4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
448s
max time network
450s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f780377dd90d33c8280734d882fc2ac9.exe
Size

12KB
MD5

f780377dd90d33c8280734d882fc2ac9
SHA1

2ca8e1e97f1d9893389ea6f7505fe7c24924b387
SHA256

d44c91defb81890cb0045d3a612485a4db65c1f4e52ce405efa453b8a07229e7
SHA512

ffa397cbe485bef45d52cbe19527bd7e16d5fe3847e80844dbb45fe96effefb8f0c3cfdcfa9d164786a063d6bc74a38c99ec2bab132b3841caaefb72b26be643
SSDEEP

384:SL7li/2zcq2DcEQvdfcJKLTp/NK9xa4f:MYMZQ9c4f

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	f780377dd90d33c8280734d882fc2ac9.exe

Deletes itself 1 IoCs

pid	Process
5940	tmp4F0B.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5940	tmp4F0B.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4F0B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f780377dd90d33c8280734d882fc2ac9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5760	f780377dd90d33c8280734d882fc2ac9.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5760 wrote to memory of 4476	5760	f780377dd90d33c8280734d882fc2ac9.exe	90
PID 5760 wrote to memory of 4476	5760	f780377dd90d33c8280734d882fc2ac9.exe	90
PID 5760 wrote to memory of 4476	5760	f780377dd90d33c8280734d882fc2ac9.exe	90
PID 4476 wrote to memory of 4760	4476	vbc.exe	93
PID 4476 wrote to memory of 4760	4476	vbc.exe	93
PID 4476 wrote to memory of 4760	4476	vbc.exe	93
PID 5760 wrote to memory of 5940	5760	f780377dd90d33c8280734d882fc2ac9.exe	94
PID 5760 wrote to memory of 5940	5760	f780377dd90d33c8280734d882fc2ac9.exe	94
PID 5760 wrote to memory of 5940	5760	f780377dd90d33c8280734d882fc2ac9.exe	94

C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe
"C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fxfuyhoy\fxfuyhoy.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5023.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE2437B0A9E84695B87C65D715D396C5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4760
- C:\Users\Admin\AppData\Local\Temp\tmp4F0B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4F0B.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5940

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
fed096e92b299eb75f5a7e4d1a10e4a5

SHA1
598d93301191c3efbd7134269385e37164c914f5

SHA256
249dfaabaa15f5194aa1b2a3fddd7292d6d3e3b0787dd8b1a50130774de63b30

SHA512
2a99b78f9359e20ef168130864f12366d12701ef8c40c1ee5c72f134d17c3188e4a625538f4a64961c493ed1240c5aed679ac665ccc1bc251f8595e506c86322

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5023.tmp

Filesize
1KB

MD5
a8f2e791a859bcf7c4067e0af42b9b73

SHA1
cce78cb0c0be948e520cfc1670134cf4704b7028

SHA256
01274643c1adf29dcfd096eede85cba7d0b02caf00c43db55411ebe2008eff62

SHA512
1c8f0842f5767ebabc8d7e9709f72d4ae2d1a84054e7632f7a0ff135712bac9f7917ce29b63bbdddf18072949e4874728907eb4178c78eb236478d4835208d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxfuyhoy\fxfuyhoy.0.vb

Filesize
2KB

MD5
80af92fd4bc6642983024ef611fae21c

SHA1
beb66176ece391ec767db33651b3aaafac6cc951

SHA256
881e88f523e12130aaac6630867889453297c0d4b618d4dfaaaa5f66ae65969d

SHA512
f19700b12bd5faeda800a3a16ac34d0c63e64f535a8e1c367a659bd681ee215ee2c2536ff09ad1b2004196b198c4e0aacccdbe64b9f7c0ed6d9cde560940281f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxfuyhoy\fxfuyhoy.cmdline

Filesize
273B

MD5
13531ab7189499c5074121891bcd6817

SHA1
6a4d6b7e0aa107fe1f35863b0d17b14d6cfd7db1

SHA256
a6853b9306a1ab51b8139a90678f2e948728329b0c43ecc29cffb23d8412974c

SHA512
9533beb8047af8b275117af7574fc81e97f7c76593137f5421d449484f2c34296cb70debbc15ec23bfab71ebff6ccd4b251fbabb50cb46363bec2f9c7a7d4831

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F0B.tmp.exe

Filesize
12KB

MD5
04690f74e518a18403ad4ec374908419

SHA1
510c411fb4e437d2249724c9b4f99e0085e6885e

SHA256
24cc5e0f857eff27a582c96b4f429e043fdb8860ef7b21a595d68a1456d294ca

SHA512
dcf9cbcdf5d6f3bfed463b7b23b5a937fecfaa87d23de4b66c847e4f1025b260809cf821457a8ce2d913b64cdd4be7fa6f05fca53e30c144efe8186c8ff8d57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcCE2437B0A9E84695B87C65D715D396C5.TMP

Filesize
1KB

MD5
a1fe3bc0245df688df938144ad4e7a6c

SHA1
1e05bfa93a63cb04c16f90b8fe37b509711b66c1

SHA256
affe226ad6b4583d83e82fa36660ab3073040bd08353d2f3edbe07b00ef4814b

SHA512
5188352491b0f4a76af42a59109daef6dc232fb3f2c554e6d4a3b876dc9e6b65f8ccc4a5507e49d5c92e86af790da728b875124df31b84087ff080e51f2eda06

Download Submit
memory/5760-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/5760-8-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/5760-2-0x0000000004CB0000-0x0000000004D4C000-memory.dmp

Filesize
624KB

Download
memory/5760-1-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/5760-26-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/5940-25-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/5940-24-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/5940-27-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/5940-28-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/5940-30-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download