4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
100s
max time network
106s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f780377dd90d33c8280734d882fc2ac9.exe
Size

12KB
MD5

f780377dd90d33c8280734d882fc2ac9
SHA1

2ca8e1e97f1d9893389ea6f7505fe7c24924b387
SHA256

d44c91defb81890cb0045d3a612485a4db65c1f4e52ce405efa453b8a07229e7
SHA512

ffa397cbe485bef45d52cbe19527bd7e16d5fe3847e80844dbb45fe96effefb8f0c3cfdcfa9d164786a063d6bc74a38c99ec2bab132b3841caaefb72b26be643
SSDEEP

384:SL7li/2zcq2DcEQvdfcJKLTp/NK9xa4f:MYMZQ9c4f

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5228	tmp4E6F.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5228	tmp4E6F.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4E6F.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f780377dd90d33c8280734d882fc2ac9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3124	f780377dd90d33c8280734d882fc2ac9.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 5536	3124	f780377dd90d33c8280734d882fc2ac9.exe	78
PID 3124 wrote to memory of 5536	3124	f780377dd90d33c8280734d882fc2ac9.exe	78
PID 3124 wrote to memory of 5536	3124	f780377dd90d33c8280734d882fc2ac9.exe	78
PID 5536 wrote to memory of 2700	5536	vbc.exe	80
PID 5536 wrote to memory of 2700	5536	vbc.exe	80
PID 5536 wrote to memory of 2700	5536	vbc.exe	80
PID 3124 wrote to memory of 5228	3124	f780377dd90d33c8280734d882fc2ac9.exe	81
PID 3124 wrote to memory of 5228	3124	f780377dd90d33c8280734d882fc2ac9.exe	81
PID 3124 wrote to memory of 5228	3124	f780377dd90d33c8280734d882fc2ac9.exe	81

C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe
"C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rv4a54w2\rv4a54w2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7DB5EE172784B0B99ACAB50EBD719F6.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- C:\Users\Admin\AppData\Local\Temp\tmp4E6F.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4E6F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f780377dd90d33c8280734d882fc2ac9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5228

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
edd1445ec43a61e6fbc0ccb98d762b54

SHA1
430ba0714e42cd3944e4a6ad90b4d42e7250066c

SHA256
990fffd8454a4ffd63b2de87810d9dde156842209664adf5b961bd5594ce7dbc

SHA512
5c0296b3db6fa2f5ece33fc6baa02eb4da2855d722c8eb02edee28848fd999b1e8527e413722553dbff020a9f3555aa2b58d4ac72dc9ade2c29014fdaac5e2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4F78.tmp

Filesize
1KB

MD5
b9bcab0b63dd8d4aa83afa66a051b299

SHA1
df22eaa2d38b37f18d3ae1764a4a04912b580c92

SHA256
3efddaa82dcaf2e95826bfcfc71b1d9b1facb3cb574ead9b6165995df363c898

SHA512
1178fe2636d6db4419e186e69149b53a52f23e0d1182370cc9d558a85c613f45edd8985feb0dbce1d8cb4dfd90e48116611110fc84ebf633bc41b5ab37eaeb21

Download Submit
C:\Users\Admin\AppData\Local\Temp\rv4a54w2\rv4a54w2.0.vb

Filesize
2KB

MD5
f9078eea0ebf5159828d44fae8e47687

SHA1
925ed2b8a04f956de05a936b14792fe482b0fbaf

SHA256
a2f974cfe11024ee41f5ce930ee525a77f221c99edec1e59b210dfe3bc9c24b5

SHA512
1669e37829cfcf3efff4ec4140abc71995794659f9fdd8df590707b28090abf78d47d0839fb22cd4ee330ac516f06d5869cc4554b427269ad89cff9bd16a71d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rv4a54w2\rv4a54w2.cmdline

Filesize
273B

MD5
b76c6ed98bb53e736c45c0af19b65f90

SHA1
a2796c15a2d0b0609abdbac9bf7e36d90c18c6ff

SHA256
26ec19a34b3d464014a77d0bdfeef1a0576a6f0eb14320b3272c4353e18c3206

SHA512
ac434bd9b6a51328bf4fe08e75cc02d2b23ca3b9b7b1f1e72707172c875e380e724a3c284e42ec6e19c3e6eb2e2fdeb4b183345173e82431c7344083c5a099f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E6F.tmp.exe

Filesize
12KB

MD5
a81ad24c8db6f99332d87e17d38ef734

SHA1
77c8424597ee3b6118db7607d6e420ba43b887b5

SHA256
96a56095ce6724c60f1f79edccaff9443f095ed71c8572e386f2d153cb2277c1

SHA512
703a70284ad45905ca18b3c5b7eaa5dd2f18e564667356acd060dc7614234d110e6bc594d103a04fb7bd73c974d4521b52ac8d9e7a1b8ea6a5cc9737814137ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7DB5EE172784B0B99ACAB50EBD719F6.TMP

Filesize
1KB

MD5
600225ea75e0f8aa9b595da9790b6069

SHA1
4aff7eb3c3ef0a3d1d1359e61573d5448ae60fdf

SHA256
4497ba592d89f1b920c859ddce13d0129f0e0a93812957945688ada3cdeaca0a

SHA512
204c5631f0a38e7361e9db391daf760b8fb92c05e57eda224f86e53347c5322cc8719073ae0ebebeb2d8c0146050a6564eef27de47d2d9431ebff4b8d79a3180

Download Submit
memory/3124-0-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/3124-8-0x0000000074420000-0x0000000074BD1000-memory.dmp

Filesize
7.7MB

Download
memory/3124-2-0x0000000004DF0000-0x0000000004E8C000-memory.dmp

Filesize
624KB

Download
memory/3124-1-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/3124-26-0x0000000074420000-0x0000000074BD1000-memory.dmp

Filesize
7.7MB

Download
memory/5228-24-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/5228-25-0x0000000074420000-0x0000000074BD1000-memory.dmp

Filesize
7.7MB

Download
memory/5228-28-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/5228-27-0x0000000005B60000-0x0000000006106000-memory.dmp

Filesize
5.6MB

Download
memory/5228-30-0x0000000074420000-0x0000000074BD1000-memory.dmp

Filesize
7.7MB

Download