5b1a883fc342ab1654912c119190f04771ae47477f1a006b932150129675134c

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38e8b4b1294e5d3ddacd9be4727487cf.exe
Size

78KB
MD5

38e8b4b1294e5d3ddacd9be4727487cf
SHA1

40c172c9c1986d88f4d06c9a2442b395b4d20272
SHA256

2507c5df7551477aaab6eaf7c07ea04f3989dd052986bd4a4b17f9e947f524b3
SHA512

b6da35f3673f9070d2a909a955817927bf4394d00016f2a09e023e9363a289099813bc0f905836ecfe89797fc6b2708707b2c81761fc87d79ea162ce03cbfd34
SSDEEP

1536:3WV5jS/dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQt9629/e1y3:3WV5jSen7N041QqhgN9/7

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	38e8b4b1294e5d3ddacd9be4727487cf.exe

Executes dropped EXE 1 IoCs

pid	Process
4588	tmp53EC.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp53EC.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38e8b4b1294e5d3ddacd9be4727487cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp53EC.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	38e8b4b1294e5d3ddacd9be4727487cf.exe
Token: SeDebugPrivilege	4588	tmp53EC.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 3036	2936	38e8b4b1294e5d3ddacd9be4727487cf.exe	89
PID 2936 wrote to memory of 3036	2936	38e8b4b1294e5d3ddacd9be4727487cf.exe	89
PID 2936 wrote to memory of 3036	2936	38e8b4b1294e5d3ddacd9be4727487cf.exe	89
PID 3036 wrote to memory of 4484	3036	vbc.exe	91
PID 3036 wrote to memory of 4484	3036	vbc.exe	91
PID 3036 wrote to memory of 4484	3036	vbc.exe	91
PID 2936 wrote to memory of 4588	2936	38e8b4b1294e5d3ddacd9be4727487cf.exe	92
PID 2936 wrote to memory of 4588	2936	38e8b4b1294e5d3ddacd9be4727487cf.exe	92
PID 2936 wrote to memory of 4588	2936	38e8b4b1294e5d3ddacd9be4727487cf.exe	92

C:\Users\Admin\AppData\Local\Temp\38e8b4b1294e5d3ddacd9be4727487cf.exe
"C:\Users\Admin\AppData\Local\Temp\38e8b4b1294e5d3ddacd9be4727487cf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_sv-buoh.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5563.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc30EC166C3F56488CADA184279073A02F.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
- C:\Users\Admin\AppData\Local\Temp\tmp53EC.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp53EC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\38e8b4b1294e5d3ddacd9be4727487cf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5563.tmp

Filesize
1KB

MD5
4db9af90d291f96e944196b45b68f246

SHA1
3e2dc54fc03973208915a88b040933532d055f0a

SHA256
07321d1b0e0dc05614d07d2f9cbe7731dd5c78d0c39b9c753c3bac677820dbe0

SHA512
cd945fbd7bf5810c7219cf135a0a78d076781b534f75349c7b699501c01fc9c4a3dc3094f98ff17cb725d36260eb369cfef78f4436d3ff38bbdf6a7418f42104

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sv-buoh.0.vb

Filesize
14KB

MD5
dad79d03f06e23006cb12f67b252232f

SHA1
a83267389df30f133510cb1cd2d9449d7dbdea9e

SHA256
97da623a56ea19f6a1a83334faa2fa81b6f0207857582b7a8aca2134704fcc97

SHA512
8e1984b79681840b97ee94c72c40a34bcf2dd0f4f888a121561b66e9ee0e7da883525b5e9fc419e9b0b69bc2ac44e0781fce77349fa463de2939be719c13571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sv-buoh.cmdline

Filesize
266B

MD5
31c3f177b034b6f8b57d04fcee90081e

SHA1
bab7bef26b2f4bf2a089a5c92fd5032e6f1c9820

SHA256
4113ccab99d90aa0a140aae7d3b227bc5c2e45aaa11bc8f7f53dd7e907aebc0a

SHA512
b64b12f30acdec64494e6bd2458ca891e6049993f563ce24bea2a22165a0b3bf153f833667cd79c45f0dedaddbbeae22c3c4ce2cd9dffe2a31dd46ad2a0db4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp53EC.tmp.exe

Filesize
78KB

MD5
d910d83589bf1dcccdad7ffdc9292491

SHA1
e4dfa3c11da3f51da2d411bf5117cd4ca8abd2c6

SHA256
455cddfca5b5541fb7f751b9ec2da409af8bd42ae9b38de454bccc6c6ab2449b

SHA512
f486e64f2e8e14df8ece12282aa93ac8518a4ea06502d67d12972a034132e85a24bac33f7346ee8759522288c70a3a35ae41a425b4301711d4b9e31743b9d2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc30EC166C3F56488CADA184279073A02F.TMP

Filesize
660B

MD5
cc7a6d034b47a4ad836f75b188583b74

SHA1
9261385e052f305979ff3a140ed16ce08a3a1143

SHA256
9cd342f324aaf3c9b94477f944507b73be28c5f389488b9854241f6ce3504b66

SHA512
1077d569bd749f92ef5a7b9adae069ec4088dfb93fc726aedfc8b4b596b02fb702ac6f5d20edbb274dad66778b9165210f9609ecfc54755003d60271b2fd7fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2936-1-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/2936-2-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/2936-0-0x0000000075572000-0x0000000075573000-memory.dmp

Filesize
4KB

Download
memory/2936-22-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/3036-8-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/3036-18-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4588-23-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4588-24-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4588-26-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4588-27-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4588-28-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4588-29-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download
memory/4588-30-0x0000000075570000-0x0000000075B21000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads