728418b13e48aacdb925ae8b891e0f0a35ec8482c92f65fefe8bd4ab890224d2

Resubmissions

25-02-2022 03:09

220225-dnmz3sffbn 10

23-02-2022 04:21

220223-eym89sabhr 10

Analysis

max time kernel
1606s
max time network
1430s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
25-02-2022 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

1.5MB
MD5

7264b8eb7076a2b78617e0e38058d0f3
SHA1

03cd675e664f434773d9c069c0a59b428cd1bedc
SHA256

728418b13e48aacdb925ae8b891e0f0a35ec8482c92f65fefe8bd4ab890224d2
SHA512

47f1d0fef411ab7fcc587b1fad1b143c69dc0723ff58f7d0d8f9d29efe2bcc8ca016b6536996a2a3bc7af2b49a378c68d03876962d5a84eea01c0f119a0643e1

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1196 created 820 1196 WerFault.exe vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	pid	process	target process
PID 1196 created 820	1196	WerFault.exe	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DelhiBrosBP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a.exe"	a.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a.exe

description pid process target process

PID 3692 set thread context of 820 3692 a.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1464 820 WerFault.exe vbc.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

a.exe

pid process

3692 a.exe
3692 a.exe
3692 a.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

a.exe

pid process

3692 a.exe
3692 a.exe
3692 a.exe

description	pid	process	target process
PID 3692 set thread context of 820	3692	a.exe	vbc.exe

pid	pid_target	process	target process
1464	820	WerFault.exe	vbc.exe

pid	process
3692	a.exe
3692	a.exe
3692	a.exe

pid	process
3692	a.exe
3692	a.exe
3692	a.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a.exeWerFault.exe

description	pid	process	target process
PID 3692 wrote to memory of 820	3692	a.exe	vbc.exe
PID 3692 wrote to memory of 820	3692	a.exe	vbc.exe
PID 3692 wrote to memory of 820	3692	a.exe	vbc.exe
PID 3692 wrote to memory of 820	3692	a.exe	vbc.exe
PID 1196 wrote to memory of 820	1196	WerFault.exe	vbc.exe
PID 1196 wrote to memory of 820	1196	WerFault.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 80
3⤵
- Program crash
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 820 -ip 820
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads