35e26bdbdea45ece8f73ddac192c584868bc55018cd95fcf669695c0f68260d7

Analysis

max time kernel
102s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba6f3a4d4330513edec704de64fa9b5.exe
Size

12KB
MD5

fba6f3a4d4330513edec704de64fa9b5
SHA1

19de35a13c98834019e75efc26ba4055d153633a
SHA256

56e5a7de1ecff4ac94a3c8efb0a1592b8df057062996e20bab3312cf32d352ca
SHA512

4b7ab16c957b634da29fc9db68588f6e2ff3824e82a5e154e751e58e2d590b53988464d4a05df8e4e4335dc4a658591446e04eb910caf38c917370a0810ecccd
SSDEEP

384:0L7li/2z5q2DcEQvdacJKLTp/NK9xaZz:iZMIQ9cZz

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	fba6f3a4d4330513edec704de64fa9b5.exe

Deletes itself 1 IoCs

pid	Process
3460	tmp4C3C.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3460	tmp4C3C.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fba6f3a4d4330513edec704de64fa9b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4C3C.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	fba6f3a4d4330513edec704de64fa9b5.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4832	4416	fba6f3a4d4330513edec704de64fa9b5.exe	92
PID 4416 wrote to memory of 4832	4416	fba6f3a4d4330513edec704de64fa9b5.exe	92
PID 4416 wrote to memory of 4832	4416	fba6f3a4d4330513edec704de64fa9b5.exe	92
PID 4832 wrote to memory of 4932	4832	vbc.exe	94
PID 4832 wrote to memory of 4932	4832	vbc.exe	94
PID 4832 wrote to memory of 4932	4832	vbc.exe	94
PID 4416 wrote to memory of 3460	4416	fba6f3a4d4330513edec704de64fa9b5.exe	95
PID 4416 wrote to memory of 3460	4416	fba6f3a4d4330513edec704de64fa9b5.exe	95
PID 4416 wrote to memory of 3460	4416	fba6f3a4d4330513edec704de64fa9b5.exe	95

C:\Users\Admin\AppData\Local\Temp\fba6f3a4d4330513edec704de64fa9b5.exe
"C:\Users\Admin\AppData\Local\Temp\fba6f3a4d4330513edec704de64fa9b5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xrsr5zlp\xrsr5zlp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D26.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE6F89DA728144AE9FD8D31DE133C53D.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4932
- C:\Users\Admin\AppData\Local\Temp\tmp4C3C.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4C3C.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fba6f3a4d4330513edec704de64fa9b5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
15210095f5e51b3906c35a952adf4f34

SHA1
db24a64ca980bacaf27ac433a6ca10158517c687

SHA256
4f9b289383403695bf11ceb1eb524332372abac476d9ada4424177e27a93ab05

SHA512
31a92760e1d70800d79f802e52076218a01ee5bdb7c1093a687005ec451d08b9b3485f92c53344a89acbcf84d3b5b7030350845140e9c418d18b934befdf8166

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4D26.tmp

Filesize
1KB

MD5
fa977b1298efc057329589f3d3d5e65f

SHA1
d4ae11ae800920772481ae18163d69579a31b3a1

SHA256
f6b5ba6e7d9309fce109186efa452ff464c091322c54fc8245a4b114db8a7098

SHA512
3bd37fc3682112066170d3d261845c9d1f3e48fa8fb85a0750c4811317cd88ebd525ee0b93fd673bf479e8b09848f2fa7e2ebb13b34222a9984e33fc9f50af8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C3C.tmp.exe

Filesize
12KB

MD5
f15d61f36540ac08f790cda23b0316ec

SHA1
d49998d4e673852c9f9280a0b89f8ed0b8ef59ea

SHA256
7e2d0ac869e17851da7d41de39b43998518e85e84420fe3afe9ddbdeddc744f4

SHA512
8a2a526cb6f9b376275e822b5f68f3c2eccfa721505cade740271542aab184b416f5e7b589a79b29f609c53f11b1b04460efac52c017c3ac16d0df896a0cb08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE6F89DA728144AE9FD8D31DE133C53D.TMP

Filesize
1KB

MD5
e0ed091ba41c369865749ae908bb1784

SHA1
5535be2fd4d8d20a4329ba097b83c3389ed85c3d

SHA256
4b5f24552a8bff311d452b49a26e2637f0f00010e540091042cfd9098a67565d

SHA512
cb4efcf3159b124fc602a023704db2509059c96c4e567d381adfbc46c9edd98c9cb161e5672b4cca0734afc4e466e86abf4a48b339ab700ed69350be5d4cf8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrsr5zlp\xrsr5zlp.0.vb

Filesize
2KB

MD5
823ef7aaae1ac87312a7dc9c5c70cbab

SHA1
e90ff193964e4448783f77292c89e681bd27b5a4

SHA256
3729679b8858f9c8b454bd768317bda2f1678bd3d8796a36fafa8c95efd50d17

SHA512
b6bcb9281cadd9f2ed5c45b59eb4a111b444ef7f5d21d6312465682dea67851f29b36b98dd2169c70ad77d1a76df8f038d321225cbe407e64f724a50bd754972

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrsr5zlp\xrsr5zlp.cmdline

Filesize
273B

MD5
b74611dce05bad80548724f61788edc3

SHA1
206706fe327ff32bc03fdf019f54bd6b7a2fd077

SHA256
b04e6583d76136f7e84e2d91763f3b8155fc14cc68b3f2a7a0084729aa9c0206

SHA512
c82ccd867271a94edf21f3e38bd0c843db0529db634e8052785d524490e62b37f03c8a93bb35807ec92d11d3c5af3faf725c3ae5d5dc1c8cbd7c1ca63e79f8ad

Download Submit
memory/3460-25-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/3460-26-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/3460-27-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/3460-28-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/3460-30-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4416-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download
memory/4416-8-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/4416-1-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/4416-2-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/4416-24-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download