Analysis Overview
SHA256
3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566
Threat Level: Known bad
The file 3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566 was found to be: Known bad.
Malicious Activity Summary
CrypVault
Process spawned unexpected child process
Deletes shadow copies
Executes dropped EXE
Adds policy Run key to start application
Checks computer location settings
Drops startup file
Uses the VBS compiler for execution
Loads dropped DLL
Adds Run key to start application
AutoIT Executable
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-01 14:10
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-01 14:10
Reported
2022-07-01 14:38
Platform
win7-20220414-en
Max time kernel
45s
Max time network
56s
Command Line
Signatures
CrypVault
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\vssadmin.exe |
Deletes shadow copies
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IEData = "C:\\Windows\\SysWOW64\\IEData\\IEData.lnk" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IEData = "C:\\Windows\\SysWOW64\\IEData\\IEData.lnk" | C:\Windows\SysWOW64\tasklist.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\plGbK6.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\nPSJHqv7sImdXngC = "C:\\Users\\Admin\\AppData\\Roaming\\WXYT4cfXl0u4ZrGW\\0BBJCMxzSLI7uJFL.lnk" | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\IEData\api-ms-win-core-console-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IEData\IEData.cmd | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\IEData.cmd | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\AltTab.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\apds.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\api-ms-win-core-misc-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\api-ms-win-core-processthreads-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IEData | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\IEData.lnk | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\api-ms-win-core-debug-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\api-ms-win-core-processenvironment-l1-1-0.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IEData\IEData.lnk | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\accessibilitycpl.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IEData\accessibilitycpl.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\aclui.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\ActionCenterCPL.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IEData\aeevts.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1648 set thread context of 1836 | N/A | C:\ProgramData\plGbK6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\PROGRA~3\plGbK6.vbs | C:\ProgramData\plGbK6.exe | N/A |
| File opened for modification | C:\PROGRA~3\Xhlm7tWi | C:\ProgramData\plGbK6.exe | N/A |
| File created | C:\PROGRA~3\plGbK6.backup | C:\ProgramData\plGbK6.exe | N/A |
| File opened for modification | C:\PROGRA~3\plGbK6.backup | C:\ProgramData\plGbK6.exe | N/A |
| File created | C:\PROGRA~3\plGbK61.backup | C:\ProgramData\plGbK6.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\plGbK6.exe | N/A |
| N/A | N/A | C:\ProgramData\plGbK6.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe
"C:\Users\Admin\AppData\Local\Temp\3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\plGbK61.vbs
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\plGbK61.vbs"
C:\ProgramData\plGbK6.exe
"C:\ProgramData\plGbK6.exe" C:\ProgramData\plGbK6.au3
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\PROGRA~3\plGbK6.vbs
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PROGRA~3\plGbK6.vbs"
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\tasklist.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process call create "vssadmin.exe delete shadows /all /quiet"
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\mshta.exe
mshta.exe C:\Users\Admin\Desktop\VAULT.hta
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 744
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | waveiscomingsoon.com | udp |
Files
memory/1376-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
memory/1380-55-0x0000000000000000-mapping.dmp
C:\ProgramData\plGbK61.vbs
| MD5 | cda398717513da50830b084697723e1d |
| SHA1 | fe120f38ddce40e9e5dc7a680df87557337ab948 |
| SHA256 | 3252524e7063782846866933b9bb7f30d24c101279905e8cd78a15348f2a4422 |
| SHA512 | 3dfbf16256cc43df34c2c1df1ef1854c77751abe8dec0795fb80b582c8f8832014ba878af30bc986451f5259667f17bd768184e961ac1c924dd1bf701fd2338e |
memory/1172-58-0x0000000000000000-mapping.dmp
C:\ProgramData\plGbK6.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
\ProgramData\plGbK6.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
memory/1648-62-0x0000000000000000-mapping.dmp
C:\ProgramData\plGbK6.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\ProgramData\plGbK6.au3
| MD5 | d7ae10e0c6e165746d5b6cd960e11835 |
| SHA1 | 9011a7efcccad994025cc49a6d33ea8be3f06177 |
| SHA256 | 7fbb4f71146b85919af9166225cd8d87b314bb867b63ab4a0a785d5be8e71dbe |
| SHA512 | e26f2a1b24e963d0129bca6de7b98345923121f19227abb7d3f4998f8fd50bf96d96c4264a50cd52f721b0639af79167704d2b4b905e12b969108cad15952f27 |
C:\ProgramData\plGbK6
| MD5 | f22becbde3aa82e56d20a475a7122670 |
| SHA1 | f8eb33dd6cc868176048ee552f16e893c6269649 |
| SHA256 | 036181c87137ebebeb51d1462e615cf21c5b8bd75354dea855c35915ab080a7a |
| SHA512 | 739c008fc414edb56440796235b78799468b1791592600028ea591345cc4245ba35a67452cd54fb5c40e423c9a22a0280ce194755412a905713737c6ada7b4f9 |
C:\PROGRA~3\plGbK6.folder
| MD5 | 33a6417430acf3de0d63ce51ea379446 |
| SHA1 | 1edd015375aafbcfb019fbbff2e5f155fdc56bd0 |
| SHA256 | 4fe93a90b2deab9e438b21127815cefebb8c3686c301b0cb110eb8ac18ec403a |
| SHA512 | 4f1f28fb96463b82403a43cb559b3a8a27d617864995adeb74b34f2d2856e5a9c11c1f562b28a867859cf7f59bf2b303a6434f27474e8d5e3fb9d3b8acb2faa3 |
C:\PROGRA~3\plGbK6.path
| MD5 | 96a5701b8802017f8eb5c0b12f2d6648 |
| SHA1 | bf2674795d2adaf68b4427ea31c06ea8c28c1341 |
| SHA256 | 080979ee8e1989d94b3da1442ae87c25d9ce888b7358daa5a7fc6ba3db24c72b |
| SHA512 | 924ad1f07b399f01b7268b01b05d2c33b6087551172f39f7d3e381395e8b7a8036774949076cd4109f3e79a7a72c9bdd137eea38b6695d6a47a2dbe3c9546468 |
memory/1836-69-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1836-70-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1836-72-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1836-73-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1836-74-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1836-76-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1836-77-0x0000000000406F4A-mapping.dmp
memory/684-79-0x0000000000000000-mapping.dmp
memory/1836-80-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1152-82-0x0000000000000000-mapping.dmp
memory/1836-83-0x0000000000400000-0x000000000040A228-memory.dmp
C:\PROGRA~3\plGbK6.vbs
| MD5 | ee5c36bd87008356db08a36bb6657602 |
| SHA1 | 874c97cce3c010a24e3b8817c34c70c04668b42d |
| SHA256 | 044ae0c0d26bdaa388ae02cf80c945a7ec542aeb34b0de046f2e1590ff530585 |
| SHA512 | f0169f74b93f2841fe146b1dedc471606511b3bebcd5c4498270cb7cebdb5e68fc5bcf7dc5036bd18ae3b4bea094fcebe9c5b180b9f58384123ddc61ecd2b370 |
memory/1848-86-0x0000000000000000-mapping.dmp
memory/1152-87-0x0000000074981000-0x0000000074983000-memory.dmp
\ProgramData\plGbK6.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
memory/1808-90-0x0000000000000000-mapping.dmp
memory/1152-91-0x0000000000B30000-0x0000000000DB1000-memory.dmp
C:\Windows\SysWOW64\IEData\IEData.cmd
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
memory/1568-97-0x0000000000000000-mapping.dmp
memory/308-99-0x0000000000BB0000-0x0000000000E31000-memory.dmp
memory/308-96-0x00000000748F1000-0x00000000748F3000-memory.dmp
memory/308-94-0x0000000000000000-mapping.dmp
memory/1500-100-0x0000000000000000-mapping.dmp
memory/1568-102-0x0000000000BF0000-0x0000000000BF8000-memory.dmp
memory/1808-101-0x00000000003C0000-0x00000000003D6000-memory.dmp
memory/1936-103-0x0000000000000000-mapping.dmp
C:\Users\Admin\Desktop\VAULT.hta
| MD5 | cfd06e26fb55549b4af98bcbf3cb9931 |
| SHA1 | c1f51c7b81be9f3f63d904d61a0452606f09837b |
| SHA256 | a7c38911204a4b9d424473ff0d4526f42b14b3040a434381831c04637e1b17df |
| SHA512 | e9565b90ab6627d67b2d71f0901a02a78ee5f6009abe4190bdb328920457ca600e2c21b494e336165ce30cf3fc9d87ea1f5a3e34cce938709b3a106771ac3b87 |
memory/996-105-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\IEData\IEData.lnk
| MD5 | adc7ea78b22e52cf3251ddc1f5c30adc |
| SHA1 | ecdf71211bddf848fa427b75420fad7d284d94ff |
| SHA256 | 22abe10db7c72932a781925d161801777aa179967ed683ab5a08217d4957ed6d |
| SHA512 | 5b140e2c34daf1a6e5bba08b63cfed68b09ad323276e3994cb980f4ac6844a34674e4d35a9149810af5a1fb34e11424da90f23039d5c4c67b777690c2b6c485e |
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-01 14:10
Reported
2022-07-01 14:38
Platform
win10v2004-20220414-en
Max time kernel
147s
Max time network
161s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\plGbK6.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nPSJHqv7sImdXngC = "C:\\Users\\Admin\\AppData\\Roaming\\WXYT4cfXl0u4ZrGW\\0BBJCMxzSLI7uJFL.lnk" | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\IE5BAKEX\AcXtrnal.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\adsldpc.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\apds.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\altspace.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\accessibilitycpl.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\AcLayers.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\AcSpecfc.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\ActionCenter.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\acwow64.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\IE5BAKEX.cmd | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IE5BAKEX\IE5BAKEX.cmd | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\AboveLockAppHost.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\aeevts.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\aepic.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\Apphlpdm.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IE5BAKEX | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\IE5BAKEX\AboveLockAppHost.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\AccountsRt.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\acppage.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\adsldp.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
| File created | C:\Windows\SysWOW64\IE5BAKEX\advpack.dll | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4952 set thread context of 1996 | N/A | C:\ProgramData\plGbK6.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\plGbK6.backup | C:\ProgramData\plGbK6.exe | N/A |
| File opened for modification | C:\PROGRA~3\plGbK6.backup | C:\ProgramData\plGbK6.exe | N/A |
| File created | C:\PROGRA~3\plGbK61.backup | C:\ProgramData\plGbK6.exe | N/A |
| File opened for modification | C:\PROGRA~3\plGbK6.vbs | C:\ProgramData\plGbK6.exe | N/A |
| File opened for modification | C:\PROGRA~3\Xhlm7tWi | C:\ProgramData\plGbK6.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\plGbK6.exe | N/A |
| N/A | N/A | C:\ProgramData\plGbK6.exe | N/A |
| N/A | N/A | C:\ProgramData\plGbK6.exe | N/A |
| N/A | N/A | C:\ProgramData\plGbK6.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe
"C:\Users\Admin\AppData\Local\Temp\3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\plGbK61.vbs
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\plGbK61.vbs"
C:\ProgramData\plGbK6.exe
"C:\ProgramData\plGbK6.exe" C:\ProgramData\plGbK6.au3
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\PROGRA~3\plGbK6.vbs
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SYSTEM32\explorer.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PROGRA~3\plGbK6.vbs"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 804
Network
| Country | Destination | Domain | Proto |
| US | 104.208.16.90:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
Files
memory/4556-130-0x0000000000000000-mapping.dmp
C:\ProgramData\plGbK61.vbs
| MD5 | cda398717513da50830b084697723e1d |
| SHA1 | fe120f38ddce40e9e5dc7a680df87557337ab948 |
| SHA256 | 3252524e7063782846866933b9bb7f30d24c101279905e8cd78a15348f2a4422 |
| SHA512 | 3dfbf16256cc43df34c2c1df1ef1854c77751abe8dec0795fb80b582c8f8832014ba878af30bc986451f5259667f17bd768184e961ac1c924dd1bf701fd2338e |
memory/4908-132-0x0000000000000000-mapping.dmp
C:\ProgramData\plGbK6.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
memory/4952-134-0x0000000000000000-mapping.dmp
C:\ProgramData\plGbK6.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\ProgramData\plGbK6.au3
| MD5 | d7ae10e0c6e165746d5b6cd960e11835 |
| SHA1 | 9011a7efcccad994025cc49a6d33ea8be3f06177 |
| SHA256 | 7fbb4f71146b85919af9166225cd8d87b314bb867b63ab4a0a785d5be8e71dbe |
| SHA512 | e26f2a1b24e963d0129bca6de7b98345923121f19227abb7d3f4998f8fd50bf96d96c4264a50cd52f721b0639af79167704d2b4b905e12b969108cad15952f27 |
C:\PROGRA~3\plGbK6.folder
| MD5 | 33a6417430acf3de0d63ce51ea379446 |
| SHA1 | 1edd015375aafbcfb019fbbff2e5f155fdc56bd0 |
| SHA256 | 4fe93a90b2deab9e438b21127815cefebb8c3686c301b0cb110eb8ac18ec403a |
| SHA512 | 4f1f28fb96463b82403a43cb559b3a8a27d617864995adeb74b34f2d2856e5a9c11c1f562b28a867859cf7f59bf2b303a6434f27474e8d5e3fb9d3b8acb2faa3 |
C:\PROGRA~3\plGbK6.path
| MD5 | 96a5701b8802017f8eb5c0b12f2d6648 |
| SHA1 | bf2674795d2adaf68b4427ea31c06ea8c28c1341 |
| SHA256 | 080979ee8e1989d94b3da1442ae87c25d9ce888b7358daa5a7fc6ba3db24c72b |
| SHA512 | 924ad1f07b399f01b7268b01b05d2c33b6087551172f39f7d3e381395e8b7a8036774949076cd4109f3e79a7a72c9bdd137eea38b6695d6a47a2dbe3c9546468 |
C:\ProgramData\plGbK6
| MD5 | f22becbde3aa82e56d20a475a7122670 |
| SHA1 | f8eb33dd6cc868176048ee552f16e893c6269649 |
| SHA256 | 036181c87137ebebeb51d1462e615cf21c5b8bd75354dea855c35915ab080a7a |
| SHA512 | 739c008fc414edb56440796235b78799468b1791592600028ea591345cc4245ba35a67452cd54fb5c40e423c9a22a0280ce194755412a905713737c6ada7b4f9 |
memory/1996-140-0x0000000000000000-mapping.dmp
memory/1996-141-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3772-143-0x0000000000000000-mapping.dmp
memory/1996-144-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1996-146-0x0000000000400000-0x000000000040A228-memory.dmp
memory/4404-145-0x0000000000000000-mapping.dmp
C:\PROGRA~3\plGbK6.vbs
| MD5 | ee5c36bd87008356db08a36bb6657602 |
| SHA1 | 874c97cce3c010a24e3b8817c34c70c04668b42d |
| SHA256 | 044ae0c0d26bdaa388ae02cf80c945a7ec542aeb34b0de046f2e1590ff530585 |
| SHA512 | f0169f74b93f2841fe146b1dedc471606511b3bebcd5c4498270cb7cebdb5e68fc5bcf7dc5036bd18ae3b4bea094fcebe9c5b180b9f58384123ddc61ecd2b370 |
memory/4288-148-0x0000000000000000-mapping.dmp
memory/4404-149-0x0000000000F70000-0x00000000013A3000-memory.dmp