57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470

General

Target

57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe
Size

90KB
MD5

a422ccb7278ddf149d064c32e229ef0a
SHA1

e8bda017353460b535eaf2fb9d5a31400471a552
SHA256

57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470
SHA512

f8410dd9470b1ab9e0415a83026c52d91f06fc6a94b1632cc1566c939769eb2bea96068fc01227e654077de32376855dafd74e568aa14f770883be8a7b56c715
SSDEEP

1536:VrNmxa47ML43F0j2uv+8rUGR49cSSSSSPSSSSyM7tba/VFdSSSSSSSSSSSSSaeUU:VwEcMk10jxv+8QGR/SSSSSPSSSSyMZOA

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\22119 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\mstiukfqw.bat"	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\system32\\svchost.exe"	57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	vbc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 796	2040	57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe	28

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\mstiukfqw.bat	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\vbc.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
796	vbc.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
796	vbc.exe
796	vbc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 796	2040	57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe	28
PID 2040 wrote to memory of 796	2040	57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe	28
PID 2040 wrote to memory of 796	2040	57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe	28
PID 2040 wrote to memory of 796	2040	57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe	28
PID 2040 wrote to memory of 796	2040	57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe	28
PID 2040 wrote to memory of 796	2040	57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe	28
PID 2040 wrote to memory of 796	2040	57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe	28
PID 796 wrote to memory of 760	796	vbc.exe	29
PID 796 wrote to memory of 760	796	vbc.exe	29
PID 796 wrote to memory of 760	796	vbc.exe	29
PID 796 wrote to memory of 760	796	vbc.exe	29

C:\Users\Admin\AppData\Local\Temp\57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe
"C:\Users\Admin\AppData\Local\Temp\57cc0a186a804d2acf1957406f8c738642b63a9178e9ac0c227c12331794a470.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\syswow64\svchost.exe
    C:\Windows\syswow64\svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-67-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/760-66-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/760-65-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/796-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/796-59-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/796-62-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2040-54-0x0000000000C50000-0x0000000000C6C000-memory.dmp

Filesize
112KB

Download
memory/2040-58-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/2040-57-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2040-56-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2040-55-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads