6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57

General

Target

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
Size

322KB
MD5

60ed5a19cb1e429e27a49ac1cecc1199
SHA1

96c0e8775887e85e9ecd0137d120e70da447c00d
SHA256

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57
SHA512

99304365ddee503eba659022dc13e56643c5d3d19a07f85ae8b61122d744b8b2e798d9fd3528ae5325c931efbfba876063af5b1d61b0093c681d8189471d3630
SSDEEP

6144:tp+HhQ7fH9gH/MaQojHY5LYwBgY3xbimcDbcDF82xrjTswnowIa:tp+HhQJiMhsHYPSigmcDbCF82RTTow

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"	vbc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}	vbc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3780-134-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/3780-136-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/3780-137-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/3780-150-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	vbc.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe

description	pid	process	target process
PID 3540 set thread context of 3780	3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe

Drops file in Windows directory 4 IoCs

Processes:

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exevbc.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
File created	C:\Windows\assembly\Desktop.ini	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	vbc.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

3652 reg.exe
4584 reg.exe
2400 reg.exe
3556 reg.exe

pid	process
3652	reg.exe
4584	reg.exe
2400	reg.exe
3556	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe

pid	process
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
Token: 1	3780	vbc.exe
Token: SeCreateTokenPrivilege	3780	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	3780	vbc.exe
Token: SeLockMemoryPrivilege	3780	vbc.exe
Token: SeIncreaseQuotaPrivilege	3780	vbc.exe
Token: SeMachineAccountPrivilege	3780	vbc.exe
Token: SeTcbPrivilege	3780	vbc.exe
Token: SeSecurityPrivilege	3780	vbc.exe
Token: SeTakeOwnershipPrivilege	3780	vbc.exe
Token: SeLoadDriverPrivilege	3780	vbc.exe
Token: SeSystemProfilePrivilege	3780	vbc.exe
Token: SeSystemtimePrivilege	3780	vbc.exe
Token: SeProfSingleProcessPrivilege	3780	vbc.exe
Token: SeIncBasePriorityPrivilege	3780	vbc.exe
Token: SeCreatePagefilePrivilege	3780	vbc.exe
Token: SeCreatePermanentPrivilege	3780	vbc.exe
Token: SeBackupPrivilege	3780	vbc.exe
Token: SeRestorePrivilege	3780	vbc.exe
Token: SeShutdownPrivilege	3780	vbc.exe
Token: SeDebugPrivilege	3780	vbc.exe
Token: SeAuditPrivilege	3780	vbc.exe
Token: SeSystemEnvironmentPrivilege	3780	vbc.exe
Token: SeChangeNotifyPrivilege	3780	vbc.exe
Token: SeRemoteShutdownPrivilege	3780	vbc.exe
Token: SeUndockPrivilege	3780	vbc.exe
Token: SeSyncAgentPrivilege	3780	vbc.exe
Token: SeEnableDelegationPrivilege	3780	vbc.exe
Token: SeManageVolumePrivilege	3780	vbc.exe
Token: SeImpersonatePrivilege	3780	vbc.exe
Token: SeCreateGlobalPrivilege	3780	vbc.exe
Token: 31	3780	vbc.exe
Token: 32	3780	vbc.exe
Token: 33	3780	vbc.exe
Token: 34	3780	vbc.exe
Token: 35	3780	vbc.exe
Token: SeDebugPrivilege	3780	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

vbc.exe

pid process

3780 vbc.exe
3780 vbc.exe
3780 vbc.exe
3780 vbc.exe

pid	process
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe
3780	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exevbc.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3540 wrote to memory of 3780	3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 3540 wrote to memory of 3780	3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 3540 wrote to memory of 3780	3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 3540 wrote to memory of 3780	3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 3540 wrote to memory of 3780	3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 3540 wrote to memory of 3780	3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 3540 wrote to memory of 3780	3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 3540 wrote to memory of 3780	3540	6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe	vbc.exe
PID 3780 wrote to memory of 3932	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 3932	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 3932	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 4508	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 4508	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 4508	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 2952	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 2952	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 2952	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 1092	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 1092	3780	vbc.exe	cmd.exe
PID 3780 wrote to memory of 1092	3780	vbc.exe	cmd.exe
PID 3932 wrote to memory of 3652	3932	cmd.exe	reg.exe
PID 3932 wrote to memory of 3652	3932	cmd.exe	reg.exe
PID 3932 wrote to memory of 3652	3932	cmd.exe	reg.exe
PID 1092 wrote to memory of 4584	1092	cmd.exe	reg.exe
PID 1092 wrote to memory of 4584	1092	cmd.exe	reg.exe
PID 1092 wrote to memory of 4584	1092	cmd.exe	reg.exe
PID 2952 wrote to memory of 2400	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 2400	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 2400	2952	cmd.exe	reg.exe
PID 4508 wrote to memory of 3556	4508	cmd.exe	reg.exe
PID 4508 wrote to memory of 3556	4508	cmd.exe	reg.exe
PID 4508 wrote to memory of 3556	4508	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
"C:\Users\Admin\AppData\Local\Temp\6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:3652

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:3556

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:4584

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:2400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-145-0x0000000000000000-mapping.dmp

Download
memory/2400-148-0x0000000000000000-mapping.dmp

Download
memory/2952-144-0x0000000000000000-mapping.dmp

Download
memory/3540-139-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3540-132-0x00000000753C0000-0x0000000075971000-memory.dmp

Filesize
5.7MB

Download
memory/3556-149-0x0000000000000000-mapping.dmp

Download
memory/3652-146-0x0000000000000000-mapping.dmp

Download
memory/3780-133-0x0000000000000000-mapping.dmp

Download
memory/3780-134-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3780-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3780-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3780-150-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3932-142-0x0000000000000000-mapping.dmp

Download
memory/4508-143-0x0000000000000000-mapping.dmp

Download
memory/4584-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads