4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Analysis

max time kernel
103s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f780377dd90d33c8280734d882fc2ac9.exe
Size

12KB
MD5

f780377dd90d33c8280734d882fc2ac9
SHA1

2ca8e1e97f1d9893389ea6f7505fe7c24924b387
SHA256

d44c91defb81890cb0045d3a612485a4db65c1f4e52ce405efa453b8a07229e7
SHA512

ffa397cbe485bef45d52cbe19527bd7e16d5fe3847e80844dbb45fe96effefb8f0c3cfdcfa9d164786a063d6bc74a38c99ec2bab132b3841caaefb72b26be643
SSDEEP

384:SL7li/2zcq2DcEQvdfcJKLTp/NK9xa4f:MYMZQ9c4f

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	f780377dd90d33c8280734d882fc2ac9.exe

Deletes itself 1 IoCs

pid	Process
4656	tmp5E6D.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4656	tmp5E6D.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp5E6D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f780377dd90d33c8280734d882fc2ac9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	f780377dd90d33c8280734d882fc2ac9.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 4608	1048	f780377dd90d33c8280734d882fc2ac9.exe	89
PID 1048 wrote to memory of 4608	1048	f780377dd90d33c8280734d882fc2ac9.exe	89
PID 1048 wrote to memory of 4608	1048	f780377dd90d33c8280734d882fc2ac9.exe	89
PID 4608 wrote to memory of 4700	4608	vbc.exe	91
PID 4608 wrote to memory of 4700	4608	vbc.exe	91
PID 4608 wrote to memory of 4700	4608	vbc.exe	91
PID 1048 wrote to memory of 4656	1048	f780377dd90d33c8280734d882fc2ac9.exe	92
PID 1048 wrote to memory of 4656	1048	f780377dd90d33c8280734d882fc2ac9.exe	92
PID 1048 wrote to memory of 4656	1048	f780377dd90d33c8280734d882fc2ac9.exe	92

C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe
"C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cfg0nykm\cfg0nykm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B9A2C7AF49F4528B47678A2CD7B6A27.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4700
- C:\Users\Admin\AppData\Local\Temp\tmp5E6D.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5E6D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
6ea4ffc9fe40b7fedd371a15b1763d9a

SHA1
760b93056e4ab3da2b0aff418f4fd337d614a30a

SHA256
1ca94f18a1bfe87b627d7b152c6976ba4bcac855661e8fb84b2a9e3a7924355e

SHA512
1e643e852abbf4f1fa5c41ceec1e998d449974213c9777a50a855c2f071ee8627dad0c94fefe8ab64b00bd8ec849ff1b2b3b3002026b5dea1014e74d62e41ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp

Filesize
1KB

MD5
50a26931eb2cf5552136f9fb0bc80ba3

SHA1
2fb1172a2e198f3121f61040354620302c828dcb

SHA256
7eed24dfe8c3c7f0cb3ac15e184f9bc01c41244e21ca6ca5553f970e18dbc2ab

SHA512
f872d9f1653f99703b5c7c54378c678f3c8bacbe1115cf27bf76a97567327f455515c0b5f05bee1f0bfe14aeaa11f2a96e9b8de9922c5c8f589c4d488d533361

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfg0nykm\cfg0nykm.0.vb

Filesize
2KB

MD5
96d85ba62108788298fcfbfc728e057f

SHA1
04b8419644a37635904aa173ca519b1e186bf30c

SHA256
fe5a73148c28ddb0e5fa812df006dc2c940463855c7680672d95c1db4c5a068e

SHA512
decdedad91986f966885651f7d4443a72e800c0b0a17fb7fbf938adf807274ef6687c6c68cf3d90c375c8172ecff6621803cfaadbfe87d144ec1ee2f3d5d6e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfg0nykm\cfg0nykm.cmdline

Filesize
273B

MD5
6a1cc91d32ac3f4daf01adb8d8ba1c8b

SHA1
fba4da3f15ba8eaf96f7b004cbcd640267e8bbd1

SHA256
812cb862aba65b2cb954a22ec2bee1362977071229077bbbb0aaf531f76fc1ec

SHA512
e5ddaa8aed2191d63c49fcb4258299a8de555b41d4bdbe39a377be7871bb18fa94bd972ce8b5e20bf207cad9c15ba52d311c36a5ff1b18d36d560b2de1d318e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E6D.tmp.exe

Filesize
12KB

MD5
2fb632b92785c4d1570ebde34d49fb90

SHA1
6cf3e7526214c2650d582690625e2e59556a393a

SHA256
37f065dc09e575bab63cc6385b83e3dadd2ed48744775e6f884d5f9a832bba60

SHA512
8763f33b108d2c7892ec8836d02d21838c250afaec42a9c2b06a5623caf6d3d3d2c2503675a616d129523b887eb5ceef76747711f5fad015227c5120e74a7f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7B9A2C7AF49F4528B47678A2CD7B6A27.TMP

Filesize
1KB

MD5
ae5f265285e68694ee708dfb9e3781d5

SHA1
92ca73b9456e0e813806ade0d614430c106aee3d

SHA256
390f71b1e760db7a4760c44ebed3624b79935cf7f84b7d9adf1c1988e19f56f4

SHA512
50c39885a485a8c80c48be43405cc53bba9037bfdd5345bee1769112a9b4acca4477e9d5c163528fa5e297a3b2311ed8294c833d1347bbd4595d671bb330f4d2

Download Submit
memory/1048-8-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/1048-1-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/1048-0-0x000000007513E000-0x000000007513F000-memory.dmp

Filesize
4KB

Download
memory/1048-24-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/1048-2-0x0000000005360000-0x00000000053FC000-memory.dmp

Filesize
624KB

Download
memory/4656-26-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/4656-25-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download
memory/4656-28-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/4656-27-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/4656-30-0x0000000075130000-0x00000000758E0000-memory.dmp

Filesize
7.7MB

Download