8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74

General

Target

8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe
Size

1.4MB
MD5

88ff858fbf8ce54b768251482847d93f
SHA1

f8584a80e775b2405012d2b1e11a0329b62ae726
SHA256

8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74
SHA512

fef48aa401736f57d681500413b8d7ae2905504e43cdf55d98213ef0cdf870660e5e54e1b4a2fca2472ba75a812b017896301c1678ef7f4c49fb06a6bd0dfc6d
SSDEEP

24576:bdzclqN0oM7izRiDK8JKCT4EgDVVwIaoYyGSaci34gZ3:J5NcizRitK64EgDVVwIXYvSri3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4828	vbc.exe
1224	lampada.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	vbc.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1576 set thread context of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4188	4828	WerFault.exe	79

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 1576 wrote to memory of 4828	1576	8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe	79
PID 4828 wrote to memory of 1224	4828	vbc.exe	80
PID 4828 wrote to memory of 1224	4828	vbc.exe	80
PID 4828 wrote to memory of 1224	4828	vbc.exe	80

C:\Users\Admin\AppData\Local\Temp\8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe
"C:\Users\Admin\AppData\Local\Temp\8ce5f15cb9493099cbad51f79f7a559bc4af34723f7a078fce01e73ba967ed74.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\lampada.exe
    "C:\Users\Admin\AppData\Local\Temp\lampada.exe"
    3⤵
    - Executes dropped EXE
    PID:1224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 856
    3⤵
    - Program crash
    PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4828 -ip 4828
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lampada.exe

Filesize
842KB

MD5
2e74069ae0496d2ce69e6564a8e517f6

SHA1
b1e42e7d30b73c82d643d4c855a4efe443e6533c

SHA256
9243b704cf770e28fff1bb93f86df4bea94ca21faedaa8a5185469ee5d16920b

SHA512
e03efa86db8344fee02804d6d9ff3192869b5b53288d65299aede8e5715dd4b40c4618586638ed954a70f51d9b9535a81766e32df6f8125f80acd73dc55837c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lampada.exe

Filesize
842KB

MD5
2e74069ae0496d2ce69e6564a8e517f6

SHA1
b1e42e7d30b73c82d643d4c855a4efe443e6533c

SHA256
9243b704cf770e28fff1bb93f86df4bea94ca21faedaa8a5185469ee5d16920b

SHA512
e03efa86db8344fee02804d6d9ff3192869b5b53288d65299aede8e5715dd4b40c4618586638ed954a70f51d9b9535a81766e32df6f8125f80acd73dc55837c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1224-140-0x0000000000000000-mapping.dmp

Download
memory/1576-133-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1576-143-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4828-134-0x0000000000000000-mapping.dmp

Download
memory/4828-135-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4828-138-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4828-139-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing