f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe

General

Target

f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe
Size

17KB
MD5

0282e3f3c85d9dc212922206b57c075f
SHA1

a91370bc6c253102f091489f65580f6318e2f3ca
SHA256

f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe
SHA512

bdd5021930bca1cf2f68f01593ee223815fa49d2a7c2dfc530fa7a4098eb74e12195beea8c743a5e8dd326ce1af5198268a4ae8721257c747feebb67d8e0d6e5

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowpowershell.exe vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowpowershell.exe	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe"	f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe

description pid process

Token: SeDebugPrivilege 1652 f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe

description	pid	process
Token: SeDebugPrivilege	1652	f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exevbc.exe

description	pid	process	target process
PID 1652 wrote to memory of 1108	1652	f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe	vbc.exe
PID 1652 wrote to memory of 1108	1652	f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe	vbc.exe
PID 1652 wrote to memory of 1108	1652	f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe	vbc.exe
PID 1108 wrote to memory of 1968	1108	vbc.exe	cvtres.exe
PID 1108 wrote to memory of 1968	1108	vbc.exe	cvtres.exe
PID 1108 wrote to memory of 1968	1108	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe
"C:\Users\Admin\AppData\Local\Temp\f08b4bf9d69bb3d0d8331da658d55642c03537ce985075b9c95ba6dfc69587fe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hge5tgf_.cmdline"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES535D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc535C.tmp"
3⤵
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES535D.tmp

MD5
6aff876eb4b5544a544e8e99965ed02e

SHA1
e27dc8b50eeace3419ac785b397c1f967aed5507

SHA256
619b4ecd39f94df56cebe885f1069be853b22b84f8e802647dd2af37398cf4ae

SHA512
c4fe6e1e7006aaecd4c6df3a5fc5e088ce769e25bafad18f0f3ddd95a7abb30753cc091b4f81269b9d648356a9e9f7a58b749d3fc488fb9ac7b3de43906db626

Download Submit
C:\Users\Admin\AppData\Local\Temp\hge5tgf_.0.vb

MD5
5e1babc2c49951c337755c68a0c8cef2

SHA1
a2386a7f02f8ddf533cb64840aa8c403d2d9c8ef

SHA256
5d4ac62a1d49e36917d5a3f742c858d86dd4a17ef59e01895208fa9101d24178

SHA512
dfb56a88c30942596cde0842fea511de75eb6e2729e1b45135bb438f411ef67a6a234c8dfa5d46fceea9811a3b1b158acd7d7d8316f1b1cdc40192874002362e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hge5tgf_.cmdline

MD5
73fc70c44444b40cdd7ffcca637645f3

SHA1
e3b9bf5d89f09cc4bfd8ae271021cd1630300b22

SHA256
cfb05902144f7d021b415062d695addbf0c4a2bb6afb349bb9c382ef78aaa27a

SHA512
67d69327ee7cbcce3dfe4cb52abc48151057676b478dccf45d8eb8ae92328b004c2343aac79a42e11063017895698c92e275941d220a5b3e105cb5fa9f44ec20

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc535C.tmp

MD5
f065edcc3c756284c420ca7e2166b256

SHA1
ff2263359a903bbe6ef940b2448633048576a11f

SHA256
2e7c232a32f406e00d696c81f6b3767d91d2a152852080db01d94203dfb3eab5

SHA512
974faf5494176a8080fab8be7d7d1bfcd2733e34d0c482a86bfe101bccc4c84a24757492ce50c2492101b5f05b9b288b1bce062bfea8f865bd644411f1881471

Download Submit
memory/1652-54-0x0000000001EC0000-0x0000000001EC2000-memory.dmp

Filesize
8KB

Download
memory/1652-55-0x000007FEF1C00000-0x000007FEF2C96000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing