82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3

General

Target

82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe
Size

1.3MB
MD5

31bf01bc8823907bf30c5e69a9b49dbf
SHA1

42612c77be0a167d5125dd4c5f4efc9527e77e8b
SHA256

82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3
SHA512

830f1aa7fa742cea0b461678ada7fde6718f4a972076713655cf940af16f0f2141b268074d7291ccb8f6b912b98190630cf2215f6fa745546506efdbdfbb52f2
SSDEEP

24576:8IfRiOOA3tvjc/9BI0h1eLHXaglJdaCFPzCvJFr6tF:8I5NVE9+2glJYCF7U+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1696 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe

pid process

1672 82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1696	vbc.exe

pid	process
1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\frgot = "C:\\Users\\Admin\\AppData\\Roaming\\frgot.exe"	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe

description	pid	process	target process
PID 1672 set thread context of 1696	1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe	vbc.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f7b6cea8f846b48bf04fb9041fa9fab0000000002000000000010660000000100002000000052b5b0c8ab3d2459b2e0666bf482f10c265484093215bba9f43ca6dccccbb0d4000000000e8000000002000020000000b84bcd8aeb9e02452406cd39f391043b2fc596c1565491cc12fc7f63cc5381652000000055d1972a5da52f231e7f87277a5b088b7348280e0cc444cb0467b25489d337114000000013716dee8ea4574851a12d0a4068cee294507386cc6ed79c1e6bf50587e87898c60cdd073f85aaf1ce9fde8d6a4a9691635b2dceafd5e49fe7bf917cdef5002a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0A36E61-7303-11ED-84FB-6AB3F8C7EA51} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f7b6cea8f846b48bf04fb9041fa9fab000000000200000000001066000000010000200000007196e6795f02c6135ea657e3a5c3581e554365d42fc7f51945a19596d2d49b03000000000e80000000020000200000000cad244258488cf74e4239a586e1e7bd9010f4bf0711162bebc983021cb9224790000000c07b954508eb6d5c5447ca41284df878f6652b6523b096687d7eba315d28ea1a14b65a7302f532dacf5baed20e64b7ed352463971099b8bf81c0f86543580d2afe3bca7988c2a1572e9aa40a7b7402bce97a33dc0fa6c32c39520696b54440bced7c596bc729f2aa358d7fa936e87d98d06717740a5afe4b01404a68ebf0ae80528812793acfbc18ae0d27db119e44e0400000001c0c3a00d89e6c60488f4d7e81e787ca4c77f3615f31d270b3d82a104bbaaa00f9cccee4a97c68a3e7d065b2d01df57849fce6ff627446fae83099ba443e2e57	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103781db1007d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376834605"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

280 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

280 iexplore.exe
280 iexplore.exe
1012 IEXPLORE.EXE
1012 IEXPLORE.EXE
1012 IEXPLORE.EXE
1012 IEXPLORE.EXE

pid	process
280	iexplore.exe

pid	process
280	iexplore.exe
280	iexplore.exe
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exevbc.exeiexplore.exe

description	pid	process	target process
PID 1672 wrote to memory of 1696	1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe	vbc.exe
PID 1672 wrote to memory of 1696	1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe	vbc.exe
PID 1672 wrote to memory of 1696	1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe	vbc.exe
PID 1672 wrote to memory of 1696	1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe	vbc.exe
PID 1672 wrote to memory of 1696	1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe	vbc.exe
PID 1672 wrote to memory of 1696	1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe	vbc.exe
PID 1672 wrote to memory of 1696	1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe	vbc.exe
PID 1672 wrote to memory of 1696	1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe	vbc.exe
PID 1672 wrote to memory of 1696	1672	82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe	vbc.exe
PID 1696 wrote to memory of 280	1696	vbc.exe	iexplore.exe
PID 1696 wrote to memory of 280	1696	vbc.exe	iexplore.exe
PID 1696 wrote to memory of 280	1696	vbc.exe	iexplore.exe
PID 1696 wrote to memory of 280	1696	vbc.exe	iexplore.exe
PID 280 wrote to memory of 1012	280	iexplore.exe	IEXPLORE.EXE
PID 280 wrote to memory of 1012	280	iexplore.exe	IEXPLORE.EXE
PID 280 wrote to memory of 1012	280	iexplore.exe	IEXPLORE.EXE
PID 280 wrote to memory of 1012	280	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe
"C:\Users\Admin\AppData\Local\Temp\82ef9e9640e1d6dd8e77c30bbcf58536492faa9851744d602f8f354231cbdfa3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe
C:\Users\Admin\AppData\Local\Temp\\plugtemp\vbc.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=vbc.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:280

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:280 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X03NXUXX.txt
Filesize
535B

MD5
523152f361f181ff1985f1101dc2d99e

SHA1
36a11af471b266f404831f3b10aad48e14c032b1

SHA256
ad1da3d74b51b120eea274b352c50aa03ea153a7d37a91077e2567336c8463fe

SHA512
b0198f5d65d1994c0986220c0f820f7f36393ca708a9c8045eef887375d1c238ad07aedb1834ad49e176e4a5dc489be179ee693f28dce73d20064e941be3ddf1

Download Submit
\Users\Admin\AppData\Local\Temp\plugtemp\vbc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1672-55-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-57-0x0000000000106000-0x0000000000117000-memory.dmp

Filesize
68KB

Download
memory/1672-69-0x0000000000106000-0x0000000000117000-memory.dmp

Filesize
68KB

Download
memory/1672-67-0x0000000074740000-0x0000000074CEB000-memory.dmp

Filesize
5.7MB

Download
memory/1672-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1696-64-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/1696-65-0x000000000040FC86-mapping.dmp

Download
memory/1696-63-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/1696-70-0x0000000000402000-0x000000000040FE00-memory.dmp

Filesize
55KB

Download
memory/1696-61-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/1696-71-0x0000000000402000-0x000000000040FE00-memory.dmp

Filesize
55KB

Download
memory/1696-59-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/1696-58-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads