990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48

Analysis

max time kernel
150s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe
Size

304KB
MD5

09d48a33e0e06906e5d2491e9ade278f
SHA1

dacc469daf0fb9f12c9f2f1e37a82df76be45fb8
SHA256

990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48
SHA512

b13d85779d805f77c4f71844db9525b65ed865b91b0bb11ba94ea52cb2f76578eda2df6245af8ece8a9c6c559cca096fb7a581b54f757ceabb087ed48549c01d
SSDEEP

6144:ePFLTSg57PY2EaRp7zyCftZejPNeqeeEvLwdSH5nABQh:ePFL+a7PdzRp7zyCTesVjCB

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\taskhosts.exe = "C:\\Users\\Admin\\AppData\\Roaming\\taskhosts.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\windows live = "C:\\Users\\Admin\\AppData\\Roaming\\taskhosts.exe"	vbc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{FFEBCE9D-CE42-DEEB-BDDF-9BB529D82D2D}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\taskhosts.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFEBCE9D-CE42-DEEB-BDDF-9BB529D82D2D}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFEBCE9D-CE42-DEEB-BDDF-9BB529D82D2D}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\taskhosts.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{FFEBCE9D-CE42-DEEB-BDDF-9BB529D82D2D}	vbc.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1820-142-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/1820-145-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/1820-146-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/1820-158-0x0000000000400000-0x000000000047B000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows live = "C:\\Users\\Admin\\AppData\\Roaming\\taskhosts.exe"	vbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\windows live = "C:\\Users\\Admin\\AppData\\Roaming\\taskhosts.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 1820	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	85

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	vbc.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3644	reg.exe
4700	reg.exe
2428	reg.exe
5108	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	1820	vbc.exe
Token: SeCreateTokenPrivilege	1820	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	1820	vbc.exe
Token: SeLockMemoryPrivilege	1820	vbc.exe
Token: SeIncreaseQuotaPrivilege	1820	vbc.exe
Token: SeMachineAccountPrivilege	1820	vbc.exe
Token: SeTcbPrivilege	1820	vbc.exe
Token: SeSecurityPrivilege	1820	vbc.exe
Token: SeTakeOwnershipPrivilege	1820	vbc.exe
Token: SeLoadDriverPrivilege	1820	vbc.exe
Token: SeSystemProfilePrivilege	1820	vbc.exe
Token: SeSystemtimePrivilege	1820	vbc.exe
Token: SeProfSingleProcessPrivilege	1820	vbc.exe
Token: SeIncBasePriorityPrivilege	1820	vbc.exe
Token: SeCreatePagefilePrivilege	1820	vbc.exe
Token: SeCreatePermanentPrivilege	1820	vbc.exe
Token: SeBackupPrivilege	1820	vbc.exe
Token: SeRestorePrivilege	1820	vbc.exe
Token: SeShutdownPrivilege	1820	vbc.exe
Token: SeDebugPrivilege	1820	vbc.exe
Token: SeAuditPrivilege	1820	vbc.exe
Token: SeSystemEnvironmentPrivilege	1820	vbc.exe
Token: SeChangeNotifyPrivilege	1820	vbc.exe
Token: SeRemoteShutdownPrivilege	1820	vbc.exe
Token: SeUndockPrivilege	1820	vbc.exe
Token: SeSyncAgentPrivilege	1820	vbc.exe
Token: SeEnableDelegationPrivilege	1820	vbc.exe
Token: SeManageVolumePrivilege	1820	vbc.exe
Token: SeImpersonatePrivilege	1820	vbc.exe
Token: SeCreateGlobalPrivilege	1820	vbc.exe
Token: 31	1820	vbc.exe
Token: 32	1820	vbc.exe
Token: 33	1820	vbc.exe
Token: 34	1820	vbc.exe
Token: 35	1820	vbc.exe
Token: SeDebugPrivilege	1820	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1820	vbc.exe
1820	vbc.exe
1820	vbc.exe
1820	vbc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 3748	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	82
PID 1672 wrote to memory of 3748	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	82
PID 1672 wrote to memory of 3748	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	82
PID 3748 wrote to memory of 3400	3748	csc.exe	84
PID 3748 wrote to memory of 3400	3748	csc.exe	84
PID 3748 wrote to memory of 3400	3748	csc.exe	84
PID 1672 wrote to memory of 1820	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	85
PID 1672 wrote to memory of 1820	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	85
PID 1672 wrote to memory of 1820	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	85
PID 1672 wrote to memory of 1820	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	85
PID 1672 wrote to memory of 1820	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	85
PID 1672 wrote to memory of 1820	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	85
PID 1672 wrote to memory of 1820	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	85
PID 1672 wrote to memory of 1820	1672	990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe	85
PID 1820 wrote to memory of 2768	1820	vbc.exe	88
PID 1820 wrote to memory of 2768	1820	vbc.exe	88
PID 1820 wrote to memory of 2768	1820	vbc.exe	88
PID 1820 wrote to memory of 1252	1820	vbc.exe	89
PID 1820 wrote to memory of 1252	1820	vbc.exe	89
PID 1820 wrote to memory of 1252	1820	vbc.exe	89
PID 1820 wrote to memory of 3580	1820	vbc.exe	95
PID 1820 wrote to memory of 3580	1820	vbc.exe	95
PID 1820 wrote to memory of 3580	1820	vbc.exe	95
PID 1820 wrote to memory of 2072	1820	vbc.exe	91
PID 1820 wrote to memory of 2072	1820	vbc.exe	91
PID 1820 wrote to memory of 2072	1820	vbc.exe	91
PID 2768 wrote to memory of 3644	2768	cmd.exe	96
PID 2768 wrote to memory of 3644	2768	cmd.exe	96
PID 2768 wrote to memory of 3644	2768	cmd.exe	96
PID 3580 wrote to memory of 4700	3580	cmd.exe	97
PID 3580 wrote to memory of 4700	3580	cmd.exe	97
PID 3580 wrote to memory of 4700	3580	cmd.exe	97
PID 1252 wrote to memory of 2428	1252	cmd.exe	98
PID 1252 wrote to memory of 2428	1252	cmd.exe	98
PID 1252 wrote to memory of 2428	1252	cmd.exe	98
PID 2072 wrote to memory of 5108	2072	cmd.exe	99
PID 2072 wrote to memory of 5108	2072	cmd.exe	99
PID 2072 wrote to memory of 5108	2072	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe
"C:\Users\Admin\AppData\Local\Temp\990101a369f71b8ae608012a85420bfee85c556d4664a02515566f3d1fbb4e48.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-zeddjl_.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3970.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC396F.tmp"
    3⤵
    PID:3400
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskhosts.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskhosts.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\taskhosts.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\taskhosts.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-zeddjl_.dll

Filesize
9KB

MD5
289700bff810596df2d3e26d78f540e1

SHA1
33a686e4173c9791a17be5fa4f861845f0d30c5c

SHA256
3b586b6488082f20e9875a4c06458d5fb636c09522b705277bad5dc54cb8c883

SHA512
a017b2f8c8e5a7ff1ca395d0721676bf8b22df575375a0c6be5948e9409f7778edb7fe156fbfc74847e7c94a18bb20bab5ad912cd832ac6256238db3a2a49901

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3970.tmp

Filesize
1KB

MD5
ff59a29c8fe27598ff25f21f4840a375

SHA1
bef60c6da2827405b64d6d3534fa6e920af48c98

SHA256
6bd7ec89ce5c9120c02ddc2c95139cf7daa8657ab1548b78bc9fd1f4625bbf2d

SHA512
b72e583841a0e187af8eca35a4604a946c712d6a2d895fafe3f5d5196e643bb4e37ee652afd59b885b6ab2d5e5127f229602a0ff082b5310d7f7308e5e3dd985

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-zeddjl_.0.cs

Filesize
7KB

MD5
c79c02b8be614ba0ad11b9a2deac9067

SHA1
5338181abf8d8436df240ec8bfe8699ed40eac83

SHA256
aeb41fe4117e42c32d7c61fe9caa02f2ec937418a3ffb6ee64b5a8309e0d7b78

SHA512
4b0efe655b237185454a41c79c1b5cd9b8e80cfa36f7abb8a5d63629f400bb73d58f196584ec5421a8b2e6608b9c00d44514ada9651bcf19aea8ba4cce5b4a4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-zeddjl_.cmdline

Filesize
187B

MD5
fcf213dac473a8da26ffd4e2635542f3

SHA1
f9a4c45e189dd976b91c3c0a4d89f58239f5b4b5

SHA256
950b47288cd246bb4ff90f21c5c7d381f5ecb28b4b852a73c4747cd4b1298db9

SHA512
a2dc59c33f28d9f319a70eb2b67c0839848fbd4cb4751d7095cb5d17da5563aa5ebea328d392af8f44ba87aaf86920d522b0f665f2c62b52de44e4fee49f5392

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC396F.tmp

Filesize
652B

MD5
c10d5c41d222a9ba3d30b17fad7439b0

SHA1
67747064e5f87bb4525186f78616e757e317d5f5

SHA256
4273d088de959ef0214b0897429e6a05aa5a8d5b8231dd3aa2cb229e397e2f91

SHA512
b2499be087243154d63e4b39e1347f093f0b811bb4841594a625fd98445b9a1e9e806dd81c6a9871e86861dec3485f2f245ba4ef6c8d58aac4516eea46590270

Download Submit
memory/1672-132-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/1672-134-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/1672-144-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/1820-142-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1820-158-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1820-145-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1820-146-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads