35e26bdbdea45ece8f73ddac192c584868bc55018cd95fcf669695c0f68260d7

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba6f3a4d4330513edec704de64fa9b5.exe
Size

12KB
MD5

fba6f3a4d4330513edec704de64fa9b5
SHA1

19de35a13c98834019e75efc26ba4055d153633a
SHA256

56e5a7de1ecff4ac94a3c8efb0a1592b8df057062996e20bab3312cf32d352ca
SHA512

4b7ab16c957b634da29fc9db68588f6e2ff3824e82a5e154e751e58e2d590b53988464d4a05df8e4e4335dc4a658591446e04eb910caf38c917370a0810ecccd
SSDEEP

384:0L7li/2z5q2DcEQvdacJKLTp/NK9xaZz:iZMIQ9cZz

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2284	tmp530.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	tmp530.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2776	fba6f3a4d4330513edec704de64fa9b5.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fba6f3a4d4330513edec704de64fa9b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp530.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	fba6f3a4d4330513edec704de64fa9b5.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2632	2776	fba6f3a4d4330513edec704de64fa9b5.exe	31
PID 2776 wrote to memory of 2632	2776	fba6f3a4d4330513edec704de64fa9b5.exe	31
PID 2776 wrote to memory of 2632	2776	fba6f3a4d4330513edec704de64fa9b5.exe	31
PID 2776 wrote to memory of 2632	2776	fba6f3a4d4330513edec704de64fa9b5.exe	31
PID 2632 wrote to memory of 2560	2632	vbc.exe	33
PID 2632 wrote to memory of 2560	2632	vbc.exe	33
PID 2632 wrote to memory of 2560	2632	vbc.exe	33
PID 2632 wrote to memory of 2560	2632	vbc.exe	33
PID 2776 wrote to memory of 2284	2776	fba6f3a4d4330513edec704de64fa9b5.exe	34
PID 2776 wrote to memory of 2284	2776	fba6f3a4d4330513edec704de64fa9b5.exe	34
PID 2776 wrote to memory of 2284	2776	fba6f3a4d4330513edec704de64fa9b5.exe	34
PID 2776 wrote to memory of 2284	2776	fba6f3a4d4330513edec704de64fa9b5.exe	34

C:\Users\Admin\AppData\Local\Temp\fba6f3a4d4330513edec704de64fa9b5.exe
"C:\Users\Admin\AppData\Local\Temp\fba6f3a4d4330513edec704de64fa9b5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsx05t3h\qsx05t3h.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES696.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA849ACFBE1464FFB9682FC386911674.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
- C:\Users\Admin\AppData\Local\Temp\tmp530.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp530.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fba6f3a4d4330513edec704de64fa9b5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
72cfea5b9ab0d00615f9193af27751a9

SHA1
d0b99400510e2f4b280c9876047fa389ff660bef

SHA256
9f02c33cc7f6037aadff6820ae87e53c1fd6a362866536d48b0b2f2fcfc840f3

SHA512
a4bf2c20b383e86bdacf8e1cb877bdbc187c70d18dcdef9c4f064485563d108af35a727f72bf7735b7d96801980319e2a606c61d3639fef85033a74988409b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES696.tmp

Filesize
1KB

MD5
101aa1a5c7f252423aa7cb43b937e924

SHA1
b0214a7bf461e8a381aa5d92e31a8dc23e7693fc

SHA256
b9ae20c631650aad48144946d0e69a51fa329d054d110434aa28613e5bf2b69e

SHA512
614fead7f363a303bd9489907ed23ceed26b71bb83b5e340e586e91c0f890bfc7c5aea2a0c296b268f8ea14a84c177abc8df34e04834cbbc8bcab3aaf89bcc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsx05t3h\qsx05t3h.0.vb

Filesize
2KB

MD5
1917ea283c54057cbfc470621710dcea

SHA1
bfcdd3c101e1086d0656e8a3e066df25c6aa4016

SHA256
5c975a00aa6e0f1f1899ea1699f1ade975264098bf433fc549c8944cd2c7ca67

SHA512
c95fb08df95d54738cfeaef974902d3b6e766a0317f8af73ce50393a4b68c426589a5352288edb9bee5dbf8c3fc90f4c15f5362e4bfa5545966bf03dc19c84cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsx05t3h\qsx05t3h.cmdline

Filesize
272B

MD5
a44ef028681e9c1b66f6b6663975a957

SHA1
d3ae3aaa005b31dd2e80a74b5d89de9851fb2aba

SHA256
583a7f72983f50948bb5e52b111158ceb46a83ce35be8d5af1099dae325224fe

SHA512
0fd6b4aa145f063f26db0ba9501ad733ee3ffa6ae0cccb39f115ae825eed5f97c212e2a6744804a9e6404d95f8ad7f23058cc9f97834f91dd9101e062cf649c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp530.tmp.exe

Filesize
12KB

MD5
95b5b6379ee158fa64a778b396b5a227

SHA1
db79fe538911a273d08486b3a5fec4a22d16914f

SHA256
968810ca55d4e451a6a44bad2f42c8cfe323c6a0ebe4f980ba81ac22d899c528

SHA512
364402d948de0e1d92265f90be674e8671370a241bcd0328b376171a382cebb6cceae0930513f5a71deddceddc90ce27f0340ffcd243e7ab8383b783fa0dcbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA849ACFBE1464FFB9682FC386911674.TMP

Filesize
1KB

MD5
a569b85a84e30f5854cc86a3a77c808e

SHA1
d1512bb8a0c1775057ed4b80aa7ad88c401f82f2

SHA256
c525be80e94fdec81d9b2d19dc8ece048aecd37cfdd598297cc824db38845b38

SHA512
6ac50a882ba2c34311a6594a8e0ed8a8be1daa226e84d5c65c9950cbe011246959763cd2b7f88ab75f833badd99b309d4a28b5f6ae93ca4b8fe1904c36ae5133

Download Submit
memory/2284-24-0x0000000000070000-0x000000000007A000-memory.dmp

Filesize
40KB

Download
memory/2776-0-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

Filesize
4KB

Download
memory/2776-1-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/2776-7-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-23-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download