9a94526af5d19bcf180fce60337990aa2ca9faae1e6e2c913904e5f66f1c0bca

Analysis

max time kernel
152s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2022 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAOISKUDTHHDBENR.exe
Size

300.0MB
MD5

75982f6745193533c0794af8942c23fd
SHA1

1883c8aa732a0f3b280edb3d3426b8dfcd5bdb09
SHA256

9a94526af5d19bcf180fce60337990aa2ca9faae1e6e2c913904e5f66f1c0bca
SHA512

c9de7e051e14f40a93e620eca74d964d4ac13bafdab3e9aa14ae302a3f524343dfb1524bde53a062f38c2edc2e9d61fe423aabf6672fddcd546495a81a9a3534

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

gvbeds.exe

pid process

1792 gvbeds.exe

pid	process
1792	gvbeds.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/212-139-0x0000000000BB0000-0x0000000000F94000-memory.dmp	upx
behavioral2/memory/212-140-0x0000000000BB0000-0x0000000000F94000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

MAOISKUDTHHDBENR.exe

description pid process target process

PID 4084 set thread context of 212 4084 MAOISKUDTHHDBENR.exe vbc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4076 212 WerFault.exe vbc.exe
1632 212 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4156 schtasks.exe

description	pid	process	target process
PID 4084 set thread context of 212	4084	MAOISKUDTHHDBENR.exe	vbc.exe

pid	pid_target	process	target process
4076	212	WerFault.exe	vbc.exe
1632	212	WerFault.exe	vbc.exe

pid	process
4156	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

MAOISKUDTHHDBENR.execmd.exe

description	pid	process	target process
PID 4084 wrote to memory of 4448	4084	MAOISKUDTHHDBENR.exe	cmd.exe
PID 4084 wrote to memory of 4448	4084	MAOISKUDTHHDBENR.exe	cmd.exe
PID 4084 wrote to memory of 4448	4084	MAOISKUDTHHDBENR.exe	cmd.exe
PID 4448 wrote to memory of 4156	4448	cmd.exe	schtasks.exe
PID 4448 wrote to memory of 4156	4448	cmd.exe	schtasks.exe
PID 4448 wrote to memory of 4156	4448	cmd.exe	schtasks.exe
PID 4084 wrote to memory of 4980	4084	MAOISKUDTHHDBENR.exe	cmd.exe
PID 4084 wrote to memory of 4980	4084	MAOISKUDTHHDBENR.exe	cmd.exe
PID 4084 wrote to memory of 4980	4084	MAOISKUDTHHDBENR.exe	cmd.exe
PID 4084 wrote to memory of 212	4084	MAOISKUDTHHDBENR.exe	vbc.exe
PID 4084 wrote to memory of 212	4084	MAOISKUDTHHDBENR.exe	vbc.exe
PID 4084 wrote to memory of 212	4084	MAOISKUDTHHDBENR.exe	vbc.exe
PID 4084 wrote to memory of 212	4084	MAOISKUDTHHDBENR.exe	vbc.exe
PID 4084 wrote to memory of 212	4084	MAOISKUDTHHDBENR.exe	vbc.exe
PID 4084 wrote to memory of 212	4084	MAOISKUDTHHDBENR.exe	vbc.exe
PID 4084 wrote to memory of 212	4084	MAOISKUDTHHDBENR.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\MAOISKUDTHHDBENR.exe
"C:\Users\Admin\AppData\Local\Temp\MAOISKUDTHHDBENR.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\gvbeds.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\gvbeds.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4156

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\MAOISKUDTHHDBENR.exe" "C:\Users\Admin\AppData\Roaming\gvbeds.exe"
2⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 184
3⤵
- Program crash
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 232
3⤵
- Program crash
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 212 -ip 212
1⤵
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 212 -ip 212
1⤵
PID:4340

C:\Users\Admin\AppData\Roaming\gvbeds.exe
C:\Users\Admin\AppData\Roaming\gvbeds.exe
1⤵
- Executes dropped EXE
PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\gvbeds.exe
Filesize
169.3MB

MD5
3215194217540c94040c2f65e55ab607

SHA1
9586930dcf9a6a977a487c965c53a2d0851fbc45

SHA256
b91d5d78dd405e57a0dda50a9940816584c84a4124f917d95746577d79ea8d60

SHA512
e0bad0a6516e4374ac5d4794f8032f330194460e8f453a9b03cb0d7888888440bf55aeb167a41c6e728ee658450b158761921aed4a23e18df9872ff6bb5a453a

Download Submit
C:\Users\Admin\AppData\Roaming\gvbeds.exe
Filesize
168.4MB

MD5
03ff44e51f7e0eb4122d47289e8b7e08

SHA1
435cd06f85ca1c6461cd8aed0dfe576139aceb75

SHA256
9eb72d7ddef6e822fd36d0f2d9c40150d9a30d91e85cdb92814849c8b7f42555

SHA512
cb9d1eb279c6c0467c1f8e48113acdc3dfe96d3d64626a12f9a7b54de9447e6818d19d3523cdd83bdad55b7b37c9e65418492bded4e8a8e7b0794e41a9aaca7a

Download Submit
memory/212-137-0x0000000000000000-mapping.dmp

Download
memory/212-139-0x0000000000BB0000-0x0000000000F94000-memory.dmp

Filesize
3.9MB

Download
memory/212-140-0x0000000000BB0000-0x0000000000F94000-memory.dmp

Filesize
3.9MB

Download
memory/4084-132-0x00000000008B0000-0x0000000000A3C000-memory.dmp

Filesize
1.5MB

Download
memory/4084-135-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/4156-134-0x0000000000000000-mapping.dmp

Download
memory/4448-133-0x0000000000000000-mapping.dmp

Download
memory/4980-136-0x0000000000000000-mapping.dmp

Download