aa0efd3c8e3806d3f794875441f34351070ca601ad2181b25b7ef3f1623a941e

General

Target

876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe
Size

498KB
MD5

7ab1da3d85f6eb7583bc9d7d44da989a
SHA1

c18a98fd2813f75c7142bb0be9c61085b1bd9de2
SHA256

876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80
SHA512

5abd4f512e579b9df942a6faa14fada1bb484d8e9ccacdf56512e618b9643af2470607c9379b103e076c50164d79c6d4c2242dab717b67ff323e415a497c05d2

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vbcoon.exe

pid process

1632 vbcoon.exe
Loads dropped DLL 1 IoCs

Processes:

876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe

pid process

2040 876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe

pid	process
1632	vbcoon.exe

pid	process
2040	876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe

NTFS ADS 1 IoCs

Processes:

876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe

description	ioc	process
File created	\??\c:\programdata\17c92f7746\vbcoon.exe:Zone.Identifier	876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exevbcoon.exe

pid process

2040 876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe
1632 vbcoon.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exevbcoon.exe

pid process

2040 876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe
1632 vbcoon.exe

pid	process
2040	876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe
1632	vbcoon.exe

pid	process
2040	876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe
1632	vbcoon.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exevbcoon.exe

description	pid	process	target process
PID 2040 wrote to memory of 1632	2040	876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe	vbcoon.exe
PID 2040 wrote to memory of 1632	2040	876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe	vbcoon.exe
PID 2040 wrote to memory of 1632	2040	876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe	vbcoon.exe
PID 2040 wrote to memory of 1632	2040	876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe	vbcoon.exe
PID 1632 wrote to memory of 1484	1632	vbcoon.exe	REG.exe
PID 1632 wrote to memory of 1484	1632	vbcoon.exe	REG.exe
PID 1632 wrote to memory of 1484	1632	vbcoon.exe	REG.exe
PID 1632 wrote to memory of 1484	1632	vbcoon.exe	REG.exe

C:\Users\Admin\AppData\Local\Temp\876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe
"C:\Users\Admin\AppData\Local\Temp\876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2040

\??\c:\programdata\17c92f7746\vbcoon.exe
c:\programdata\17c92f7746\vbcoon.exe
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\REG.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\17c92f7746
3⤵
PID:1484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\0
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\17c92f7746\vbcoon.exe
Filesize
498KB

MD5
7ab1da3d85f6eb7583bc9d7d44da989a

SHA1
c18a98fd2813f75c7142bb0be9c61085b1bd9de2

SHA256
876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80

SHA512
5abd4f512e579b9df942a6faa14fada1bb484d8e9ccacdf56512e618b9643af2470607c9379b103e076c50164d79c6d4c2242dab717b67ff323e415a497c05d2

Download Submit
\ProgramData\17c92f7746\vbcoon.exe
Filesize
498KB

MD5
7ab1da3d85f6eb7583bc9d7d44da989a

SHA1
c18a98fd2813f75c7142bb0be9c61085b1bd9de2

SHA256
876602eb517acecfd824b695225966c78a074f6e002641062d242999f9e5eb80

SHA512
5abd4f512e579b9df942a6faa14fada1bb484d8e9ccacdf56512e618b9643af2470607c9379b103e076c50164d79c6d4c2242dab717b67ff323e415a497c05d2

Download Submit
memory/1484-63-0x0000000000000000-mapping.dmp

Download
memory/1632-57-0x0000000000000000-mapping.dmp

Download
memory/1632-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2040-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/2040-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2040-60-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing