4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Analysis

max time kernel
140s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6e297800457d823c0597e833d555135.exe
Size

78KB
MD5

f6e297800457d823c0597e833d555135
SHA1

bef99c4a2e1ad4c2c478f156089158cbc624f7d2
SHA256

da2a754ce56ec13af9f429d5dcd20ff88aadc429a1b0a74d68f217f87e31b42f
SHA512

69ae7dc2898887531ef8faa9740d56e6e40af3d0bafca4f2c78e4e4a37a643afa731985d9fbb9792ea61fd61927d043356a418be09b5ad1b48c73aec81af1790
SSDEEP

1536:7V5jSYLT8hn2Ep7WzPdVj6Ju8B3AZ242UdIAkD4x3HT4hPVoYdVQtt6H9/0V1aj:7V5jS+E2EwR4uY41HyvYg9/0g

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2540	tmp2DE.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	f6e297800457d823c0597e833d555135.exe
2656	f6e297800457d823c0597e833d555135.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sortkey.exe\""	tmp2DE.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6e297800457d823c0597e833d555135.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp2DE.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	f6e297800457d823c0597e833d555135.exe
Token: SeDebugPrivilege	2540	tmp2DE.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2708	2656	f6e297800457d823c0597e833d555135.exe	30
PID 2656 wrote to memory of 2708	2656	f6e297800457d823c0597e833d555135.exe	30
PID 2656 wrote to memory of 2708	2656	f6e297800457d823c0597e833d555135.exe	30
PID 2656 wrote to memory of 2708	2656	f6e297800457d823c0597e833d555135.exe	30
PID 2708 wrote to memory of 2672	2708	vbc.exe	32
PID 2708 wrote to memory of 2672	2708	vbc.exe	32
PID 2708 wrote to memory of 2672	2708	vbc.exe	32
PID 2708 wrote to memory of 2672	2708	vbc.exe	32
PID 2656 wrote to memory of 2540	2656	f6e297800457d823c0597e833d555135.exe	33
PID 2656 wrote to memory of 2540	2656	f6e297800457d823c0597e833d555135.exe	33
PID 2656 wrote to memory of 2540	2656	f6e297800457d823c0597e833d555135.exe	33
PID 2656 wrote to memory of 2540	2656	f6e297800457d823c0597e833d555135.exe	33

C:\Users\Admin\AppData\Local\Temp\f6e297800457d823c0597e833d555135.exe
"C:\Users\Admin\AppData\Local\Temp\f6e297800457d823c0597e833d555135.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dnueijon.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
- C:\Users\Admin\AppData\Local\Temp\tmp2DE.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp2DE.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f6e297800457d823c0597e833d555135.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES34C.tmp

Filesize
1KB

MD5
aafa09e63bfec5052d78612d96a6cb11

SHA1
697076a53424c40b12f4c9da804a5711770b4f70

SHA256
0b7017906c0f5a3328b0a7a9e4e5352ae3cd59d7cf7b547111411a08f9a70cf6

SHA512
55f97b5b0d2461cbb2ce7e0a7eab7046396be7120e7bdca3e05e7cb178de36487673b8de586076083a6c2273fc7a582b8ea85e2156af269083cefcd83ef9087f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnueijon.0.vb

Filesize
14KB

MD5
78d048c5811abb46f444b75766da2575

SHA1
82cdbc629256fa3a28967ad6461b204877fb97b0

SHA256
2f4826bf43564bece9f5913faedee088c459372f425508c5463465a9d0bd5d57

SHA512
1a66a799368a718009546fe8798fd99cb71380d39b6bf18515a424a005bee2896ad18e9d087cc58093aeda5230f95123b27919afae25329f55f655d058e7e5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnueijon.cmdline

Filesize
265B

MD5
c31ef903937790cf37622f72505dda69

SHA1
4c701ec140b5de14e25092700dd53b6f58aa233a

SHA256
d9f2da5616f33fd7715ccf17fe5696b155689366acd6b4d53b404cbbac14d69d

SHA512
cf1fc0f571406e2baa86ff2b682e34fea4bb015652843c94fe0fd644e6222eb3496d2633c21485d71225c31009242d8af9021c7f027be62daf5c464e4b599c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2DE.tmp.exe

Filesize
78KB

MD5
a12c5386d8176e3377a88a7a91a5c33f

SHA1
71735d950fbfe7e4dadaf816ed27123a397ff502

SHA256
9474c32acd786eeab6f58f755a211e356b6d1b06a3deaf770df845182ff0434e

SHA512
f88e21565fb73a2f04925192a14ef6024a9cb798381264af256a8c39311b9d2b813d60464b21bde0b879b820f8ea56fa47901c0cd2db0a4d06774796dc446990

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc34B.tmp

Filesize
660B

MD5
de39356a6ea36d7f6e2309f3f800f227

SHA1
dff002adbdb93c3a492e6f9270861a6e21943fdc

SHA256
6389949a3a406a973a454af705be6c64acf3a79a4c63d85fa3bd3e6c7e589ddf

SHA512
1bf30b72b6e3fba381897891070d5ff21cbccc37a702ba25dc81843471934633c6d1c90b3542fd8041c7a0de52bf1371985f6b16e39b5a7283b3efae0f9de828

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
6870a276e0bed6dd5394d178156ebad0

SHA1
9b6005e5771bb4afb93a8862b54fe77dc4d203ee

SHA256
69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4

SHA512
3b6f412d4bdf0939677ab6890a6417da6f737376e13375d2a60871de195aa14344b8340d254b819c850d75a443629cbf26f35533e07aaba9532fdc5284132809

Download Submit
memory/2656-0-0x00000000744E1000-0x00000000744E2000-memory.dmp

Filesize
4KB

Download
memory/2656-2-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-1-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2656-24-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-8-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-18-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads