Analysis
max time kernel: 86s
max time network: 117s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19/10/2022, 22:18
Static task: static1
Behavioral task: behavioral1
    Sample: a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe
    Resource: win7-20220812-en
Behavioral task: behavioral2
    Sample: a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe
    Resource: win10-20220812-en
General
Target: a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe
Size: 2.4MB
MD5: 9e7ea9b64b79efe2cbfddc73d885a42f
SHA1: 93414df1a44175703342e200b56822b1ee1d2bf5
SHA256: a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce
SHA512: 12d60eb613ee7a9d13582db1859754231a87ecc2792297cf661adf3c8d42e9e8d29b57294b8a79e6fa30e4470d036e65a63ff75c59cf565fed56b71c982aafd2
SSDEEP: 24576:BQQDQWrQDbwMxSPlFY6YKNz/bJMSOX00dr90iAJZf/j34Pkw7VceLYewl3RuQ55Z:BRDQzxSPJ9Z/D4Pb7VceCl3
Malware Config
Signatures
Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
    description | pid | Process | procid_target
    PID 1728 set thread context of 98396 | 1728 | a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe | 29

Suspicious behavior: EnumeratesProcesses (3 IoCs)
    pid | Process
    98496 | powershell.exe
    98592 | powershell.exe
    98652 | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
    description | pid | Process
    Token: SeDebugPrivilege | 98496 | powershell.exe
    Token: SeDebugPrivilege | 98396 | vbc.exe
    Token: SeDebugPrivilege | 98592 | powershell.exe
    Token: SeDebugPrivilege | 98652 | powershell.exe

Suspicious use of WriteProcessMemory (26 IoCs; identical rows collapsed, count in last column)
    description | pid | Process | procid_target | entries
    PID 1728 wrote to memory of 98396 | 1728 | a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe | 29 | 6
    PID 98396 wrote to memory of 98460 | 98396 | vbc.exe | 30 | 4
    PID 98460 wrote to memory of 98484 | 98460 | cmd.exe | 32 | 4
    PID 98460 wrote to memory of 98496 | 98460 | cmd.exe | 33 | 4
    PID 98460 wrote to memory of 98592 | 98460 | cmd.exe | 34 | 4
    PID 98460 wrote to memory of 98652 | 98460 | cmd.exe | 35 | 4
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe"
    PID: 1728
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        PID: 98396
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
            PID: 98460
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\chcp.com
                Command line: chcp 1251
                PID: 98484

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
                PID: 98496
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
                PID: 98592
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
                PID: 98652
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: 20d2985e1e9bf188106b9983c86516bf
    SHA1: 330ceee3ce4f519a51492e75c7b579d8a7e6ce38
    SHA256: da6bc76735e34b6e483e75b4079ee9605cbed834a2159dde933a94d587872d30
    SHA512: b5a7f6015e09bb7ebbb638be51572930a3a7ba94c8c1dfd8698c03923416cf3739f2e1f584e7ed7589fd5061cc677561300170cf455fca617ee3b596e0849bac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize: 7KB
    MD5: e140b0ca2c97b6213ac49f3c1a5b3819
    SHA1: 32919b8be2fa342d5e70042eaf8e3e5438933b00
    SHA256: 633ef1a5bf341a4fc2b1f32b179da3d9425a44f0cd1b115c1422f403d81bff06
    SHA512: dd6369b00fa44317ddd640065f843ff938a989566e735a0767a1563b59b91b0db88f06102410413e44bd00b9c9404917c22feb8496f3fbc4bf6b34215db9e2a0