286e0821c9dff60f28f608fbc48788495e4fc25616f718991a9b1979fce08cac

Analysis

max time kernel
102s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b274fcd0b7cf29d6ccc27de01ba359bb.exe
Size

12KB
MD5

b274fcd0b7cf29d6ccc27de01ba359bb
SHA1

64cba723549eeada97dd8a8a06da30de49b58924
SHA256

8d2dfc74cf07e6eefe91c734574c11d8f967d50a3ef0c9224db27a1aeaf5fd6b
SHA512

8ede2502d657bb9c7f8ef26a17a853c4c697ff4a55c02fe4828c7eb7789e53466f894ed76f3a23312b6cbbe62d33638be4f353d5bdbecfc14d7b735e5c1e321e
SSDEEP

384:xL7li/2z2q2DcEQvdfcJKLTp/NK9xacZ:xWMZQ9ccZ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	b274fcd0b7cf29d6ccc27de01ba359bb.exe

Deletes itself 1 IoCs

pid	Process
4764	tmp693A.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4764	tmp693A.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp693A.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b274fcd0b7cf29d6ccc27de01ba359bb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	b274fcd0b7cf29d6ccc27de01ba359bb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 4916	2840	b274fcd0b7cf29d6ccc27de01ba359bb.exe	88
PID 2840 wrote to memory of 4916	2840	b274fcd0b7cf29d6ccc27de01ba359bb.exe	88
PID 2840 wrote to memory of 4916	2840	b274fcd0b7cf29d6ccc27de01ba359bb.exe	88
PID 4916 wrote to memory of 2160	4916	vbc.exe	90
PID 4916 wrote to memory of 2160	4916	vbc.exe	90
PID 4916 wrote to memory of 2160	4916	vbc.exe	90
PID 2840 wrote to memory of 4764	2840	b274fcd0b7cf29d6ccc27de01ba359bb.exe	91
PID 2840 wrote to memory of 4764	2840	b274fcd0b7cf29d6ccc27de01ba359bb.exe	91
PID 2840 wrote to memory of 4764	2840	b274fcd0b7cf29d6ccc27de01ba359bb.exe	91

C:\Users\Admin\AppData\Local\Temp\b274fcd0b7cf29d6ccc27de01ba359bb.exe
"C:\Users\Admin\AppData\Local\Temp\b274fcd0b7cf29d6ccc27de01ba359bb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yk54tgsi\yk54tgsi.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A24.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc579A8CFA12C44BBBABE873678A1E585.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
- C:\Users\Admin\AppData\Local\Temp\tmp693A.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp693A.tmp.exe" C:\Users\Admin\AppData\Local\Temp\b274fcd0b7cf29d6ccc27de01ba359bb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
ab6ec25bc86de4ef94bfc21d9d57663d

SHA1
644941fb5b176ee21ea7049942ad17435f371a4a

SHA256
da092552cae342d15feb55ff79840b139b023e9ee52331d2f24f6c833ecfcc44

SHA512
f9a821e64762ab7ddfa25b78a34351da8e6195af28b8d09929d2e938234c3cd0e0936037710582382823cfe68db5d41cf6b10b47b66f235a0db003c2e43cb1c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6A24.tmp

Filesize
1KB

MD5
0f8f1ec97eff5ea187ce5ca2a1db3acc

SHA1
aee8123d9bf428295078b0a28e0ad628c1a9e867

SHA256
d66da87bd5a4e5aa2925ca29563f8e77b212f2116df71fb3489b660088fce24a

SHA512
e18d36c2a5bb89f3434b3cc9c92804a9bbced8a330ae0df0f7d1ba31ef322304b1c8b6ca61737f9f4a7146aef4bcee9aaef0144980afe25cfd45037e53247b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp693A.tmp.exe

Filesize
12KB

MD5
1103b248d1576b1ee4c786b82e766230

SHA1
c5ca653ae3f14655135e5eefe4b0a4a40e541ce7

SHA256
3825b9ae523bd3294691910077d99240190e8a48c8e5ed1eba05ab31e2215743

SHA512
bc2bd15c052737dcd9b325487f54e330e2ff9e978794e26a7231f06e4f80a4953016dc3c72726410723faf68172a34b334d2a1d8f30823d72a155e58ae5da7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc579A8CFA12C44BBBABE873678A1E585.TMP

Filesize
1KB

MD5
3bba9265893adcf3b557bf9e5e0fef7d

SHA1
195eea795ccd0d5705ddfaf5a7f06f15d2f819ec

SHA256
dfd4de3131f0d696f68bd102c940776405bc83db175d548b9d58f5b5e7df7ad8

SHA512
d1868eaefb2de1261eec75f5ec41f250b959b89e85ad93e8c5a5c42c3a25ccfd79b12334ae663b119899789392cb165fc6f8163167524ebd11b635acd59d3d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yk54tgsi\yk54tgsi.0.vb

Filesize
2KB

MD5
eef1e8b4a9e26b45f8d9aaa8351af9ef

SHA1
bda7cd9ebbd7262c4f6749a76e75ff4a83ee5a47

SHA256
5b35b310bb08e1b10c11804945e50c21d621267073a587ccfaeedaf949a28204

SHA512
28b2ce744552a18d80c6e86b44d8d2b623abc9e9e89c3800c4318e2b532e2d43c0ed388d52a24c3d9e8eeef1698ad26fbc1c051be50381decb47ca89639e3bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\yk54tgsi\yk54tgsi.cmdline

Filesize
273B

MD5
c62be62c8bd1d6994e875bb0473ed6be

SHA1
86ce354b4230474ca49fc3a802a9c93a27a6007a

SHA256
112174839568a6cf1469fded6d6a40289dea937721e506d44f6ac1f8c359c75d

SHA512
b25bb9deaf500f84aaeb70f2a73d6b16185d9212e579a283946b6d1d25f7042355ddd9d13b3ce0a54069e74aff7fda05d42db6bd32e6ccc387c90d2fec195249

Download Submit
memory/2840-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/2840-8-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/2840-24-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/2840-2-0x0000000005070000-0x000000000510C000-memory.dmp

Filesize
624KB

Download
memory/2840-1-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/4764-25-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/4764-26-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/4764-27-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/4764-28-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/4764-30-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download