5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4

General

Target

5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4.exe
Size

1.2MB
MD5

63f5159752a9afe0314f637f8895e080
SHA1

d36ab5738b43bfd150122b566418de2224adae37
SHA256

5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4
SHA512

46d7d33ea046f9b2d2fcb527e4a6b470e9e3b7b169ebd30cd0f3f2d5344d1336dd0f5d38b4d63c2a6a47f0a24a5e3c69a7bc0a1ae5f9309905018949796e85ec
SSDEEP

24576:zuivlA4vZQJh7pMxNgdYaMhCqRobaEg37fFI/uMI:zL2hKg+aMoq+bah37fFIG

Score

7^/10

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3684	3488	5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4.exe	83
PID 3488 wrote to memory of 3684	3488	5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4.exe	83
PID 3488 wrote to memory of 3684	3488	5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4.exe	83
PID 3684 wrote to memory of 3808	3684	vbc.exe	84
PID 3684 wrote to memory of 3808	3684	vbc.exe	84
PID 3684 wrote to memory of 3808	3684	vbc.exe	84

C:\Users\Admin\AppData\Local\Temp\5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4.exe
"C:\Users\Admin\AppData\Local\Temp\5f5af01f9d6f2c03a29baac6c4f06fab134f911ab4956a1a8a9900f77b52f9e4.exe"
1⤵
- Drops startup file
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\70v23vxe.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB163.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc392EE4C35A934FEB950D1BC31977D6C.TMP"
    3⤵
    PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\55466HR7Y.resources

Filesize
837KB

MD5
0dd6ee68b5d1c95fe57f69fd71e62cf4

SHA1
9e28eac57f6e5e5a4390a1b84af4534c81ce6f09

SHA256
a5d54306c43a066d7779550e96d8a57687ee9911e97ca540cdca6af724d1e13a

SHA512
ed4cecd95cff9d6821d709628d88c1b860de8274e479803a0025dbefb5b710f9f27a9976a11c838a4f4a2351bd59e04f3ab5c2987e5fc1014b7a52a228cd73ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\70v23vxe.0.vb

Filesize
106KB

MD5
35d02199d7db67c9e47f6289756718c1

SHA1
2d9de6a6d92e5838d8b3bcebca696b51fa225929

SHA256
0931abc8fc51b2a2b71586cbae0534650f582a8c28e4306c8d921a78156f8c7c

SHA512
488db203ae21dab1d0d9257cfcc3e66cf6aa6f14da8f371b53802a3a27972646729976563492324d642e9615fef919a43b544e1117b3dbfe15a443678d7ecd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\70v23vxe.cmdline

Filesize
382B

MD5
bcb6e0735a7f6829b4f1154951fbea9f

SHA1
3cf9b5e3aecbf96654e599321a3b237fd857f5ab

SHA256
02131474cc7efb1c28ccd8b3fd2bc7e416e452a7ea847b9313aa2147a8c4e1f8

SHA512
38c319b85b05020634a0ee90a28726c6f791a47bddd5a8538a15960adf3c697959a719023b5e36b936fd5969b594a84755f29152553feac34ad8770304131df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\70v23vxe.exe

Filesize
916KB

MD5
c624febe08e688f0c436029585ce9d0c

SHA1
c586a5acc6e2107e2d1e8dd08486f1884be50073

SHA256
1f1a926a25b69c7674e61dedef5ed0ae5ffb48fe21d19aed7fb21271ba1ccf92

SHA512
2d2f4bf28cedfeec308c6bd86f0673294185b480f1fe7e6bb80a86da9af036f5085ce6077eb23da6d7f547372e7bb7b18a6ee9ac6734eb9b4ed41d67089f9325

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSNPSharp.dll

Filesize
832KB

MD5
6065f66bf5cc088e7344f13f5a63cfa4

SHA1
d23abadbe3a2fe5b102a2f889d30ae2a8da44baf

SHA256
cae1b97f3bb7e41d6f56d28b77bd36ce418f3b52503351e36d8486cfe1d509a4

SHA512
f2a555107e305975b2caa47726cfe9cf0aea3814380a7467e1eef9e89ef0d9ffbd4e36b70d6f839cdba8827aa4f7e61852c01e87f5f7c5840985217dc96acf95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB163.tmp

Filesize
1KB

MD5
f96d4f7d2dcaafe561e1095d2ac69ee6

SHA1
8ecc66cf3bc997412637e65eb59fe9f4e303dbfd

SHA256
536e695958d0df45b9b0e2c4b53c58a81b3a3e23c51645938c77168d248306d4

SHA512
c4a3efa455038ce86e9cb30051d8144321d6f00d4bb95dbece457de3123b8c49462e92c6560770cb669cb99110cfc56402da37c61233155df4fe6622f0fa52bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc392EE4C35A934FEB950D1BC31977D6C.TMP

Filesize
652B

MD5
9571725525f0bd98105ee51044cca804

SHA1
20b94d41c13a64a5cc424cfeb1f507418481c9cd

SHA256
7f7d7fbfbe61c524d149c3475bbbe72c77ab19d0a91f07af2abfa6e6f4f7a2e0

SHA512
3805de471953340b81ba9452bd269772eedf28d6aed0e7e723c9fa0b12e5375a09e1abfd8ad568c5d29b1d8d127b8b659e2ed4b9278204970408694f1d7c2710

Download Submit
memory/3488-132-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download
memory/3488-142-0x0000000075300000-0x00000000758B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing