04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1

General

Target

04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
Size

78KB
MD5

018d10259ffaff7a1e3a1bf59ddf2f94
SHA1

13b8899a70738b5d5034ba31bb4ef0e751846342
SHA256

04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1
SHA512

613633cd547daa4e94660093fa285fe03e574bcad2ec0a8a2c71974d8d7fcc8b1ae4e95ac808855f15e973c4556e1f780862f00db9bd154e651a08b17012a3fb

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7BE3C083-B1DB-4DE3-A6C9-62BFC3061A95}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3AD539C5-1336-4E7C-A52F-6B7E7073FF21}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe

description pid process

Token: SeDebugPrivilege 3980 04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe

description	pid	process
Token: SeDebugPrivilege	3980	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe

description	pid	process	target process
PID 3980 wrote to memory of 2424	3980	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	vbc.exe
PID 3980 wrote to memory of 2424	3980	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	vbc.exe
PID 3980 wrote to memory of 2424	3980	04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe
"C:\Users\Admin\AppData\Local\Temp\04c9457c082bc0ae742a18eaa58e4d83f9d38e0778099606f6db166dcd7d15b1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gmqpb9gj.cmdline"
2⤵
PID:2424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:5112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gmqpb9gj.cmdline
Filesize
266B

MD5
d5c9acb006b156cf96361052ec4d94b3

SHA1
e8acb1ff2fbf8e49471f34270c3e806575efc405

SHA256
960dc93e96ee57b45d7f41e7c31383ccebd58a0002a71f8c8373603cb56479d5

SHA512
8028b6515eedb532308dfc43e859dac231c51d9668dc046791b7bd0af52b891cfcd5459d5513be840ce305953b9501096c4020300b2a8aa70d6510ab86416c8c

Download Submit
memory/2424-131-0x0000000000000000-mapping.dmp

Download
memory/3980-130-0x0000000074CC0000-0x0000000075271000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads