Analysis
max time kernel: 103s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/01/2025, 09:07
Static task: static1
Behavioral task behavioral1: sample 032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe, resource win10v2004-20241007-en (the run reported below)
General
Target: 032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe
Size: 78KB
MD5: feaf6e3c345c4b6f8a908fcacd81ba50
SHA1: 2a0366ca6c6dea2efd2fe50f6ee14d29a3ad844b
SHA256: 032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758a
SHA512: 08e346e38c006b6a692bcd39df6955f1f05f7190ed34b85e22df455c3da53be72dd4edf92c653c8bf8c9edefa8149231181569f02ca5254f7de38548e93730aa
SSDEEP: 1536:Qmy58QvZv0kH9gDDtWzYCnJPeoYrGQtC67Q9/o1x0:vy58Ql0Y9MDYrm7jQ9/r
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation by 032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe

Executes dropped EXE (1 IoC)
  PID 3176: tmpC7D4.tmp.exe

Uses the VB.NET compiler (vbc.exe) for execution (1 TTP)
  The sandbox labels this signature "VBS compiler"; vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript engine. The sequence in the process tree (vbc.exe /noconfig @<name>.cmdline, then cvtres.exe producing a RES*.tmp resource file, then execution of a freshly written tmp*.tmp.exe from the same Temp directory) is the one the .NET CodeDOM compiler provider produces when a program compiles source at run time, so the dropped tmpC7D4.tmp.exe is consistent with code compiled on the host rather than an executable carried inside the sample unchanged.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft.CSharp.exe\"" by tmpC7D4.tmp.exe
  The value name and target borrow .NET Framework names (PEVerify is a Framework tool, Microsoft.CSharp a Framework assembly), but the target sits in the user's Temp directory, where no legitimate Framework binary lives. No process named Microsoft.CSharp.exe appears in this run's process tree, so the persistence target was written but not observed executing within the 103s window.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe, vbc.exe, cvtres.exe and tmpC7D4.tmp.exe
  Two of the four hits come from the Microsoft compiler binaries the sample launched; those read this key as part of ordinary locale initialisation. Only the reads by the sample and by the dropped executable carry weight as discovery.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege enabled by PID 4716 (032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe)
  Token SeDebugPrivilege enabled by PID 3176 (tmpC7D4.tmp.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4716 (032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe) wrote to memory of PID 2040 (vbc.exe), procid_target 85, 3 entries
  PID 2040 (vbc.exe) wrote to memory of PID 4860 (cvtres.exe), procid_target 87, 3 entries
  PID 4716 (032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe) wrote to memory of PID 3176 (tmpC7D4.tmp.exe), procid_target 88, 3 entries
  Every write here is from a parent into a child it had just created, which ordinary process start-up also produces. On its own this indicator does not show injection into an unrelated process; the compile chain and the Run key are the stronger signals in this report.
Processes
C:\Users\Admin\AppData\Local\Temp\032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe (PID 4716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2040, child of 4716)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0ovl-oxa.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 4860, child of 2040)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61E676479D5048599DF3307121DCDBD.TMP"
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\tmpC7D4.tmp.exe (PID 3176, child of 4716)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmpC7D4.tmp.exe" C:\Users\Admin\AppData\Local\Temp\032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

The dropped executable is started with the path of the original sample as its only argument, and /MACHINE:IX86 on the cvtres.exe call shows the freshly built binary is 32-bit even though the sandbox is x64.
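The chain in this report (a Temp-resident binary driving vbc.exe with a response file, cvtres.exe as the compiler's child, a fresh tmp*.tmp.exe executed from Temp, and a Run value pointing into Temp) maps onto process-creation and registry telemetry directly. The following Python is an added detection sketch, not part of this report or of any sandbox's code. The event records are constructed here in a Sysmon-like shape from the PIDs, paths and registry value in this report; the sample's own parent PID (1234) and the MSBuild/csc.exe control record are assumed, and the technique IDs are ATT&CK's (T1027.004 Compile After Delivery, T1547.001 Registry Run Keys).

```python
import re

# Artefact patterns taken from this report. Windows paths are case-insensitive,
# so every match is too.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DOTNET_COMPILER = re.compile(
    r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\(?:vbc|csc)\.exe$", re.IGNORECASE)
RESPONSE_FILE = re.compile(r'@"?[^"\s]+\.cmdline\b', re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\032280959242085a69a1afc7491f5987fcd3ccc32d2fd324938e090f121f758aN.exe"

# Constructed events (Sysmon EID 1 / EID 13 shape) filled from this report's
# process tree and IoCs. The sample's parent pid 1234 and the MSBuild/csc.exe
# control at the end are assumptions, not observations from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4716, "ppid": 1234, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "process_create", "pid": 2040, "ppid": 4716,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0ovl-oxa.cmdline"'},
    {"type": "process_create", "pid": 4860, "ppid": 2040,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc61E676479D5048599DF3307121DCDBD.TMP"'},
    {"type": "process_create", "pid": 3176, "ppid": 4716,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmpC7D4.tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmpC7D4.tmp.exe" ' + SAMPLE},
    {"type": "registry_set", "pid": 3176,
     "key": r"HKU\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\peverify",
     "value": r'"C:\Users\Admin\AppData\Local\Temp\Microsoft.CSharp.exe"'},
    # Assumed benign control: a build tool driving csc.exe with a response file
    # from outside Temp. It must not fire.
    {"type": "process_create", "pid": 4999, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe",
     "cmdline": r"MSBuild.exe app.csproj"},
    {"type": "process_create", "pid": 5000, "ppid": 4999,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\src\obj\Debug\app.cmdline"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def index_processes(events):
    """pid -> process_create event, so a child's parent image can be looked up."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def ancestry(events, pid):
    """Image basenames from the oldest known ancestor down to pid."""
    procs = index_processes(events)
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """One finding per matched rule: {'technique', 'pid', 'detail'}."""
    procs = index_processes(events)
    findings = []
    for e in events:
        if e["type"] == "process_create":
            parent = procs.get(e["ppid"])
            parent_in_temp = bool(parent and TEMP_DIR.search(parent["image"]))
            # Compile after delivery: a .NET command-line compiler reading a
            # response file on behalf of a binary that lives in the user's Temp.
            if parent_in_temp and DOTNET_COMPILER.search(e["image"]) \
                    and RESPONSE_FILE.search(e["cmdline"]):
                findings.append({"technique": "T1027.004", "pid": e["pid"],
                                 "detail": basename(parent["image"]) + " drove "
                                 + basename(e["image"]) + " with a response file"})
            # Dropped executable: a Temp-resident binary started by another one.
            if parent_in_temp and TEMP_DIR.search(e["image"]):
                findings.append({"technique": "dropped-exe", "pid": e["pid"],
                                 "detail": basename(parent["image"]) + " started "
                                 + basename(e["image"])})
        elif e["type"] == "registry_set":
            # Run-key persistence whose target is in Temp.
            if RUN_KEY.search(e["key"]) and TEMP_DIR.search(e["value"]):
                findings.append({"technique": "T1547.001", "pid": e["pid"],
                                 "detail": "Run value " + basename(e["key"])
                                 + " -> " + e["value"]})
    return findings


if __name__ == "__main__":
    print(" -> ".join(ancestry(SAMPLE_EVENTS, 4860)))
    for f in detect(SAMPLE_EVENTS):
        print(f["technique"], f["pid"], f["detail"])
```

The compiler rule keys on the parent's location rather than on vbc.exe itself, because developer machines and build agents run csc.exe and vbc.exe with @*.cmdline response files all day; the assumed MSBuild control in the sample events stays silent for exactly that reason. The Run-key rule likewise ignores the value name, since the name here (peverify) was chosen to look legitimate, and triggers on the target path instead.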
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 14KB
MD5: 1563da9e8de8f81f23d1094b177bc5f0
SHA1: 0b87dd56f8e1403426339501c2a9abb28a70fa4a
SHA256: 7998dd80362efe600f6512941c4ba86ada3029bc4a8419cff7938d211b897fd0
SHA512: a7c117b708f0dcb32f229f168ce89d9317ff7849520df28790bee85552923113596e54e3829252c50d0df6c1558a094727e251a9fcc3a826b9df57e18014a65f

Filesize: 266B
MD5: 5cd08689e84de6a543ed7b2b263953a1
SHA1: 0b05d5623f2b50b0e9f684be2d3ac5c15dc8893c
SHA256: e1c25da4cc7d9d9e8c6797d2572332d34bf48ac0e5d38de4b183ec04a68b84be
SHA512: e16344f5fd31b1583901925a9fdcd8552bf9c1bfbbf2461af157216cd70e4b8046f0e4d287026df3584963f08aed22820383585e27966c92880a619d18794d97

Filesize: 1KB
MD5: a2ec16f8780361deccf6fe44418ac219
SHA1: 9bf60328990f719e88dbbe5006906798c5a31a78
SHA256: 9980de5092ab230ce08fcf7d72ec0f0e20e09cad10bebd18b11613788f01d075
SHA512: ae863bb1bb5f52655b4ce228dad0beff558d7667324489f33f42703fdc2339e77afd792e3ac06c31f5faff201e79f9d55e4aa04fb2b889efe896628dd5dc8955

Filesize: 78KB (same size as the submitted sample, but a different file: its hashes do not match the sample's)
MD5: ca8c4e6886523bb9070de8af16b681c1
SHA1: 0d337bc35b5f4fda95f04b4e6d53bcdafd8873a1
SHA256: 79d3d0c7287ca6a64654a2b8e61c4b25f8c97933bd63f040d3c40621615c984e
SHA512: e6a24f56d064fc66f39a52d62f39d869b6490bf73f9c70c7afb4c82bbc43a0c2dfe8758a3bcd4e042e272bee2adc52892e3655dd29f3347687ad0bea75b11320

Filesize: 660B
MD5: 93ea9853925580802ebf4b8078cb7f08
SHA1: 24ec2c3d750e09901f78b7c955632ecade377a3c
SHA256: 44c6a62c737d3b84e1dfc93e82e9e47ee7426be0f48f8ed51492216ff9f1a7b0
SHA512: 7d2fa73f49cfc8435334bacd5c749ad757058549e8dfd3c66bf3dc33b98769219a5b23ee579a80aadaea780c57dc7b4cc29414ee5e878d56cfcf31cafbd2c108

Filesize: 62KB
MD5: 8b25b4d931908b4c77ce6c3d5b9a2910
SHA1: 88b65fd9733484c8f8147dad9d0896918c7e37c7
SHA256: 79c261ab6b394ee23ab0fd0af48bcd96f914c6bb88b36b6815b6bbf787ecd56e
SHA512: 6d954066cec5eca118601f2f848f5c9deebe3761ac285c6d45041df22e4bc4e9e2fd98c1aa4fbb6b9c735151bf8d5fffa5acddf7060a4cf3cb7e09271a4a926d