Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 22:38
Static task: static1
Behavioral task: behavioral1
  Sample: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
  Resource: win10v2004-20220901-en
General
Target: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
Size: 322KB
MD5: 60ed5a19cb1e429e27a49ac1cecc1199
SHA1: 96c0e8775887e85e9ecd0137d120e70da447c00d
SHA256: 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57
SHA512: 99304365ddee503eba659022dc13e56643c5d3d19a07f85ae8b61122d744b8b2e798d9fd3528ae5325c931efbfba876063af5b1d61b0093c681d8189471d3630
SSDEEP: 6144:tp+HhQ7fH9gH/MaQojHY5LYwBgY3xbimcDbcDF82xrjTswnowIa:tp+HhQJiMhsHYPSigmcDbCF82RTTow
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Note: the AuthorizedApplications\List value format (path:scope:Enabled:display name) is the legacy Windows XP SP2 firewall exception format, and DoNotAllowExceptions = 0 turns the exception list back on. The misspelt display name "Windows Messanger" is part of the IoC exactly as the sample writes it, not a transcription error.
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe" | vbc.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F} | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe" | vbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F} | vbc.exe
YARA rule match: upx 4 IoCs
resource | yara_rule
behavioral2/memory/3780-134-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/3780-136-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/3780-137-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/3780-150-0x0000000000400000-0x000000000047B000-memory.dmp | upx
Uses the VBS compiler for execution 1 TTPs
Note: vbc.exe is the .NET Visual Basic compiler, not a VBScript interpreter. Here it is started with no arguments, written to by its parent and has its thread context replaced (see the SetThreadContext and WriteProcessMemory rows below), which is consistent with process hollowing into a signed Microsoft binary; the upx-matching memory regions above are in that process (PID 3780).
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe" | vbc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | vbc.exe
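The firewall-policy, Policies\Explorer\run, Active Setup and Run signatures above all reduce to registry "Set value" rows. The following is an added example, not part of this report and not tria.ge's own signature logic: it parses rows in that format and flags the patterns that make these particular writes malicious rather than administrative. The input list is constructed from the report's own rows plus one constructed benign control entry (example.exe); the path markers, the system-only and developer-tool name sets, and the rule names are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Constructed from this report's "Set value" rows (same text format as the signature tables),
# plus one benign control line (example.exe) that is NOT from the report.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe:*:Enabled:Windows Messanger"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CCFCDB54-CCDF-FFEC-CDB3-AECACD685F4F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Services Host = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\svchost.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Example\example.exe = "C:\\Program Files\\Example\\example.exe:*:Enabled:Example App"',
]

# Assumptions (tune per environment): path fragments a standard user can write to ...
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# ... directories where the system binaries below legitimately live ...
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# ... an illustrative subset of names that should never run from outside SYSTEM_DIRS ...
SYSTEM_ONLY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
# ... and an illustrative subset of .NET build/host binaries with no business in a firewall allow-list.
DEV_TOOL_NAMES = {"vbc.exe", "csc.exe", "msbuild.exe", "installutil.exe", "regasm.exe"}
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "\\policies\\explorer\\run\\",
                     "\\active setup\\installed components\\")

_EVENT_RE = re.compile(r'^Set value \((?P<type>int|str)\) (?P<key>.+?) = "(?P<value>.*)"$')


@dataclass(frozen=True)
class Finding:
    rule: str
    key: str
    target: str


def parse_event(line: str):
    """Split a 'Set value (<type>) <key> = "<data>"' row; unescape doubled backslashes in the data."""
    m = _EVENT_RE.match(line)
    if not m:
        return None
    return m.group("type"), m.group("key"), m.group("value").replace("\\\\", "\\")


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def _masquerade(path: str) -> bool:
    """A system-only binary name living outside the system directories."""
    return _basename(path) in SYSTEM_ONLY_NAMES and not path.lower().startswith(SYSTEM_DIRS)


def triage(lines):
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _vtype, key, data = parsed
        klow = key.lower()
        if "\\firewallpolicy\\" in klow and klow.endswith("\\donotallowexceptions") and data == "0":
            # 0 re-enables the exception list; a locked-down profile sets this to 1.
            findings.append(Finding("firewall-exceptions-enabled", key, data))
        elif "\\firewallpolicy\\" in klow and "\\authorizedapplications\\list\\" in klow:
            # Legacy allow-list format: "<path>:<scope>:<Enabled|Disabled>:<display name>".
            # rsplit from the right so the drive-letter colon stays inside the path.
            fields = data.rsplit(":", 3)
            if len(fields) != 4:
                continue
            exe, _scope, state, _name = fields
            if state.lower() == "enabled" and _user_writable(exe):
                findings.append(Finding("firewall-exception-user-writable-path", key, exe))
            if _masquerade(exe):
                findings.append(Finding("firewall-exception-masquerade", key, exe))
            if _basename(exe) in DEV_TOOL_NAMES:
                findings.append(Finding("firewall-exception-dev-tool", key, exe))
        elif any(marker in klow for marker in AUTOSTART_MARKERS):
            if "\\active setup\\" in klow and not klow.endswith("\\stubpath"):
                continue  # under Active Setup only StubPath launches something
            target = data.strip('"')
            if _user_writable(target):
                findings.append(Finding("autostart-user-writable-path", key, target))
            if _masquerade(target):
                findings.append(Finding("autostart-masquerade", key, target))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.target}")
```

Run against the constructed rows, the control entry under Program Files produces nothing, the vbc.exe exception is caught only by the developer-tool rule, and every row that points at the AppData copy of svchost.exe trips both the user-writable-path rule and the masquerade rule. The masquerade check is deliberately name-based rather than hash-based so that it also fires on samples that drop a different binary under the same stolen name.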
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3540 set thread context of 3780 | 3540 | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe | 82
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\assembly | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
File created | C:\Windows\assembly\Desktop.ini | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | vbc.exe
Modifies registry key 1 TTPs 4 IoCs
pid | Process
3652 | reg.exe
4584 | reg.exe
2400 | reg.exe
3556 | reg.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
3540 | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe (12 identical entries)
Suspicious use of AdjustPrivilegeToken 37 IoCs
Token | pid | Process
SeDebugPrivilege | 3540 | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe
1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege (36 entries, in this order) | 3780 | vbc.exe
Note: the 36 entries for vbc.exe run in privilege LUID order (SeCreateTokenPrivilege is LUID 2, SeCreateGlobalPrivilege is LUID 30); the bare numbers are LUIDs the sandbox did not map to a name. This is the shape of a loop that tries to enable every privilege from 1 to 35 in the process token rather than a request for one specific privilege, and most of them will simply fail for a non-administrative token.
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
3780 | vbc.exe (4 identical entries)
Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target
PID 3540 wrote to memory of 3780 | 3540 | 6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe | 82 (8 entries)
PID 3780 wrote to memory of 3932 | 3780 | vbc.exe | 83 (3 entries)
PID 3780 wrote to memory of 4508 | 3780 | vbc.exe | 84 (3 entries)
PID 3780 wrote to memory of 2952 | 3780 | vbc.exe | 90 (3 entries)
PID 3780 wrote to memory of 1092 | 3780 | vbc.exe | 87 (3 entries)
PID 3932 wrote to memory of 3652 | 3932 | cmd.exe | 91 (3 entries)
PID 1092 wrote to memory of 4584 | 1092 | cmd.exe | 92 (3 entries)
PID 2952 wrote to memory of 2400 | 2952 | cmd.exe | 93 (3 entries)
PID 4508 wrote to memory of 3556 | 4508 | cmd.exe | 94 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe (PID 3540)
  command line: "C:\Users\Admin\AppData\Local\Temp\6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 3780)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Adds policy Run key to start application
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3932)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 3652)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (PID 4508)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 3556)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (PID 1092)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 4584)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (PID 2952)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe (PID 2400)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
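Each reg.exe invocation in the tree above looks like an ordinary administrative command on its own; what makes it worth an alert is its lineage: a sample under AppData\Local\Temp starts a Microsoft-signed .NET binary with no arguments, rewrites its thread context, and that binary then spawns cmd.exe to edit the firewall policy. The following is an added example, not part of this report and not tria.ge's own detection logic, that encodes that lineage reasoning over a process tree. The process list and the SetThreadContext pair are constructed from the report's Processes tree and signature rows; the user-writable path markers, the sensitive-key list and the finding names are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Image paths and command lines constructed from the Processes tree above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6c77b7e0252c173dd07ad24502a6c3f6c4ef35369960c195b8ffbd6da44a6a57.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SVC = r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\svchost.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"
FW = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
REG_CMDS = {
    3652: f'REG ADD {FW} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    3556: f'REG ADD {FW}\\AuthorizedApplications\\List /v "{VBC}" /t REG_SZ /d "{VBC}:*:Enabled:Windows Messanger" /f',
    4584: f'REG ADD {FW}\\AuthorizedApplications\\List /v "{SVC}" /t REG_SZ /d "{SVC}:*:Enabled:Windows Messanger" /f',
    2400: f'REG ADD {FW} /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


PROCESSES = [
    Proc(3540, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(3780, 3540, VBC, VBC),  # started with no arguments
    Proc(3932, 3780, CMD, "cmd /c " + REG_CMDS[3652]), Proc(3652, 3932, REG, REG_CMDS[3652]),
    Proc(4508, 3780, CMD, "cmd /c " + REG_CMDS[3556]), Proc(3556, 4508, REG, REG_CMDS[3556]),
    Proc(1092, 3780, CMD, "cmd /c " + REG_CMDS[4584]), Proc(4584, 1092, REG, REG_CMDS[4584]),
    Proc(2952, 3780, CMD, "cmd /c " + REG_CMDS[2400]), Proc(2400, 2952, REG, REG_CMDS[2400]),
]
# (source pid, target pid) from the "Suspicious use of SetThreadContext" row.
THREAD_CONTEXT = [(3540, 3780)]

# Assumptions: path fragments a standard user can write to, and registry paths whose
# modification from a script is worth a finding.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\")
SENSITIVE_KEYS = ("\\firewallpolicy\\", "\\currentversion\\run", "\\policies\\explorer\\run",
                  "\\active setup\\installed components")


def _name(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def _no_arguments(p: Proc) -> bool:
    """True when the command line is just the (optionally quoted) image path."""
    return p.cmdline.strip().strip('"').lower() == p.image.lower()


def lineage(by_pid, pid):
    """Return pids from the root ancestor down to pid (cycle-safe, stops at unknown parents)."""
    chain, seen, cur = [], set(), pid
    while cur is not None and cur in by_pid and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = by_pid[cur].ppid
    return chain[::-1]


def analyze(processes, thread_context_events):
    by_pid = {p.pid: p for p in processes}
    findings, hollowed = [], set()
    for src, dst in thread_context_events:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s is None or d is None:
            continue
        # A Windows-directory binary launched with no arguments by a user-writable parent that
        # then replaced its thread context is the classic process-hollowing shape.
        if d.image.lower().startswith("c:\\windows\\") and _no_arguments(d) and _user_writable(s.image):
            hollowed.add(dst)
            findings.append(("hollowed-system-binary", dst, [src, dst]))
    for p in processes:
        if _name(p.image) != "reg.exe":
            continue
        cl = p.cmdline.lower()
        if not (cl.startswith("reg add") and any(k in cl for k in SENSITIVE_KEYS)):
            continue
        chain = lineage(by_pid, p.pid)
        # The write inherits the suspicion of any ancestor that is hollowed or user-writable.
        if any(pid in hollowed or _user_writable(by_pid[pid].image) for pid in chain[:-1]):
            findings.append(("sensitive-reg-add-from-suspicious-lineage", p.pid, chain))
    return findings


def format_chain(processes, chain):
    by_pid = {p.pid: p for p in processes}
    return " > ".join(f"{_name(by_pid[pid].image)}({pid})" for pid in chain)


if __name__ == "__main__":
    for rule, pid, chain in analyze(PROCESSES, THREAD_CONTEXT):
        print(f"{rule:45} {format_chain(PROCESSES, chain)}")
```

On the constructed tree this yields one hollowing finding for PID 3780 and one lineage finding for each of the four reg.exe processes, each carrying the full chain (sample > vbc.exe > cmd.exe > reg.exe). Keying the reg.exe rule on ancestry rather than on the command line alone is what keeps it quiet for a genuine administrator running the same REG ADD from an interactive shell.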