Overview

overview

8

Static

static

winprofile

windows7-x64

8

winprofile

windows10-1703-x64

8

Analysis

  • max time kernel
    52s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    113f1373aaeefbde43b540abc97e5a07130b6e4c926c09390e1c8fdcb622baeb.exe

  • Size

    424KB

  • MD5

    23e5784ebbdc329735c7f902049b33ae

  • SHA1

    21795c04c6aaeb050e80485a740c3bd3d1a790a2

  • SHA256

    113f1373aaeefbde43b540abc97e5a07130b6e4c926c09390e1c8fdcb622baeb

  • SHA512

    e785dbad42e11cf1ce312e27acf0b21958202be48d1308bc57f065d95c71a0cf6283139ec4d9fba27a79a29a9a1f45db72b3b4f7e6aec2e9810e334286bb72f0

  • SSDEEP

    12288:Qce6k34fTqLLvvmZ9osRNoBMnJbaRCzdG01:XzWXyosRNoBUlz1

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\113f1373aaeefbde43b540abc97e5a07130b6e4c926c09390e1c8fdcb622baeb.exe
    "C:\Users\Admin\AppData\Local\Temp\113f1373aaeefbde43b540abc97e5a07130b6e4c926c09390e1c8fdcb622baeb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\ProgramData\vbc\vbc.exe
        "C:\ProgramData\vbc\vbc.exe" --run
        3⤵
        • Executes dropped EXE
        PID:464
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Security Notification Icon"
      2⤵
        PID:288
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Security Notification Icon\Windows Security Notification Icon.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:832
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Security Notification Icon\Windows Security Notification Icon.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:1900
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\113f1373aaeefbde43b540abc97e5a07130b6e4c926c09390e1c8fdcb622baeb.exe" "C:\Users\Admin\AppData\Roaming\Windows Security Notification Icon\Windows Security Notification Icon.exe"
        2⤵
          PID:1556
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {56019283-6A09-4C33-B2F4-9620522016AA} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
        1⤵
          PID:1100

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\vbc\vbc.exe
          Filesize

          2.6MB

          MD5

          1f7bccc57d21a4bfeddaafe514cfd74d

          SHA1

          4dab09179a12468cb1757cb7ca26e06d616b0a8d

          SHA256

          d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

          SHA512

          9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

          Download Submit

        • C:\ProgramData\vbc\vbc.exe
          Filesize

          2.6MB

          MD5

          1f7bccc57d21a4bfeddaafe514cfd74d

          SHA1

          4dab09179a12468cb1757cb7ca26e06d616b0a8d

          SHA256

          d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

          SHA512

          9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

          Download Submit

        • \ProgramData\vbc\vbc.exe
          Filesize

          2.6MB

          MD5

          1f7bccc57d21a4bfeddaafe514cfd74d

          SHA1

          4dab09179a12468cb1757cb7ca26e06d616b0a8d

          SHA256

          d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

          SHA512

          9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

          Download Submit

        • memory/288-77-0x0000000000000000-mapping.dmp

          Download

        • memory/464-73-0x0000000000000000-mapping.dmp

          Download

        • memory/832-78-0x0000000000000000-mapping.dmp

          Download

        • memory/1064-64-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1064-74-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1064-67-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1064-60-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1064-68-0x00000000004164DA-mapping.dmp

          Download

        • memory/1064-71-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1064-65-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1064-62-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1064-81-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1064-58-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1064-57-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1484-56-0x00000000009E0000-0x0000000000A36000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1484-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1484-54-0x00000000001C0000-0x0000000000230000-memory.dmp

          Filesize

          448KB

          Download

        • memory/1556-79-0x0000000000000000-mapping.dmp

          Download

        • memory/1900-80-0x0000000000000000-mapping.dmp

          Download