4052cabc6efdd8910b0c92b973d1a37172a92ee408fc53209d746cfb65e08dcc

General

Target

PO894749745.exe
Size

441KB
MD5

65fe80a7288aebb3e14c7db814feb974
SHA1

38df46f7e47abefe45503b57474673e8f5e15c24
SHA256

4052cabc6efdd8910b0c92b973d1a37172a92ee408fc53209d746cfb65e08dcc
SHA512

7415b082c8644f3406c743ab65db55e4e34817d380a6638065ac12547451382a0c51f1c921fa3b07df3eb5aaf75a2eb3cc4cddf2407e044023424c1cb5d64122

Score

7^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1012	1440	PO894749745.exe	24
PID 1440 wrote to memory of 1012	1440	PO894749745.exe	24
PID 1440 wrote to memory of 1012	1440	PO894749745.exe	24
PID 1440 wrote to memory of 1012	1440	PO894749745.exe	24
PID 1440 wrote to memory of 748	1440	PO894749745.exe	25
PID 1440 wrote to memory of 748	1440	PO894749745.exe	25
PID 1440 wrote to memory of 748	1440	PO894749745.exe	25
PID 1440 wrote to memory of 748	1440	PO894749745.exe	25
PID 1440 wrote to memory of 308	1440	PO894749745.exe	26
PID 1440 wrote to memory of 308	1440	PO894749745.exe	26
PID 1440 wrote to memory of 308	1440	PO894749745.exe	26
PID 1440 wrote to memory of 308	1440	PO894749745.exe	26
PID 1440 wrote to memory of 1064	1440	PO894749745.exe	27
PID 1440 wrote to memory of 1064	1440	PO894749745.exe	27
PID 1440 wrote to memory of 1064	1440	PO894749745.exe	27
PID 1440 wrote to memory of 1064	1440	PO894749745.exe	27
PID 1440 wrote to memory of 1064	1440	PO894749745.exe	27
PID 1440 wrote to memory of 1064	1440	PO894749745.exe	27
PID 1440 wrote to memory of 1064	1440	PO894749745.exe	27
PID 1244 wrote to memory of 1528	1244	Explorer.EXE	28
PID 1244 wrote to memory of 1528	1244	Explorer.EXE	28
PID 1244 wrote to memory of 1528	1244	Explorer.EXE	28
PID 1244 wrote to memory of 1528	1244	Explorer.EXE	28
PID 1528 wrote to memory of 1700	1528	NETSTAT.EXE	29
PID 1528 wrote to memory of 1700	1528	NETSTAT.EXE	29
PID 1528 wrote to memory of 1700	1528	NETSTAT.EXE	29
PID 1528 wrote to memory of 1700	1528	NETSTAT.EXE	29

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1064	vbc.exe
1064	vbc.exe
1064	vbc.exe
1064	vbc.exe
1528	NETSTAT.EXE
1528	NETSTAT.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	PO894749745.exe
Token: SeDebugPrivilege	1064	vbc.exe
Token: SeDebugPrivilege	1528	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1440	PO894749745.exe
1440	PO894749745.exe
1440	PO894749745.exe
1064	vbc.exe
1064	vbc.exe
1064	vbc.exe
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE
1528	NETSTAT.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1440 set thread context of 1064	1440	PO894749745.exe	27
PID 1064 set thread context of 1244	1064	vbc.exe	20
PID 1064 set thread context of 1244	1064	vbc.exe	20
PID 1528 set thread context of 1244	1528	NETSTAT.EXE	20

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE
1244	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Suspicious use of SendNotifyMessage
PID:1244
- C:\Users\Admin\AppData\Local\Temp\PO894749745.exe
  "C:\Users\Admin\AppData\Local\Temp\PO894749745.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  PID:1440
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "{path}"
    3⤵
    PID:1012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "{path}"
    3⤵
    PID:748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "{path}"
    3⤵
    PID:308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "{path}"
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    PID:1064
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1064-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1244-4-0x00000000064E0000-0x00000000065E4000-memory.dmp

Filesize
1.0MB

Download
memory/1528-6-0x0000000000050000-0x0000000000059000-memory.dmp

Filesize
36KB

Download
memory/1528-8-0x0000000001FB0000-0x000000000210C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing