Analysis
- max time kernel: 167s
- max time network: 177s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-05-2022 12:41
Static task: static1
Behavioral task: behavioral1
  Sample: 04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
  Resource: win10v2004-20220414-en
General
- Target: 04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
- Size: 78KB
- MD5: 018d10259ffaff7a1e3a1bf59ddf2f94
- SHA1: 13b8899a70738b5d5034ba31bb4ef0e751846342
- SHA256: 04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1
- SHA512: 613633cd547daa4e94660093fa285fe03e574bcad2ec0a8a2c71974d8d7fcc8b1ae4e95ac808855f15e973c4556e1f780862f00db9bd154e651a08b17012a3fb
Malware Config
Signatures
- Uses the VBS compiler for execution (1 TTP)
- Drops file in System32 directory (2 IoCs)
  Processes:
  svchost.exe
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7BE3C083-B1DB-4DE3-A6C9-62BFC3061A95}.catalogItem
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3AD539C5-1336-4E7C-A52F-6B7E7073FF21}.catalogItem
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  svchost.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
  svchost.exe
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe (PID 3980)
    Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe (PID 3980)
    Wrote to memory of PID 2424 (vbc.exe)
    Wrote to memory of PID 2424 (vbc.exe)
    Wrote to memory of PID 2424 (vbc.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gmqpb9gj.cmdline"
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Downloads
- C:\Users\Admin\AppData\Local\Temp\gmqpb9gj.cmdline
  Filesize: 266B
  MD5: d5c9acb006b156cf96361052ec4d94b3
  SHA1: e8acb1ff2fbf8e49471f34270c3e806575efc405
  SHA256: 960dc93e96ee57b45d7f41e7c31383ccebd58a0002a71f8c8373603cb56479d5
  SHA512: 8028b6515eedb532308dfc43e859dac231c51d9668dc046791b7bd0af52b891cfcd5459d5513be840ce305953b9501096c4020300b2a8aa70d6510ab86416c8c
- memory/2424-131-0x0000000000000000-mapping.dmp
- memory/3980-130-0x0000000074CC0000-0x0000000075271000-memory.dmp
  Filesize: 5.7MB