56eaeb544a5b324a1b498dc1839a346277ea0ba6840f6d5ceb898b823f14d2d5

Analysis

max time kernel
148s
max time network
166s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

736e4ed2299f5ec127d8f98265dc5a93.exe
Size

78KB
MD5

736e4ed2299f5ec127d8f98265dc5a93
SHA1

2874662d53902e4712fba6e70eb57b4989ad581a
SHA256

29f4e4c8d63c893a79a2136b7bd550e446d53f0f3295d686af51798bf1f985dd
SHA512

886db800a10586d6142f6d6cdbb64fb22109c65a42fe2c13b54cf96d3f5d777224deb1e9dfc94232ec25a4d63ceb741f2a973831231064fab2e16b46273f7068
SSDEEP

1536:gHFo6638dy0MochZDsC8Kl/99Z242UdIAkn3jKZPjoYaoQtu9/p1X/:gHFo53Ln7N041Qqhgu9/j

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	tmpC8DB.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1128	736e4ed2299f5ec127d8f98265dc5a93.exe
1128	736e4ed2299f5ec127d8f98265dc5a93.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\""	tmpC8DB.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	736e4ed2299f5ec127d8f98265dc5a93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC8DB.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	736e4ed2299f5ec127d8f98265dc5a93.exe
Token: SeDebugPrivilege	3064	tmpC8DB.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2184	1128	736e4ed2299f5ec127d8f98265dc5a93.exe	30
PID 1128 wrote to memory of 2184	1128	736e4ed2299f5ec127d8f98265dc5a93.exe	30
PID 1128 wrote to memory of 2184	1128	736e4ed2299f5ec127d8f98265dc5a93.exe	30
PID 1128 wrote to memory of 2184	1128	736e4ed2299f5ec127d8f98265dc5a93.exe	30
PID 2184 wrote to memory of 2036	2184	vbc.exe	32
PID 2184 wrote to memory of 2036	2184	vbc.exe	32
PID 2184 wrote to memory of 2036	2184	vbc.exe	32
PID 2184 wrote to memory of 2036	2184	vbc.exe	32
PID 1128 wrote to memory of 3064	1128	736e4ed2299f5ec127d8f98265dc5a93.exe	33
PID 1128 wrote to memory of 3064	1128	736e4ed2299f5ec127d8f98265dc5a93.exe	33
PID 1128 wrote to memory of 3064	1128	736e4ed2299f5ec127d8f98265dc5a93.exe	33
PID 1128 wrote to memory of 3064	1128	736e4ed2299f5ec127d8f98265dc5a93.exe	33

C:\Users\Admin\AppData\Local\Temp\736e4ed2299f5ec127d8f98265dc5a93.exe
"C:\Users\Admin\AppData\Local\Temp\736e4ed2299f5ec127d8f98265dc5a93.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-oigfgds.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBD8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBC7.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2036
- C:\Users\Admin\AppData\Local\Temp\tmpC8DB.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpC8DB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\736e4ed2299f5ec127d8f98265dc5a93.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-oigfgds.0.vb

Filesize
15KB

MD5
f6f0de9233baee15ebbeef93f8517eb6

SHA1
50ef8a18c7061358fccb3b52ad3acb3d12d790fa

SHA256
ec16c799977717f00d50b3217a4e5ea6ee7c91ad2b76182a6543fd84f33cecfb

SHA512
9dc81b98739a8b2e5b9629ada66ba747bccc6b3324fa278d65ae39d7e0dc6c30f053da4e0322eefe95b8c4f1ada51b89c80f5c9b12ec01b4c219c8a35b25478f

Download Submit
C:\Users\Admin\AppData\Local\Temp\-oigfgds.cmdline

Filesize
266B

MD5
459caa3315c9829fe861a8a41c4934e7

SHA1
337a9183a313bb52ad7eadccf223a7306575a617

SHA256
b48f5fe7417b7ef15f5105f026f13d81aea100a1eedb0fa15f8a8dd2f1ad3173

SHA512
773da395ab4ca255b45ff3d0b5cc67fc981b80cc6d636ae366a0ee825b0c227306f0767fc7d5a6a2b538e11d4f5baa50c8f8f53e134be11ff96e8b6c7b285e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCBD8.tmp

Filesize
1KB

MD5
2517df5d18d3f8145f6df75326bbfb1e

SHA1
2f68eb66fbde7c7ba52c3fd67573c452f900937d

SHA256
03a75b601fde30b130fb9c8adc235e8cae7689963efeca5b5734306839bf4201

SHA512
ce9603ef3cf21cd744271fe81679e03eb4c27cef39ae6757cac69e838a33056527effd9173c530b98cdf327dbd7e00e99d1f45fb6afb4ac0f9febcf60efc7383

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC8DB.tmp.exe

Filesize
78KB

MD5
e0fef08be6000cbe1e69233cb2c48325

SHA1
ea40a6ffa2753d3097279a5228aa06f12f34b2d4

SHA256
a33aa24b36439bcf3a164278a6d9c2d0834004dd10952b18f5119a583b250076

SHA512
3dff20f33c17894e3cf1efa50a5bc3452d8836ffee40fc21976d8aca9d57bb44c9795dce2616b4147e92c6c0bfadfec6fb9eca75dcc49822bfa1c01c5fabaa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCBC7.tmp

Filesize
660B

MD5
60f9341a50f51ec6d1a2ac2dc5eaa0b3

SHA1
c11cfe687a03889b986e5d8441473804333d9081

SHA256
27bb470e0a44a489461edc80bc69e23528d4da63af9bcab25cdf877daec784ed

SHA512
32c201c925b541905fbe5740227405704147b0a47ca9c0bbc228293014b909c346a284dacf3b6ccd378102096dd311b687ac3f4a0c3190d68e3e4aee2a673314

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
aa4bdac8c4e0538ec2bb4b7574c94192

SHA1
ef76d834232b67b27ebd75708922adea97aeacce

SHA256
d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430

SHA512
0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

Download Submit
memory/1128-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

Filesize
4KB

Download
memory/1128-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/1128-2-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/1128-24-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-8-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-18-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads