0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8

General

Target

0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8_JC.exe
Size

364KB
MD5

1ebb5662a4db4d0de84de9baa6646010
SHA1

bd841ace9bde9a84951136d225d00669d6a1bb63
SHA256

0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8
SHA512

de5c474b23783f7b787df76724dd1ced35e204ad2edeea530063322774e919f5536761853cab6ab191f436e6453ada3c9b83ded380589aa411dfefdec8908afe
SSDEEP

6144:BnPdudwDs05IazU7f7ftdBuksY7j/PaeggCWrh4jCV771IsUlsbIBJsgMGfk5j/w:BnPdw05Qf7fHBu27jSQMm77aBlJslGGo

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Control Panel\International\Geo\Nation	vbyxm.exe

Executes dropped EXE 2 IoCs

pid	Process
2284	vbyxm.exe
2620	vbyxm.exe

Loads dropped DLL 3 IoCs

pid	Process
2808	0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8_JC.exe
2284	vbyxm.exe
2660	colorcpl.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 2620	2284	vbyxm.exe	29
PID 2620 set thread context of 1228	2620	vbyxm.exe	8
PID 2620 set thread context of 2660	2620	vbyxm.exe	33
PID 2660 set thread context of 1228	2660	colorcpl.exe	8

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3185155662-718608226-894467740-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2620	vbyxm.exe
2620	vbyxm.exe
2620	vbyxm.exe
2620	vbyxm.exe
2620	vbyxm.exe
2620	vbyxm.exe
2620	vbyxm.exe
2620	vbyxm.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1228	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2284	vbyxm.exe
2620	vbyxm.exe
1228	Explorer.EXE
1228	Explorer.EXE
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe
2660	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	vbyxm.exe
Token: SeDebugPrivilege	2660	colorcpl.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2284	2808	0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8_JC.exe	28
PID 2808 wrote to memory of 2284	2808	0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8_JC.exe	28
PID 2808 wrote to memory of 2284	2808	0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8_JC.exe	28
PID 2808 wrote to memory of 2284	2808	0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8_JC.exe	28
PID 2284 wrote to memory of 2620	2284	vbyxm.exe	29
PID 2284 wrote to memory of 2620	2284	vbyxm.exe	29
PID 2284 wrote to memory of 2620	2284	vbyxm.exe	29
PID 2284 wrote to memory of 2620	2284	vbyxm.exe	29
PID 2284 wrote to memory of 2620	2284	vbyxm.exe	29
PID 1228 wrote to memory of 2660	1228	Explorer.EXE	33
PID 1228 wrote to memory of 2660	1228	Explorer.EXE	33
PID 1228 wrote to memory of 2660	1228	Explorer.EXE	33
PID 1228 wrote to memory of 2660	1228	Explorer.EXE	33
PID 2660 wrote to memory of 1292	2660	colorcpl.exe	36
PID 2660 wrote to memory of 1292	2660	colorcpl.exe	36
PID 2660 wrote to memory of 1292	2660	colorcpl.exe	36
PID 2660 wrote to memory of 1292	2660	colorcpl.exe	36
PID 2660 wrote to memory of 1292	2660	colorcpl.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\0c67ccd6b722d25bbe932693afe8d0895555d12442699122c8810d2d6610e2a8_JC.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\vbyxm.exe
    "C:\Users\Admin\AppData\Local\Temp\vbyxm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\vbyxm.exe
      "C:\Users\Admin\AppData\Local\Temp\vbyxm.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2620
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2772
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bvptj.zip

Filesize
553KB

MD5
5e2d04cb2fae4e811ca35675c472f5fc

SHA1
6e2359f8e81f1a1122d1fb50b064878f2aaefc68

SHA256
dd46a298ab90ca9ba8a1f633f20abe2dcb805596b5aa68dcb84cce99e3a56be1

SHA512
53c8701768ee4a43a6b2095af00aa5f2c53445021a91d3567d02cf8157c7b7c4e629c5c70bb24697d365a7c41c791af0c68b511ab3cf5f356d9d929618421d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\qboqmxso.dv

Filesize
250KB

MD5
b0424f525aa17cf11cce5c3c7f3d6d75

SHA1
4b71be412105fc7538dae5c8da6d8df18d317130

SHA256
1347d09c9c606856c26f553c27bc245f75c4928db31864e1f9390d16da656722

SHA512
9e34c216e7c22d8f71bf7c88d70ab114fd7b8fd2fb88a4aecdb03baca363f9262908b968776b8230cc76cac126f7829655a612b5a990bc1317fc58c8a5a17c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbyxm.exe

Filesize
175KB

MD5
8f0e8cee28f31350d3fe6b312b800813

SHA1
426db9ea11953fa825972827e0d4dd17872bbcc3

SHA256
c6949cba7800c96fad244bc6dd6e8b11b82182b5b43c9b8c1be09b227f76b5dc

SHA512
b716eca144265c3f07b9ae00a345a970156b0a7a8ef341100d639e8182949247e5e84f85a529864bc8ec2061f1a66bdab43765d303fe81ef32729b9a167932e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbyxm.exe

Filesize
175KB

MD5
8f0e8cee28f31350d3fe6b312b800813

SHA1
426db9ea11953fa825972827e0d4dd17872bbcc3

SHA256
c6949cba7800c96fad244bc6dd6e8b11b82182b5b43c9b8c1be09b227f76b5dc

SHA512
b716eca144265c3f07b9ae00a345a970156b0a7a8ef341100d639e8182949247e5e84f85a529864bc8ec2061f1a66bdab43765d303fe81ef32729b9a167932e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbyxm.exe

Filesize
175KB

MD5
8f0e8cee28f31350d3fe6b312b800813

SHA1
426db9ea11953fa825972827e0d4dd17872bbcc3

SHA256
c6949cba7800c96fad244bc6dd6e8b11b82182b5b43c9b8c1be09b227f76b5dc

SHA512
b716eca144265c3f07b9ae00a345a970156b0a7a8ef341100d639e8182949247e5e84f85a529864bc8ec2061f1a66bdab43765d303fe81ef32729b9a167932e7

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.0MB

MD5
f1e5f58f9eb43ecec773acbdb410b888

SHA1
f1b8076b0bbde696694bbc0ab259a77893839464

SHA256
a15fd84ee61b54c92bb099dfb78226548f43d550c67fb6adf4cce3d064ab1c14

SHA512
0aff96430dd99bb227285fefc258014c301f85216c84e40f45702d26cdd7e77261a41fd3811d686f5fb2ee363cc651a014e8ffa339384004cece645a36486456

Download Submit
\Users\Admin\AppData\Local\Temp\vbyxm.exe

Filesize
175KB

MD5
8f0e8cee28f31350d3fe6b312b800813

SHA1
426db9ea11953fa825972827e0d4dd17872bbcc3

SHA256
c6949cba7800c96fad244bc6dd6e8b11b82182b5b43c9b8c1be09b227f76b5dc

SHA512
b716eca144265c3f07b9ae00a345a970156b0a7a8ef341100d639e8182949247e5e84f85a529864bc8ec2061f1a66bdab43765d303fe81ef32729b9a167932e7

Download Submit
\Users\Admin\AppData\Local\Temp\vbyxm.exe

Filesize
175KB

MD5
8f0e8cee28f31350d3fe6b312b800813

SHA1
426db9ea11953fa825972827e0d4dd17872bbcc3

SHA256
c6949cba7800c96fad244bc6dd6e8b11b82182b5b43c9b8c1be09b227f76b5dc

SHA512
b716eca144265c3f07b9ae00a345a970156b0a7a8ef341100d639e8182949247e5e84f85a529864bc8ec2061f1a66bdab43765d303fe81ef32729b9a167932e7

Download Submit
memory/1228-27-0x0000000007350000-0x000000000746A000-memory.dmp

Filesize
1.1MB

Download
memory/1228-29-0x0000000007350000-0x000000000746A000-memory.dmp

Filesize
1.1MB

Download
memory/1228-26-0x0000000007350000-0x000000000746A000-memory.dmp

Filesize
1.1MB

Download
memory/2284-6-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/2620-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-17-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2620-15-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-20-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-21-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2620-14-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/2620-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2620-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2660-19-0x00000000000E0000-0x0000000000116000-memory.dmp

Filesize
216KB

Download
memory/2660-25-0x00000000000E0000-0x0000000000116000-memory.dmp

Filesize
216KB

Download
memory/2660-24-0x0000000001E50000-0x0000000001EF2000-memory.dmp

Filesize
648KB

Download
memory/2660-28-0x0000000001E50000-0x0000000001EF2000-memory.dmp

Filesize
648KB

Download
memory/2660-23-0x00000000000E0000-0x0000000000116000-memory.dmp

Filesize
216KB

Download
memory/2660-22-0x0000000001FE0000-0x00000000022E3000-memory.dmp

Filesize
3.0MB

Download
memory/2660-18-0x00000000000E0000-0x0000000000116000-memory.dmp

Filesize
216KB

Download
memory/2660-70-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing