
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jpbc4_-o.cmdline"
          PID 400
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD089.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD088.tmp"
              PID 2612
              - System Location Discovery: System Language Discovery
      [2] C:\Users\Admin\AppData\Local\Temp\tmpCFFC.tmp.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\tmpCFFC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe
          PID 2968
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

The tree is the runtime-compilation pattern of a .NET sample: the sample writes a compiler response file (jpbc4_-o.cmdline) to its Temp directory, invokes vbc.exe on it (vbc.exe in turn runs cvtres.exe to embed the resource file), then executes the freshly built tmpCFFC.tmp.exe from Temp, passing its own path as the first argument. A .NET compiler launched by a parent in a user-writable directory, followed by that parent running a tmp*.tmp.exe, is the hunting signature; nothing in a normal build invokes vbc.exe from %TEMP%.
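Detection logic for the chain described above, as an added example that is not part of this sandbox report. The process-creation records are constructed by hand from the report's tree; the pid/ppid/image/cmdline field names are an assumed generic schema rather than a specific EDR or Sysmon format, the sample's parent PID 1000 is assumed (the report does not list it), and the MSBuild-driven build used as the negative control is constructed, not taken from the page.

```python
"""Flag runtime .NET compilation (vbc.exe/csc.exe launched from a user-writable
path) followed by the parent executing a tmp*.tmp.exe it produced.

Added example, not code from the sandbox report. Event schema and the
benign control case are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

COMPILERS = {"vbc.exe", "csc.exe"}   # .NET language compilers shipped with the Framework
# a parent living here has no business invoking a compiler
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.I)
# compiled output executed straight from Temp (tmpCFFC.tmp.exe in the report)
DROPPED_TMP_EXE = re.compile(r"^tmp[0-9a-f]{4}\.tmp\.exe$", re.I)


@dataclass(frozen=True)
class ProcEvent:          # assumed generic process-creation record
    pid: int
    ppid: int
    image: str            # full image path
    cmdline: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def find_runtime_compile_chains(events):
    """Return one finding per compiler process whose parent runs from a
    user-writable directory, with the corroborating steps that follow it."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for comp in events:
        if _name(comp.image) not in COMPILERS:
            continue
        parent = by_pid.get(comp.ppid)
        if parent is None or not USER_WRITABLE.search(parent.image):
            continue
        # cvtres.exe under the compiler is the normal resource-embedding step;
        # it shows a real build happened rather than a stray compiler launch
        cvtres_seen = any(_name(c.image) == "cvtres.exe" and c.ppid == comp.pid
                          for c in events)
        # the payload: the same parent executing a tmp*.tmp.exe from Temp
        dropped = [c for c in events
                   if c.ppid == parent.pid and DROPPED_TMP_EXE.match(_name(c.image))]
        # in the report the dropped EXE receives the parent's own path as argv[1]
        handed_parent_path = any(parent.image.lower() in d.cmdline.lower() for d in dropped)
        findings.append({
            "parent_pid": parent.pid,
            "compiler_pid": comp.pid,
            "compiler": _name(comp.image),
            "cvtres_seen": cvtres_seen,
            "dropped_exe_pids": [d.pid for d in dropped],
            "dropped_exe_given_parent_path": handed_parent_path,
            "severity": "high" if dropped else "medium",
        })
    return findings


# --- constructed events mirroring the report's process tree ------------------
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = TEMP + r"\8465a5829155846b98234a0bf0e79f2351d5ae22c245451e9c7cdff18f05d46d.exe"

REPORT_EVENTS = [
    # ppid 1000 for the sample is an assumption; the report does not list its parent
    ProcEvent(1268, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(400, 1268, FW + r"\vbc.exe",
              '"' + FW + r'\vbc.exe" /noconfig @"' + TEMP + r'\jpbc4_-o.cmdline"'),
    ProcEvent(2612, 400, FW + r"\cvtres.exe",
              FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
              + r'\RESD089.tmp" "' + TEMP + r'\vbcD088.tmp"'),
    ProcEvent(2968, 1268, TEMP + r"\tmpCFFC.tmp.exe",
              '"' + TEMP + r'\tmpCFFC.tmp.exe" ' + SAMPLE),
]

# --- constructed benign build: same compiler chain, launched by MSBuild -------
MSBUILD = r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe"
BENIGN_EVENTS = [
    ProcEvent(5000, 4000, MSBUILD, '"' + MSBUILD + '" app.vbproj'),
    ProcEvent(5001, 5000, FW + r"\vbc.exe", '"' + FW + r'\vbc.exe" /noconfig @"obj\app.cmdline"'),
    ProcEvent(5002, 5001, FW + r"\cvtres.exe", FW + r"\cvtres.exe /NOLOGO"),
]

if __name__ == "__main__":
    for finding in find_runtime_compile_chains(REPORT_EVENTS):
        print(finding)
    print("benign build findings:", find_runtime_compile_chains(BENIGN_EVENTS))
```

The discriminator is the parent's location, not the compiler itself: vbc.exe spawning cvtres.exe is exactly what a legitimate build does, which is why the MSBuild case yields no finding while the report's tree scores "high" because the same parent then executes the tmp*.tmp.exe and hands it its own path.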
Network
MITRE ATT&CK Enterprise v15
Downloads
  Dropped file 1
    Filesize: 1KB
    MD5: 51a11225105df3e40445f5eea52a4711
    SHA1: 8a001f3ad1e5a2d60dd9dfcf01ff1a5a1729040f
    SHA256: 62d65f9c9816b67aa8d4d93ca4d3a4c962117ff30b54e72f97f1b1142a76ebcd
    SHA512: 72e417f1c891e10f150cd8eef9ff141bb6afc4be859eba4673bbc7722fb88eb079a73b16db4d21a991904a8e7f86c45a5d6567ae543425df2615cf2d139ae394
  Dropped file 2
    Filesize: 14KB
    MD5: 3061e82a1b407b189ee8c4fb9340d34e
    SHA1: 61beadfab86c760847a52c5df293c349af507479
    SHA256: ea29ffa74c74caa5cb5db3120a0f1108c526de6ad8bc8192930d6669a889985f
    SHA512: bf53af62607ea00ccee36cd61680e22c2c089751c3fdb57e16a60b0d7f71eef9e375bfb341e3cd497a73f57015b822d33b13482a4f5eb1f86e3340ac3477a154
  Dropped file 3
    Filesize: 266B
    MD5: 4bb913fd365ec3272568c0a93c49e778
    SHA1: 05822ba7407955367a3b9beef7091900477ee1da
    SHA256: 7f07535167a9e1920e75b97ad334a443090eb880c20c5a33d807f509e006a353
    SHA512: 77531ad2a38be35f1963a80f43b4d3d97b0c049ce6200586fdb6ce6440445fa8d3d2ae8641bdf13bab0655ab25158795e0f576039f2240316de566345f8e6a22
  Dropped file 4
    Filesize: 78KB
    MD5: 14acd0dbe9bf1d48ac024df8042758d9
    SHA1: ce47aed682d83233e350f27bc71f170e970ff84e
    SHA256: c8dd7b55c455e882a768dcf9dfc23a683ea68038de6104838c3830fb0fa779c2
    SHA512: 319d80713fb11ed69a3b80718777ce5015adf3d3e45eed2cb6edc2d9e27831ce75440faaafff18337daeaf931c0da9dacc61517e80380e1b579dca9430bbd0e7
  Dropped file 5
    Filesize: 660B
    MD5: b784389a7743b992d05c506ba11b9911
    SHA1: e010d6d9a7b488509009c09ea4def8f61e2b649e
    SHA256: d98ccab7cc55c0ca956984d174bcfbf43f546a6dc1c371ef8d26739dce2abfd5
    SHA512: 3b8e1bea4a19a208708a0e360fda7acbfa917c54c74baec0087a5fbb2b79899d49696489758dc2a2860b21126e1b9c773f554c85b672c497817c2dfa69d30a1a
  Dropped file 6
    Filesize: 62KB
    MD5: 484967ab9def8ff17dd55476ca137721
    SHA1: a84012f673fe1ac9041e7827cc3de4b20a1194e2
    SHA256: 9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b
    SHA512: 1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7
  The report lists no paths for these entries; the 78KB file (entry 4) has different hashes from the submitted 78KB sample, so it is a distinct binary written during the run.