a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce

General

Target

a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe
Size

2.4MB
MD5

9e7ea9b64b79efe2cbfddc73d885a42f
SHA1

93414df1a44175703342e200b56822b1ee1d2bf5
SHA256

a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce
SHA512

12d60eb613ee7a9d13582db1859754231a87ecc2792297cf661adf3c8d42e9e8d29b57294b8a79e6fa30e4470d036e65a63ff75c59cf565fed56b71c982aafd2
SSDEEP

24576:BQQDQWrQDbwMxSPlFY6YKNz/bJMSOX00dr90iAJZf/j34Pkw7VceLYewl3RuQ55Z:BRDQzxSPJ9Z/D4Pb7VceCl3

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 98396	1728	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	29

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
98496	powershell.exe
98592	powershell.exe
98652	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	98496	powershell.exe
Token: SeDebugPrivilege	98396	vbc.exe
Token: SeDebugPrivilege	98592	powershell.exe
Token: SeDebugPrivilege	98652	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 98396	1728	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	29
PID 1728 wrote to memory of 98396	1728	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	29
PID 1728 wrote to memory of 98396	1728	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	29
PID 1728 wrote to memory of 98396	1728	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	29
PID 1728 wrote to memory of 98396	1728	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	29
PID 1728 wrote to memory of 98396	1728	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	29
PID 98396 wrote to memory of 98460	98396	vbc.exe	30
PID 98396 wrote to memory of 98460	98396	vbc.exe	30
PID 98396 wrote to memory of 98460	98396	vbc.exe	30
PID 98396 wrote to memory of 98460	98396	vbc.exe	30
PID 98460 wrote to memory of 98484	98460	cmd.exe	32
PID 98460 wrote to memory of 98484	98460	cmd.exe	32
PID 98460 wrote to memory of 98484	98460	cmd.exe	32
PID 98460 wrote to memory of 98484	98460	cmd.exe	32
PID 98460 wrote to memory of 98496	98460	cmd.exe	33
PID 98460 wrote to memory of 98496	98460	cmd.exe	33
PID 98460 wrote to memory of 98496	98460	cmd.exe	33
PID 98460 wrote to memory of 98496	98460	cmd.exe	33
PID 98460 wrote to memory of 98592	98460	cmd.exe	34
PID 98460 wrote to memory of 98592	98460	cmd.exe	34
PID 98460 wrote to memory of 98592	98460	cmd.exe	34
PID 98460 wrote to memory of 98592	98460	cmd.exe	34
PID 98460 wrote to memory of 98652	98460	cmd.exe	35
PID 98460 wrote to memory of 98652	98460	cmd.exe	35
PID 98460 wrote to memory of 98652	98460	cmd.exe	35
PID 98460 wrote to memory of 98652	98460	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe
"C:\Users\Admin\AppData\Local\Temp\a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:98396
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:98460
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:98484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:98496
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:98592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:98652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
20d2985e1e9bf188106b9983c86516bf

SHA1
330ceee3ce4f519a51492e75c7b579d8a7e6ce38

SHA256
da6bc76735e34b6e483e75b4079ee9605cbed834a2159dde933a94d587872d30

SHA512
b5a7f6015e09bb7ebbb638be51572930a3a7ba94c8c1dfd8698c03923416cf3739f2e1f584e7ed7589fd5061cc677561300170cf455fca617ee3b596e0849bac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e140b0ca2c97b6213ac49f3c1a5b3819

SHA1
32919b8be2fa342d5e70042eaf8e3e5438933b00

SHA256
633ef1a5bf341a4fc2b1f32b179da3d9425a44f0cd1b115c1422f403d81bff06

SHA512
dd6369b00fa44317ddd640065f843ff938a989566e735a0767a1563b59b91b0db88f06102410413e44bd00b9c9404917c22feb8496f3fbc4bf6b34215db9e2a0

Download Submit
memory/98396-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/98396-63-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/98396-62-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/98396-64-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/98396-54-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/98496-71-0x000000006F5E0000-0x000000006FB8B000-memory.dmp

Filesize
5.7MB

Download
memory/98496-70-0x000000006F5E0000-0x000000006FB8B000-memory.dmp

Filesize
5.7MB

Download
memory/98496-69-0x000000006F5E0000-0x000000006FB8B000-memory.dmp

Filesize
5.7MB

Download
memory/98592-75-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/98652-79-0x000000006F330000-0x000000006F8DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing