e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
100s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c050e8dee0ecfccab6e06491c39fe078.exe
Size

12KB
MD5

c050e8dee0ecfccab6e06491c39fe078
SHA1

39f9f5b7055a11e32f97be97764fcefdb0db7885
SHA256

a69b5776da05eb7c96ed317dfb00e2a677e79b74aaf7544bbe071a4654e97590
SHA512

b632a74947d7d3aa044ff5c4176b4e305293b7f0c8e369920f36c06deffd5ef9b5f209f948d639e73f2619e277a57bbb024af2d9cba6a72957f1ea8c327662d0
SSDEEP

384:LL7li/2z3q2DcEQvdfcJKLTp/NK9xa0y:fDMZQ9c0y

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	c050e8dee0ecfccab6e06491c39fe078.exe

Deletes itself 1 IoCs

pid	Process
3944	tmp78AB.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3944	tmp78AB.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp78AB.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c050e8dee0ecfccab6e06491c39fe078.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	c050e8dee0ecfccab6e06491c39fe078.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4372	4820	c050e8dee0ecfccab6e06491c39fe078.exe	86
PID 4820 wrote to memory of 4372	4820	c050e8dee0ecfccab6e06491c39fe078.exe	86
PID 4820 wrote to memory of 4372	4820	c050e8dee0ecfccab6e06491c39fe078.exe	86
PID 4372 wrote to memory of 4476	4372	vbc.exe	90
PID 4372 wrote to memory of 4476	4372	vbc.exe	90
PID 4372 wrote to memory of 4476	4372	vbc.exe	90
PID 4820 wrote to memory of 3944	4820	c050e8dee0ecfccab6e06491c39fe078.exe	91
PID 4820 wrote to memory of 3944	4820	c050e8dee0ecfccab6e06491c39fe078.exe	91
PID 4820 wrote to memory of 3944	4820	c050e8dee0ecfccab6e06491c39fe078.exe	91

C:\Users\Admin\AppData\Local\Temp\c050e8dee0ecfccab6e06491c39fe078.exe
"C:\Users\Admin\AppData\Local\Temp\c050e8dee0ecfccab6e06491c39fe078.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ecefffus\ecefffus.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7995.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc27A0695DFF2847779F4B5ABB145BA4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4476
- C:\Users\Admin\AppData\Local\Temp\tmp78AB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp78AB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c050e8dee0ecfccab6e06491c39fe078.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
b85143a02f0fc149322a174ab1b5faac

SHA1
55388cd4584266508ff414f17641aec4899d72df

SHA256
155917dae10c3743433172a8541cc100aa96f22552bf5922a383aa43a31f7d02

SHA512
339bed126ff8e868c322accd9d0f5218312faa6e424cd3f30ff13c7c075d7a2d69660c17c930db4f687f68e135a5a3b4f61a96a0d11d3a183b84d5be9bb493e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7995.tmp

Filesize
1KB

MD5
6392ed8091f4e4f1852190eea539c2a0

SHA1
56f3906282f01425d63b0ade1a029c6753ffac19

SHA256
95188af94c0d73a83261bbf6a91900424885d531cf5a545910df647bbcbb5d07

SHA512
ff442582aec2fc873cc74001b1ca6cc78a10a8988e13d866c01fb0f4aa3d2167fb636ce4fb2ebb08d2af260f6777fba52aa98ca0c7ecc175ad36b3fc5e513523

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecefffus\ecefffus.0.vb

Filesize
2KB

MD5
93371bf6918a58e4683a69afa8889b5a

SHA1
1e999003ba61bb31d1538356c53460ff279506da

SHA256
d5ce47d3b0520c10cffbb293dbec60606fde063d06b9fc0af6fe534f6bb83fcd

SHA512
0e9f14b00cc801a2009b02cc8179f2788cf931e14ef2fad02ff5f7162c67e8d17e1a545f4cda60630e83370058bd97f45da35d7e340d282fb91cc299c9a9893b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecefffus\ecefffus.cmdline

Filesize
273B

MD5
4fdada82bba71010e040837756918096

SHA1
fdb35bcd2439f21a4aee00ff0f7259d363774764

SHA256
2cb42abe7a1e932ab3f6e15ecfacb62b239b4a1be81bc367f3a82b29a821e900

SHA512
28d7e46f1cbb8f3cae2a236a1208bc2239e5ae871198f2c2f339839f51493df72d4b0b36f86f5094832aef7a185a936b07a417d222d6867070df71f89aefe0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp78AB.tmp.exe

Filesize
12KB

MD5
8b14e4376bf43ba71fee5ba6b70c6271

SHA1
0b8b125d433bf8dbfb5aaf7cd3cab1d753da639e

SHA256
9987ec1324ead0caaa521e4fa24b3a10598bb84983efb0dac149f4bb0ae1fe57

SHA512
8dbe7c6a7a03e56178dea1a99f6c6d7dd5a93e90cef75bf5cdb47a8a908118a0edab6333642096c44caf3ee1ffaee1001cd68a9922de8a866b6c96898ee84b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc27A0695DFF2847779F4B5ABB145BA4.TMP

Filesize
1KB

MD5
3a64cd59f91e4f4e75b7a168d6379473

SHA1
73456192a76e0adb5c917bebc4b1734014a96396

SHA256
1569e1431cf8d187175f41cccecedb84f9fab64a8a5b349fdc8efe0994eeed4f

SHA512
26f39f482c0fd430e004f3e2c5609384e5a1d25c6f528ec0817ebd65c194aa16c0a7ee1a3b7889ea8e9d33f3ab25eaef1447ab6b85b17d724ac12b0317af7b7c

Download Submit
memory/3944-25-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/3944-26-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/3944-27-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/3944-28-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/3944-30-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4820-0-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/4820-8-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4820-2-0x0000000004B60000-0x0000000004BFC000-memory.dmp

Filesize
624KB

Download
memory/4820-1-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/4820-24-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download