4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f780377dd90d33c8280734d882fc2ac9.exe
Size

12KB
MD5

f780377dd90d33c8280734d882fc2ac9
SHA1

2ca8e1e97f1d9893389ea6f7505fe7c24924b387
SHA256

d44c91defb81890cb0045d3a612485a4db65c1f4e52ce405efa453b8a07229e7
SHA512

ffa397cbe485bef45d52cbe19527bd7e16d5fe3847e80844dbb45fe96effefb8f0c3cfdcfa9d164786a063d6bc74a38c99ec2bab132b3841caaefb72b26be643
SSDEEP

384:SL7li/2zcq2DcEQvdfcJKLTp/NK9xa4f:MYMZQ9c4f

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2332	tmpC14D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2332	tmpC14D.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	f780377dd90d33c8280734d882fc2ac9.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f780377dd90d33c8280734d882fc2ac9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC14D.tmp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	f780377dd90d33c8280734d882fc2ac9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2476	2172	f780377dd90d33c8280734d882fc2ac9.exe	30
PID 2172 wrote to memory of 2476	2172	f780377dd90d33c8280734d882fc2ac9.exe	30
PID 2172 wrote to memory of 2476	2172	f780377dd90d33c8280734d882fc2ac9.exe	30
PID 2172 wrote to memory of 2476	2172	f780377dd90d33c8280734d882fc2ac9.exe	30
PID 2476 wrote to memory of 2600	2476	vbc.exe	32
PID 2476 wrote to memory of 2600	2476	vbc.exe	32
PID 2476 wrote to memory of 2600	2476	vbc.exe	32
PID 2476 wrote to memory of 2600	2476	vbc.exe	32
PID 2172 wrote to memory of 2332	2172	f780377dd90d33c8280734d882fc2ac9.exe	33
PID 2172 wrote to memory of 2332	2172	f780377dd90d33c8280734d882fc2ac9.exe	33
PID 2172 wrote to memory of 2332	2172	f780377dd90d33c8280734d882fc2ac9.exe	33
PID 2172 wrote to memory of 2332	2172	f780377dd90d33c8280734d882fc2ac9.exe	33

C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe
"C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sio3gnyp\sio3gnyp.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2A3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9990A34C2A6F4264BDEDA994364071E4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\tmpC14D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC14D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
5b78b1b7e7cdcd4bef40a4f6f44a0b1b

SHA1
aa63161b9f62f268e65db1b0d7724cb136aebab2

SHA256
4e9204c06e0e0643815972f136571cf6079067c6ce508a72dc3b57e3c2aaa34e

SHA512
d0b68549ce7a6c2f7e4f4ff78a33008d80fc2f7b31c2b5085a5ce9e9c8f4fa35f5ab5932ca4724cdd78659727138b9d7b3225b523cee034ef519a31410e37adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2A3.tmp

Filesize
1KB

MD5
a4b537a9b3c236a3d7b1d85271e5269b

SHA1
42f26f215b5a79f921f3f5faeebe48838f86ac34

SHA256
19cf97bc8f757e247292b70eb37e7ce5ccfd4875a12283b7dfbad484b7ea8ca2

SHA512
b846ba2ff2fcdc1c2dc28dec9900a9197fcd6e8be3798e691ee1466a46684c7c80cfc4820a261a1e8098df8c881ad9c3d0a25b3c6139c0245f7681309323c073

Download Submit
C:\Users\Admin\AppData\Local\Temp\sio3gnyp\sio3gnyp.0.vb

Filesize
2KB

MD5
f208f3afa9e24f8a3a7918eb73df530f

SHA1
15818c1c3da9c8ccf98e26985661dd66f86e204a

SHA256
c01c0987efef812679391a58fe71aba3f124b4e64bf087eb044cf511c086a6aa

SHA512
db1ac29800e6ac399b413ca3c9c31aed5c7a09801c74a954d26df105097df001299c4f95b4a530b407335469e62f53abdb3c0d516364a149a43b964449d8586f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sio3gnyp\sio3gnyp.cmdline

Filesize
273B

MD5
5d0b39df21f0b98a7028d35e40a3563d

SHA1
fd6fd3e96ed187d96d483793a8d9a567ac1ba93d

SHA256
cd45916c672fadc3783a983a3243c19c99b3d8d5b7e81ab1e2df5cd21a694005

SHA512
c8ece542e76c07fb4f28ef1ccc9004fbfa8c3e70e6357db0243fdc64ce134fea4a98847284ce3497c5b13605900a52af44f7adf88e929272888d106a84c8dae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC14D.tmp.exe

Filesize
12KB

MD5
0c7c1d0fa5ede4cd00673c94aa383e6a

SHA1
e1acac0352b0c4c1a6af593194b3766185e16444

SHA256
e1f38b46d860d145cc78d8ff5634b2d1d23eda592d86f93223f951f37b7e16be

SHA512
8c8ab1b08990b9e40da53a05312943bf9d8e74117de4a5dbe1faef45bacb81bf7755da4a0f020bc53ad8902d3dbb87d6fad38a1c5a2820962e551986e905019b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9990A34C2A6F4264BDEDA994364071E4.TMP

Filesize
1KB

MD5
3bf3ea17548883b3a8c25e7538533c3f

SHA1
ec1e4b0765df321d577657166384751adaba21be

SHA256
eb2e42fd23e36fbed74df34812e2fbf09921673de4b0306e88c5f58d690e4831

SHA512
538e363a73b8241f49bbd8ce86a94bab894af30c88cd694fa3dca7f0f745005cc0e06f51b430630f6c903471d64a01336dd2c763016332b1716f38079737cf80

Download Submit
memory/2172-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2172-6-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-24-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2332-23-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download