4acea05ab0905a50470e55fcb4575e6feee6e7f5ae857bdd388818cee7a562c6

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51a043361bd59e21a64fdb95fb472f63.exe
Size

78KB
MD5

51a043361bd59e21a64fdb95fb472f63
SHA1

e605acc42664303e4776e95977af26cfcab3e02a
SHA256

751f6b8d77920eec4226c83b41e972117864bd8749369f33da5591bee60a3814
SHA512

fb8726f88ec0ed281eb6f38d70360208b5fefbcb66479541d17455d96446816c6522900e26057c79d9bb5587d53b6c4c1dbce0b7faa9623de21e9d9fba429ecc
SSDEEP

1536:He5sdy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtN6W9/t1l0:He5bn7N041Qqhg19/K

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	51a043361bd59e21a64fdb95fb472f63.exe

Executes dropped EXE 1 IoCs

pid	Process
3156	tmp6820.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmp6820.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51a043361bd59e21a64fdb95fb472f63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp6820.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	51a043361bd59e21a64fdb95fb472f63.exe
Token: SeDebugPrivilege	3156	tmp6820.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 3100	2448	51a043361bd59e21a64fdb95fb472f63.exe	88
PID 2448 wrote to memory of 3100	2448	51a043361bd59e21a64fdb95fb472f63.exe	88
PID 2448 wrote to memory of 3100	2448	51a043361bd59e21a64fdb95fb472f63.exe	88
PID 3100 wrote to memory of 3224	3100	vbc.exe	90
PID 3100 wrote to memory of 3224	3100	vbc.exe	90
PID 3100 wrote to memory of 3224	3100	vbc.exe	90
PID 2448 wrote to memory of 3156	2448	51a043361bd59e21a64fdb95fb472f63.exe	91
PID 2448 wrote to memory of 3156	2448	51a043361bd59e21a64fdb95fb472f63.exe	91
PID 2448 wrote to memory of 3156	2448	51a043361bd59e21a64fdb95fb472f63.exe	91

C:\Users\Admin\AppData\Local\Temp\51a043361bd59e21a64fdb95fb472f63.exe
"C:\Users\Admin\AppData\Local\Temp\51a043361bd59e21a64fdb95fb472f63.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nr-6cf1z.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6968.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E405DD4ADF64241955546D13738F32.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3224
- C:\Users\Admin\AppData\Local\Temp\tmp6820.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6820.tmp.exe" C:\Users\Admin\AppData\Local\Temp\51a043361bd59e21a64fdb95fb472f63.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6968.tmp

Filesize
1KB

MD5
a3a0100035ff2e8d03b19d824b3ea17e

SHA1
ff4e183646a0d26925d2c82321847bbc0daf6614

SHA256
b08c49246258bbec7b9302b81f8a1b0339236e62f454472323903d9402117028

SHA512
7bb48fb1e54475f67b2b8db61959b8e9ec6a2a4a036bf0ec8bf7a4f345a5df7a60776fc87eb09b56c508810dbc7c7df5d505bf16d4860b2d20e3e8f7be15b68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nr-6cf1z.0.vb

Filesize
14KB

MD5
a3f421a60351175e559ccb3c15283914

SHA1
4ecb1596b139333598c1f7fa0d32344dc5dcd453

SHA256
e0a21c1ce868a0534cea4bcda68fc8f59d57828b67b5289b394be3d8e8b7f801

SHA512
9c5850e0dfb17425fcc265e9fa9e04caf3f1288be84d017b07a09780e9f6d8d826dc195bf5a9b0e7a64c3f69b30d511157b8ab1430bc0936f1cc4d83af18e9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nr-6cf1z.cmdline

Filesize
266B

MD5
0794e17e20075f6c3909f61e63e7fc77

SHA1
1e1357f05f57397eb40eeffab435972b3d18d7d8

SHA256
e95205088de26e3a9d8ae6e741db31d36ad997a86dff08120db44616cdd52fc3

SHA512
e72b56d2777dafa5b5dbee9934e9c52199751ca964a56abca290df5862dce520b7dc8fd5c872c97b556869bde3aa6ba401329c2f64237669bfc1331857cb79bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6820.tmp.exe

Filesize
78KB

MD5
1988d283c2e23bd89e653041d0ec7398

SHA1
81e5ed29669663daaca11d3b7fc30a7359a13c01

SHA256
6406ad0a3152a0796eea959c58fba702892be8ac7a8d4c39ea24d5e42fc85d6b

SHA512
09e503466ce116c6ec241a8ad884d7f6d601a5d43ae7a56bdb06051e37d6a905a649842c9022493f778a9552d63f7da4f900d3b511281f6e5a95909228ac8cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3E405DD4ADF64241955546D13738F32.TMP

Filesize
660B

MD5
1e0c3ad39ded59ed7c6365c510345e46

SHA1
1b6c650e88cfbfad3109321b25c05105be689284

SHA256
6c3228e18b33a694e9ab3de22cd6c1baac2f49ba746fb5fa26ea36e7b0e8d2f7

SHA512
5daf892a5e68f41f37aa55c1539cef6b94c8e9bc3ea83692a426986fc42c93c800c352cfaf154bb87aa886394e19d6d00827d1696d49517496b9c6baff954a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/2448-22-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2448-2-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2448-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/2448-0-0x0000000074EF2000-0x0000000074EF3000-memory.dmp

Filesize
4KB

Download
memory/3100-9-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3100-18-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3156-23-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3156-24-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3156-26-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3156-27-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3156-28-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads