Analysis
- max time kernel: 164s
- max time network: 194s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 22:38
Static task: static1
Behavioral task: behavioral1
- Sample: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
- Resource: win10v2004-20220901-en
General
- Target: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
- Size: 322KB
- MD5: 60ed5a19cb1e429e27a49ac1cecc1199
- SHA1: 96c0e8775887e85e9ecd0137d120e70da447c00d
- SHA256: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57
- SHA512: 99304365ddee503eba659022dc13e56643c5d3d19a07f85ae8b61122d744b8b2e798d9fd3528ae5325c931efbfba876063af5b1d61b0093c681d8189471d3630
- SSDEEP: 6144:tp+HhQ7fH9gH/MaQojHY5LYwBgY3xbimcDbcDF82xrjTswnowIa:tp+HhQJiMhsHYPSigmcDbCF82RTTow
Malware Config
Signatures
- Modifies firewall policy service (2 TTPs, 8 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe" | vbc.exe
- Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F} | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe" | vbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe" | vbc.exe
Processes:
resource | yara_rule
behavioral1/memory/1968-56-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral1/memory/1968-58-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral1/memory/1968-59-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral1/memory/1968-62-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral1/memory/1968-63-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral1/memory/1968-77-0x0000000000400000-0x000000000047B000-memory.dmp | upx
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe" | vbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe" | vbc.exe
- Suspicious use of SetThreadContext (1 IoCs)
Processes: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
description | pid | process | target process
PID 2040 set thread context of 1968 | 2040 | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe | vbc.exe
- Drops file in Windows directory (1 IoCs)
Processes: vbc.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | vbc.exe
- Modifies registry key (1 TTPs, 4 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
pid | process
924 | reg.exe
1324 | reg.exe
1040 | reg.exe
1092 | reg.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
pid | process
2040 | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
Processes: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe, vbc.exe
description | pid | process
Token: SeDebugPrivilege | 2040 | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
Token: 1 | 1968 | vbc.exe
Token: SeCreateTokenPrivilege | 1968 | vbc.exe
Token: SeAssignPrimaryTokenPrivilege | 1968 | vbc.exe
Token: SeLockMemoryPrivilege | 1968 | vbc.exe
Token: SeIncreaseQuotaPrivilege | 1968 | vbc.exe
Token: SeMachineAccountPrivilege | 1968 | vbc.exe
Token: SeTcbPrivilege | 1968 | vbc.exe
Token: SeSecurityPrivilege | 1968 | vbc.exe
Token: SeTakeOwnershipPrivilege | 1968 | vbc.exe
Token: SeLoadDriverPrivilege | 1968 | vbc.exe
Token: SeSystemProfilePrivilege | 1968 | vbc.exe
Token: SeSystemtimePrivilege | 1968 | vbc.exe
Token: SeProfSingleProcessPrivilege | 1968 | vbc.exe
Token: SeIncBasePriorityPrivilege | 1968 | vbc.exe
Token: SeCreatePagefilePrivilege | 1968 | vbc.exe
Token: SeCreatePermanentPrivilege | 1968 | vbc.exe
Token: SeBackupPrivilege | 1968 | vbc.exe
Token: SeRestorePrivilege | 1968 | vbc.exe
Token: SeShutdownPrivilege | 1968 | vbc.exe
Token: SeDebugPrivilege | 1968 | vbc.exe
Token: SeAuditPrivilege | 1968 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 1968 | vbc.exe
Token: SeChangeNotifyPrivilege | 1968 | vbc.exe
Token: SeRemoteShutdownPrivilege | 1968 | vbc.exe
Token: SeUndockPrivilege | 1968 | vbc.exe
Token: SeSyncAgentPrivilege | 1968 | vbc.exe
Token: SeEnableDelegationPrivilege | 1968 | vbc.exe
Token: SeManageVolumePrivilege | 1968 | vbc.exe
Token: SeImpersonatePrivilege | 1968 | vbc.exe
Token: SeCreateGlobalPrivilege | 1968 | vbc.exe
Token: 31 | 1968 | vbc.exe
Token: 32 | 1968 | vbc.exe
Token: 33 | 1968 | vbc.exe
Token: 34 | 1968 | vbc.exe
Token: 35 | 1968 | vbc.exe
Token: SeDebugPrivilege | 1968 | vbc.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: vbc.exe
pid | process
1968 | vbc.exe (4 identical entries)
- Suspicious use of WriteProcessMemory (40 IoCs)
Processes: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe, vbc.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 2040 wrote to memory of 1968 | 2040 | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe | vbc.exe (8 identical entries)
PID 1968 wrote to memory of 336 | 1968 | vbc.exe | cmd.exe (4 identical entries)
PID 1968 wrote to memory of 1508 | 1968 | vbc.exe | cmd.exe (4 identical entries)
PID 1968 wrote to memory of 1976 | 1968 | vbc.exe | cmd.exe (4 identical entries)
PID 1968 wrote to memory of 1868 | 1968 | vbc.exe | cmd.exe (4 identical entries)
PID 336 wrote to memory of 1040 | 336 | cmd.exe | reg.exe (4 identical entries)
PID 1976 wrote to memory of 1092 | 1976 | cmd.exe | reg.exe (4 identical entries)
PID 1508 wrote to memory of 924 | 1508 | cmd.exe | reg.exe (4 identical entries)
PID 1868 wrote to memory of 1324 | 1868 | cmd.exe | reg.exe (4 identical entries)
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
Downloads
- memory/336-69-0x0000000000000000-mapping.dmp
- memory/924-75-0x0000000000000000-mapping.dmp
- memory/1040-73-0x0000000000000000-mapping.dmp
- memory/1092-74-0x0000000000000000-mapping.dmp
- memory/1324-76-0x0000000000000000-mapping.dmp
- memory/1508-70-0x0000000000000000-mapping.dmp
- memory/1868-72-0x0000000000000000-mapping.dmp
- memory/1968-59-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
- memory/1968-63-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
- memory/1968-62-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
- memory/1968-60-0x00000000004792B0-mapping.dmp
- memory/1968-58-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
- memory/1968-56-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
- memory/1968-55-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
- memory/1968-77-0x0000000000400000-0x000000000047B000-memory.dmp (Filesize 492KB)
- memory/1976-71-0x0000000000000000-mapping.dmp
- memory/2040-65-0x0000000074120000-0x00000000746CB000-memory.dmp (Filesize 5.7MB)
- memory/2040-54-0x0000000075D61000-0x0000000075D63000-memory.dmp (Filesize 8KB)