e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
121s
max time network
133s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c050e8dee0ecfccab6e06491c39fe078.exe
Size

12KB
MD5

c050e8dee0ecfccab6e06491c39fe078
SHA1

39f9f5b7055a11e32f97be97764fcefdb0db7885
SHA256

a69b5776da05eb7c96ed317dfb00e2a677e79b74aaf7544bbe071a4654e97590
SHA512

b632a74947d7d3aa044ff5c4176b4e305293b7f0c8e369920f36c06deffd5ef9b5f209f948d639e73f2619e277a57bbb024af2d9cba6a72957f1ea8c327662d0
SSDEEP

384:LL7li/2z3q2DcEQvdfcJKLTp/NK9xa0y:fDMZQ9c0y

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2600	tmp344B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2600	tmp344B.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2524	c050e8dee0ecfccab6e06491c39fe078.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp344B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c050e8dee0ecfccab6e06491c39fe078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	c050e8dee0ecfccab6e06491c39fe078.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2780	2524	c050e8dee0ecfccab6e06491c39fe078.exe	31
PID 2524 wrote to memory of 2780	2524	c050e8dee0ecfccab6e06491c39fe078.exe	31
PID 2524 wrote to memory of 2780	2524	c050e8dee0ecfccab6e06491c39fe078.exe	31
PID 2524 wrote to memory of 2780	2524	c050e8dee0ecfccab6e06491c39fe078.exe	31
PID 2780 wrote to memory of 2856	2780	vbc.exe	33
PID 2780 wrote to memory of 2856	2780	vbc.exe	33
PID 2780 wrote to memory of 2856	2780	vbc.exe	33
PID 2780 wrote to memory of 2856	2780	vbc.exe	33
PID 2524 wrote to memory of 2600	2524	c050e8dee0ecfccab6e06491c39fe078.exe	34
PID 2524 wrote to memory of 2600	2524	c050e8dee0ecfccab6e06491c39fe078.exe	34
PID 2524 wrote to memory of 2600	2524	c050e8dee0ecfccab6e06491c39fe078.exe	34
PID 2524 wrote to memory of 2600	2524	c050e8dee0ecfccab6e06491c39fe078.exe	34

C:\Users\Admin\AppData\Local\Temp\c050e8dee0ecfccab6e06491c39fe078.exe
"C:\Users\Admin\AppData\Local\Temp\c050e8dee0ecfccab6e06491c39fe078.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ll1fobz3\ll1fobz3.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3968.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc43AABC20C78247339315837ABF6F1EF.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Users\Admin\AppData\Local\Temp\tmp344B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp344B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\c050e8dee0ecfccab6e06491c39fe078.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
8e662a4aec2fd8ed42979da1495548ee

SHA1
9829ab6af5e1a9f9e4e952a40f0c70e2b3942e03

SHA256
9460b8c7e70df0f639872ffa4069862b48923375635ade977b15eecaabd5fd81

SHA512
f5c74106b9a80a852907c563cc1bf60f8dad85aac1d94a30acdf498f834ef7c3c8fe98aa35dcfc7f5a23dbb78f874df1185dc3e74eef864dc0bffca90b97866f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3968.tmp

Filesize
1KB

MD5
e2ea65f4d6704c10dcac4a12402724ba

SHA1
bc86897ab3d54a472cbd425f70335d1263b2afb2

SHA256
aeee3f5629b28f848c2267d4e2742a18414788f973c3fbc64e3b0ee98ddcd538

SHA512
9f125f6349446d66d35eb8417d634e8ae88d0070af9c8e2fbc3e1f786de4e6bc5f16f5220b74a2b019db1ef2ee4dd33d7382358069ee33f947f6f715bd7cbbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ll1fobz3\ll1fobz3.0.vb

Filesize
2KB

MD5
7a2518c42db92b29251d4ae95f7be393

SHA1
3cc6950d268159c61b14e91f8f715755752740f8

SHA256
3ce37a1c31547bbd5e357196e9a07482868a146049e43908a9f5846ca1a37e17

SHA512
a46ec01019595223429a69eca2b164ec1ea2d90df535dc8476f712062ddce7ddc62ecd9ebbec47a57021eff238795ae67499725918755de4ddc1b8346523b18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ll1fobz3\ll1fobz3.cmdline

Filesize
273B

MD5
9217e56b1ff6847e6b389fd30c658709

SHA1
813394714c058a3b4539b217aa5838244debe519

SHA256
682377acd454927b97c652ceda915be04357acd85de9440ef3704408a516c404

SHA512
880226410de8fc161f5de124a53c4976f3731bec78d890024855e99d243571ca2d98becae943f5479445829b0fb3b17bb5e75a877df5555abd865757d85068bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp344B.tmp.exe

Filesize
12KB

MD5
c5a7dc179ad83062a27aeb1090686a22

SHA1
844c391f8e0780e2d5b753816fddc36d3d5945b1

SHA256
6ec259a5150a7c13d1f1f6cfa0ded62fea46c0676e6e303fbe9b396a801af55c

SHA512
bdb5b167975752d18f0cbc4cc034455051667e8a3070cc3e6a5ddad376b55c88f7346a9d40f121fe03581f6085e00d65aefd940c8262e5abe2cb4434106bc473

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc43AABC20C78247339315837ABF6F1EF.TMP

Filesize
1KB

MD5
14576facbfef3c8d7f261c5a11de1b51

SHA1
451670e7ee803924901e28c753b2b94eb9ab771e

SHA256
2a66967db10b092def1f73ba84e4c3c0461c4e0ec66dbc9e14835ef33618b370

SHA512
e1d764fae53837e655a1527268f38840a39c76349f4ea09d8cd3ca44460faae20baa7d1e413759dd70e3fa72184de202f4a5c1ecfa72f31f6bafd6540e2f32d5

Download Submit
memory/2524-0-0x000000007445E000-0x000000007445F000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/2524-6-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-24-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-23-0x0000000000F40000-0x0000000000F4A000-memory.dmp

Filesize
40KB

Download