ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffc0421deeff7949183a7fbc2e55850b.exe
Size

78KB
MD5

ffc0421deeff7949183a7fbc2e55850b
SHA1

5b888b2bf9e78a7c4c1eababc2446b748278c72c
SHA256

55d9d11da5706ae89bb9891ea49eb9c86b1bc7e253d7bd3cd5d4ce6c28a91a4c
SHA512

c2bb1eb1353ec4903555dac8371ac1740739f5a56976e81c5d6c904047f38c039bd6e302b889278663ddd66f63407f54601ea261919e3155fb8849dc6c35712c
SSDEEP

1536:dHY6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtM9/Q1GI:dHY53Ln7N041QqhgM9/m

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ffc0421deeff7949183a7fbc2e55850b.exe

Deletes itself 1 IoCs

pid	Process
736	tmp6496.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
736	tmp6496.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp6496.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6496.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffc0421deeff7949183a7fbc2e55850b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	ffc0421deeff7949183a7fbc2e55850b.exe
Token: SeDebugPrivilege	736	tmp6496.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 4340	1420	ffc0421deeff7949183a7fbc2e55850b.exe	88
PID 1420 wrote to memory of 4340	1420	ffc0421deeff7949183a7fbc2e55850b.exe	88
PID 1420 wrote to memory of 4340	1420	ffc0421deeff7949183a7fbc2e55850b.exe	88
PID 4340 wrote to memory of 4884	4340	vbc.exe	91
PID 4340 wrote to memory of 4884	4340	vbc.exe	91
PID 4340 wrote to memory of 4884	4340	vbc.exe	91
PID 1420 wrote to memory of 736	1420	ffc0421deeff7949183a7fbc2e55850b.exe	92
PID 1420 wrote to memory of 736	1420	ffc0421deeff7949183a7fbc2e55850b.exe	92
PID 1420 wrote to memory of 736	1420	ffc0421deeff7949183a7fbc2e55850b.exe	92

C:\Users\Admin\AppData\Local\Temp\ffc0421deeff7949183a7fbc2e55850b.exe
"C:\Users\Admin\AppData\Local\Temp\ffc0421deeff7949183a7fbc2e55850b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z8gpcp-9.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65BF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC0DB57C9A64A40D49070D5DB1E78FEC5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4884
- C:\Users\Admin\AppData\Local\Temp\tmp6496.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6496.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ffc0421deeff7949183a7fbc2e55850b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES65BF.tmp

Filesize
1KB

MD5
664560908a6957037e536ae94731f328

SHA1
415d53aa50199895cbcd6a552c0a23e03abce6da

SHA256
afbe5813c4907e2b016c63641426fcde54f5737740892b2405bf94a5469ce5e7

SHA512
627242270b4cbb25b5dfb5773f39aa365b212c52f2e56608bc93af5a575370814657326d67de4f0aa65aaddf61a36a5633895c818b51549ff39d1d78dd18c16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6496.tmp.exe

Filesize
78KB

MD5
8a506ea31f3c98165c5347d17ffe4d5e

SHA1
0b5b0488e10d79f48bdfd9becf4eaec8313457f1

SHA256
355377ee5eaa5bd83f086fe51cb812590a4745358997f08e0ff3442fbc5b35e1

SHA512
13c5763924034da2a378c14381491a73edd2e6d828db1eb8385e17d28c3551a49ca513989317780d4d87184534e8b505173bcadcba2a99fe1d44a941677ba0aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC0DB57C9A64A40D49070D5DB1E78FEC5.TMP

Filesize
660B

MD5
1724394b18fc3ff83a0ce8e4a1970c43

SHA1
9416a335d94d6da27c7cd471f52ea09831794f25

SHA256
43aba9280d60218cf7549cacb634948cbff5690ac9c7cbcf771394701674888d

SHA512
9ba9a0e42f43206a43895860601f46d8a6553e64e9d08bec7b227f9150e5c2305408206d14f53984beaf57033f5d1bbaed7c8ca9c49b5282359c0718b5be7ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\z8gpcp-9.0.vb

Filesize
15KB

MD5
2677c32c44b9d7d81da8e739abd86751

SHA1
f5cbd0a09cd788ef5c2462eba311b8e47f6a31f3

SHA256
ad35e7441dd7a6e362c1611d7eb2044c71d687f6e3dbf7f568e64b48d5d72a69

SHA512
ef044ec0058fe1d5ab9f0cec329d6f36c2fb828079bf9c5a2582fda292b2d5a6b9b7138dad0a2a1329a90b9cda950512c1187f3c8f9c5fe84111b5e17e79e54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\z8gpcp-9.cmdline

Filesize
266B

MD5
f0429e4d642ee8b8df4ec42600044efa

SHA1
2594ab642741e07ab5ac7ee8ac1a4680e8dab1f1

SHA256
1e6ca6857f92cd1618f79727cf88feff8dd3e2fd4b610014faeb79c4580fb28d

SHA512
266b14068e91f6e119487475e7dde40b80049a80d8c49387cef9596cfec64ff57fa3a9c464784f282a4551f7088ec382bfd2d46b1e47aeaf283dae08abe0e3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/736-24-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/736-25-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/736-22-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/736-27-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/736-28-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/736-29-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/1420-2-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/1420-1-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/1420-0-0x0000000074DD2000-0x0000000074DD3000-memory.dmp

Filesize
4KB

Download
memory/1420-23-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/4340-9-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download
memory/4340-18-0x0000000074DD0000-0x0000000075381000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads