ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f

Analysis

max time kernel
153s
max time network
75s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 10:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe
Size

204KB
MD5

fa59a259e3eb6337b88a3250c816eeae
SHA1

a260669ffd8009753192f571139c7a821bd67ea5
SHA256

ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f
SHA512

8c6f9cbc7dc612292b63f3d0915e217680611f61727e4dfe83747541b69933b43601bb585091e75ed6b1b16ca894bb42134941fd97043b43dae314b9ca5469ec
SSDEEP

6144:uHg62qkGoCBSwkt2PX21ExT5HhukX/2JfPL9:+nOGkwxf2gfP

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winp.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winp.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2032-61-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2032-63-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2032-64-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2032-68-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2032-69-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2032-78-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2032-83-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe
1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe
1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe = "C:\\Users\\Admin\\AppData\\Roaming\\xJrqeeGOaDWCZrErpjCy\\xJrqeeGOaDWCZrErpjCy\\0.0.0.0\\ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe"	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1772 set thread context of 2032	1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe	28

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
1540	reg.exe
1520	reg.exe
280	reg.exe
1416	reg.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: 1	2032	vbc.exe
Token: SeCreateTokenPrivilege	2032	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2032	vbc.exe
Token: SeLockMemoryPrivilege	2032	vbc.exe
Token: SeIncreaseQuotaPrivilege	2032	vbc.exe
Token: SeMachineAccountPrivilege	2032	vbc.exe
Token: SeTcbPrivilege	2032	vbc.exe
Token: SeSecurityPrivilege	2032	vbc.exe
Token: SeTakeOwnershipPrivilege	2032	vbc.exe
Token: SeLoadDriverPrivilege	2032	vbc.exe
Token: SeSystemProfilePrivilege	2032	vbc.exe
Token: SeSystemtimePrivilege	2032	vbc.exe
Token: SeProfSingleProcessPrivilege	2032	vbc.exe
Token: SeIncBasePriorityPrivilege	2032	vbc.exe
Token: SeCreatePagefilePrivilege	2032	vbc.exe
Token: SeCreatePermanentPrivilege	2032	vbc.exe
Token: SeBackupPrivilege	2032	vbc.exe
Token: SeRestorePrivilege	2032	vbc.exe
Token: SeShutdownPrivilege	2032	vbc.exe
Token: SeDebugPrivilege	2032	vbc.exe
Token: SeAuditPrivilege	2032	vbc.exe
Token: SeSystemEnvironmentPrivilege	2032	vbc.exe
Token: SeChangeNotifyPrivilege	2032	vbc.exe
Token: SeRemoteShutdownPrivilege	2032	vbc.exe
Token: SeUndockPrivilege	2032	vbc.exe
Token: SeSyncAgentPrivilege	2032	vbc.exe
Token: SeEnableDelegationPrivilege	2032	vbc.exe
Token: SeManageVolumePrivilege	2032	vbc.exe
Token: SeImpersonatePrivilege	2032	vbc.exe
Token: SeCreateGlobalPrivilege	2032	vbc.exe
Token: 31	2032	vbc.exe
Token: 32	2032	vbc.exe
Token: 33	2032	vbc.exe
Token: 34	2032	vbc.exe
Token: 35	2032	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2032	vbc.exe
2032	vbc.exe
2032	vbc.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2032	1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe	28
PID 1772 wrote to memory of 2032	1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe	28
PID 1772 wrote to memory of 2032	1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe	28
PID 1772 wrote to memory of 2032	1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe	28
PID 1772 wrote to memory of 2032	1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe	28
PID 1772 wrote to memory of 2032	1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe	28
PID 1772 wrote to memory of 2032	1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe	28
PID 1772 wrote to memory of 2032	1772	ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe	28
PID 2032 wrote to memory of 1908	2032	vbc.exe	29
PID 2032 wrote to memory of 1908	2032	vbc.exe	29
PID 2032 wrote to memory of 1908	2032	vbc.exe	29
PID 2032 wrote to memory of 1908	2032	vbc.exe	29
PID 2032 wrote to memory of 676	2032	vbc.exe	35
PID 2032 wrote to memory of 676	2032	vbc.exe	35
PID 2032 wrote to memory of 676	2032	vbc.exe	35
PID 2032 wrote to memory of 676	2032	vbc.exe	35
PID 2032 wrote to memory of 1748	2032	vbc.exe	34
PID 2032 wrote to memory of 1748	2032	vbc.exe	34
PID 2032 wrote to memory of 1748	2032	vbc.exe	34
PID 2032 wrote to memory of 1748	2032	vbc.exe	34
PID 2032 wrote to memory of 1808	2032	vbc.exe	33
PID 2032 wrote to memory of 1808	2032	vbc.exe	33
PID 2032 wrote to memory of 1808	2032	vbc.exe	33
PID 2032 wrote to memory of 1808	2032	vbc.exe	33
PID 1748 wrote to memory of 1416	1748	cmd.exe	37
PID 1748 wrote to memory of 1416	1748	cmd.exe	37
PID 1748 wrote to memory of 1416	1748	cmd.exe	37
PID 1748 wrote to memory of 1416	1748	cmd.exe	37
PID 1908 wrote to memory of 1520	1908	cmd.exe	39
PID 1908 wrote to memory of 1520	1908	cmd.exe	39
PID 1908 wrote to memory of 1520	1908	cmd.exe	39
PID 1908 wrote to memory of 1520	1908	cmd.exe	39
PID 1808 wrote to memory of 1540	1808	cmd.exe	38
PID 1808 wrote to memory of 1540	1808	cmd.exe	38
PID 1808 wrote to memory of 1540	1808	cmd.exe	38
PID 1808 wrote to memory of 1540	1808	cmd.exe	38
PID 676 wrote to memory of 280	676	cmd.exe	40
PID 676 wrote to memory of 280	676	cmd.exe	40
PID 676 wrote to memory of 280	676	cmd.exe	40
PID 676 wrote to memory of 280	676	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe
"C:\Users\Admin\AppData\Local\Temp\ffb96fdd94721e0eae014e3762dc75510ca0bba187ee5ddbe14f321bce7aa60f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winp.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winp.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winp.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winp.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\kernel32.dll

Filesize
18KB

MD5
51146df205b18e6eca74f5ffcb47eb15

SHA1
0ed623620ee8bc3714574dbaeddf43969315a675

SHA256
5249d995c02e581e0cce9dc2b54924978ca0de7d169770cb14d42efd5ba0d011

SHA512
2f7f7de728b4b7c924888bd62018f737f2b867fe7ffbbe6223cdb7a531b1897388e2f75b79c22c137fd3c771d19658fd6c769b60e0d6fb6b564a20f2fff3c8ad

Download Submit
\Users\Admin\AppData\Local\Temp\kernel32.dll

Filesize
18KB

MD5
51146df205b18e6eca74f5ffcb47eb15

SHA1
0ed623620ee8bc3714574dbaeddf43969315a675

SHA256
5249d995c02e581e0cce9dc2b54924978ca0de7d169770cb14d42efd5ba0d011

SHA512
2f7f7de728b4b7c924888bd62018f737f2b867fe7ffbbe6223cdb7a531b1897388e2f75b79c22c137fd3c771d19658fd6c769b60e0d6fb6b564a20f2fff3c8ad

Download Submit
\Users\Admin\AppData\Local\Temp\kernel32.dll

Filesize
18KB

MD5
51146df205b18e6eca74f5ffcb47eb15

SHA1
0ed623620ee8bc3714574dbaeddf43969315a675

SHA256
5249d995c02e581e0cce9dc2b54924978ca0de7d169770cb14d42efd5ba0d011

SHA512
2f7f7de728b4b7c924888bd62018f737f2b867fe7ffbbe6223cdb7a531b1897388e2f75b79c22c137fd3c771d19658fd6c769b60e0d6fb6b564a20f2fff3c8ad

Download Submit
memory/1772-67-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1772-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/1772-56-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-64-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-69-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-78-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-63-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-61-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-60-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-68-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-83-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads