6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57

General

Target

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
Size

322KB
MD5

60ed5a19cb1e429e27a49ac1cecc1199
SHA1

96c0e8775887e85e9ecd0137d120e70da447c00d
SHA256

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57
SHA512

99304365ddee503eba659022dc13e56643c5d3d19a07f85ae8b61122d744b8b2e798d9fd3528ae5325c931efbfba876063af5b1d61b0093c681d8189471d3630
SSDEEP

6144:tp+HhQ7fH9gH/MaQojHY5LYwBgY3xbimcDbcDF82xrjTswnowIa:tp+HhQJiMhsHYPSigmcDbCF82RTTow

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"	vbc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"	vbc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1968-56-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1968-58-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1968-59-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1968-62-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1968-63-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral1/memory/1968-77-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe

description	pid	process	target process
PID 2040 set thread context of 1968	2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

vbc.exe

description ioc process

File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe vbc.exe
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

924 reg.exe
1324 reg.exe
1040 reg.exe
1092 reg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	vbc.exe

pid	process
924	reg.exe
1324	reg.exe
1040	reg.exe
1092	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe

pid	process
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
Token: 1	1968	vbc.exe
Token: SeCreateTokenPrivilege	1968	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1968	vbc.exe
Token: SeLockMemoryPrivilege	1968	vbc.exe
Token: SeIncreaseQuotaPrivilege	1968	vbc.exe
Token: SeMachineAccountPrivilege	1968	vbc.exe
Token: SeTcbPrivilege	1968	vbc.exe
Token: SeSecurityPrivilege	1968	vbc.exe
Token: SeTakeOwnershipPrivilege	1968	vbc.exe
Token: SeLoadDriverPrivilege	1968	vbc.exe
Token: SeSystemProfilePrivilege	1968	vbc.exe
Token: SeSystemtimePrivilege	1968	vbc.exe
Token: SeProfSingleProcessPrivilege	1968	vbc.exe
Token: SeIncBasePriorityPrivilege	1968	vbc.exe
Token: SeCreatePagefilePrivilege	1968	vbc.exe
Token: SeCreatePermanentPrivilege	1968	vbc.exe
Token: SeBackupPrivilege	1968	vbc.exe
Token: SeRestorePrivilege	1968	vbc.exe
Token: SeShutdownPrivilege	1968	vbc.exe
Token: SeDebugPrivilege	1968	vbc.exe
Token: SeAuditPrivilege	1968	vbc.exe
Token: SeSystemEnvironmentPrivilege	1968	vbc.exe
Token: SeChangeNotifyPrivilege	1968	vbc.exe
Token: SeRemoteShutdownPrivilege	1968	vbc.exe
Token: SeUndockPrivilege	1968	vbc.exe
Token: SeSyncAgentPrivilege	1968	vbc.exe
Token: SeEnableDelegationPrivilege	1968	vbc.exe
Token: SeManageVolumePrivilege	1968	vbc.exe
Token: SeImpersonatePrivilege	1968	vbc.exe
Token: SeCreateGlobalPrivilege	1968	vbc.exe
Token: 31	1968	vbc.exe
Token: 32	1968	vbc.exe
Token: 33	1968	vbc.exe
Token: 34	1968	vbc.exe
Token: 35	1968	vbc.exe
Token: SeDebugPrivilege	1968	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

vbc.exe

pid process

1968 vbc.exe
1968 vbc.exe
1968 vbc.exe
1968 vbc.exe

pid	process
1968	vbc.exe
1968	vbc.exe
1968	vbc.exe
1968	vbc.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exevbc.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 1968	2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 2040 wrote to memory of 1968	2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 2040 wrote to memory of 1968	2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 2040 wrote to memory of 1968	2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 2040 wrote to memory of 1968	2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 2040 wrote to memory of 1968	2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 2040 wrote to memory of 1968	2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 2040 wrote to memory of 1968	2040	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 1968 wrote to memory of 336	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 336	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 336	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 336	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1508	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1508	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1508	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1508	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1976	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1976	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1976	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1976	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1868	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1868	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1868	1968	vbc.exe	cmd.exe
PID 1968 wrote to memory of 1868	1968	vbc.exe	cmd.exe
PID 336 wrote to memory of 1040	336	cmd.exe	reg.exe
PID 336 wrote to memory of 1040	336	cmd.exe	reg.exe
PID 336 wrote to memory of 1040	336	cmd.exe	reg.exe
PID 336 wrote to memory of 1040	336	cmd.exe	reg.exe
PID 1976 wrote to memory of 1092	1976	cmd.exe	reg.exe
PID 1976 wrote to memory of 1092	1976	cmd.exe	reg.exe
PID 1976 wrote to memory of 1092	1976	cmd.exe	reg.exe
PID 1976 wrote to memory of 1092	1976	cmd.exe	reg.exe
PID 1508 wrote to memory of 924	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 924	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 924	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 924	1508	cmd.exe	reg.exe
PID 1868 wrote to memory of 1324	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 1324	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 1324	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 1324	1868	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
"C:\Users\Admin\AppData\Local\Temp\6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:924

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1092

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-69-0x0000000000000000-mapping.dmp

Download
memory/924-75-0x0000000000000000-mapping.dmp

Download
memory/1040-73-0x0000000000000000-mapping.dmp

Download
memory/1092-74-0x0000000000000000-mapping.dmp

Download
memory/1324-76-0x0000000000000000-mapping.dmp

Download
memory/1508-70-0x0000000000000000-mapping.dmp

Download
memory/1868-72-0x0000000000000000-mapping.dmp

Download
memory/1968-59-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1968-63-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1968-62-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1968-60-0x00000000004792B0-mapping.dmp

Download
memory/1968-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1968-56-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1968-55-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1968-77-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1976-71-0x0000000000000000-mapping.dmp

Download
memory/2040-65-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads