35e26bdbdea45ece8f73ddac192c584868bc55018cd95fcf669695c0f68260d7

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fab98623ff825ef3c56bf150ac25d34d.exe
Size

78KB
MD5

fab98623ff825ef3c56bf150ac25d34d
SHA1

0aacdb9038e7cc75c3ab5f1e372443fd14169034
SHA256

b390dbd5fb779b5cd769c4ff27bcb90b10b4516578ef184f0030008ad4413610
SHA512

203052dfd4463b61374e0c7407fc3399198ed1a33ef89a22f85be41435a10b670128038ab16822eafc212841685eee27d7cf12c7bedea4948f01be021c5d6bff
SSDEEP

1536:4V5jS9dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6r9/615A:4V5jSon7N041QqhgE9/l

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2288	tmp9434.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	fab98623ff825ef3c56bf150ac25d34d.exe
2532	fab98623ff825ef3c56bf150ac25d34d.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp9434.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp9434.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fab98623ff825ef3c56bf150ac25d34d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	fab98623ff825ef3c56bf150ac25d34d.exe
Token: SeDebugPrivilege	2288	tmp9434.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1180	2532	fab98623ff825ef3c56bf150ac25d34d.exe	30
PID 2532 wrote to memory of 1180	2532	fab98623ff825ef3c56bf150ac25d34d.exe	30
PID 2532 wrote to memory of 1180	2532	fab98623ff825ef3c56bf150ac25d34d.exe	30
PID 2532 wrote to memory of 1180	2532	fab98623ff825ef3c56bf150ac25d34d.exe	30
PID 1180 wrote to memory of 2712	1180	vbc.exe	32
PID 1180 wrote to memory of 2712	1180	vbc.exe	32
PID 1180 wrote to memory of 2712	1180	vbc.exe	32
PID 1180 wrote to memory of 2712	1180	vbc.exe	32
PID 2532 wrote to memory of 2288	2532	fab98623ff825ef3c56bf150ac25d34d.exe	33
PID 2532 wrote to memory of 2288	2532	fab98623ff825ef3c56bf150ac25d34d.exe	33
PID 2532 wrote to memory of 2288	2532	fab98623ff825ef3c56bf150ac25d34d.exe	33
PID 2532 wrote to memory of 2288	2532	fab98623ff825ef3c56bf150ac25d34d.exe	33

C:\Users\Admin\AppData\Local\Temp\fab98623ff825ef3c56bf150ac25d34d.exe
"C:\Users\Admin\AppData\Local\Temp\fab98623ff825ef3c56bf150ac25d34d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-npymwar.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94C1.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- C:\Users\Admin\AppData\Local\Temp\tmp9434.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9434.tmp.exe" C:\Users\Admin\AppData\Local\Temp\fab98623ff825ef3c56bf150ac25d34d.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-npymwar.0.vb

Filesize
14KB

MD5
703da0d47f5027ccfc1f7f370acbdf36

SHA1
617476cbc7790091aa50cf5e4ca813eabb4b4a54

SHA256
1594d1fdde21a75c2011864cfa9543ac01699a19c1d37391d65897e425c6e583

SHA512
6eb794e92ff70c8beeee0c58c9700e5ccbfb7a436eb3632b904e040dbbe5a377143fbed598f8ec276fdb6f93cb5b1071446d39d785f07b4a33ba28e900b6e442

Download Submit
C:\Users\Admin\AppData\Local\Temp\-npymwar.cmdline

Filesize
266B

MD5
726bd75a5b96cfcebfa5c590f36e9db4

SHA1
1f26e49a53c5db7699c9e450500281ca4c9e5e0e

SHA256
9c8f7ed1e7ab7b139ac6c984109f7aefaa549bfad6f0c80c6a6d99393124eb3a

SHA512
d5831ca8d2236d8655641d957abc8ab14278b5ce138915c8e0c1ab96fab7e298d211481aa21900f552dbabe46637e12a1d48e7dfebbdf1f67c80c44301ee74d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES94C2.tmp

Filesize
1KB

MD5
5f7030920d57eb065af3544179e33d73

SHA1
465046837f98fa6ba830e8343b695518750150ab

SHA256
8b19303faaa7a509c9a997b91f43f9e0edfd0e56bb09909a1e32f5ea6ca7e28c

SHA512
b29063cf15ac51aed4f9c3bfa6731a30d070349dd25cf60bc7515498e025db643740a485adc43ee744efb0fcd7bb45d1caee6cb772d79e4a2b82afe894f0baf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9434.tmp.exe

Filesize
78KB

MD5
94fd0b0ea6176f9dad3c3fe29e4b676b

SHA1
1d90063eb75e31199dcf2abbbd9e53de5d67a23e

SHA256
27df9d231733d81d311c4cd7b06f13d2ca1e90dd88dae6fb9043d377ec51c975

SHA512
c40736dba929d70ca1fe6cfea408c4a633055ec11bc5ccdabf1e032a167ffb432c5ebfff1ab9a7f319bd0458aa6b713615e182b28f083049d55f7c364a385fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc94C1.tmp

Filesize
660B

MD5
ec3d91c5fac55256cf82bef967d78b94

SHA1
78a03a0d0f53a75f96ccd3bf0aa60fa4184377b7

SHA256
6c99e6e6a1f7f2c52b127ac531726797bc58733115d7ab3ff949fa8c8f5eab30

SHA512
90c407e0a668ad683121870e051231bc671d502fcddb9fc9ee0b95ff759664b1868084daaa1d6f0f9ad1439c8965f19a673c91f35f12caf8b2dd811ec791b95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1180-8-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1180-18-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-0-0x0000000074631000-0x0000000074632000-memory.dmp

Filesize
4KB

Download
memory/2532-1-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-2-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-24-0x0000000074630000-0x0000000074BDB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads