39d5f7a4c3eae3ba9b94a03f7d67fa2c1edc01a5611c6fdca59f92a0159f54b1

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a6a42f4fb3d1dd146d770515e4fb89e.exe
Size

616KB
MD5

5a6a42f4fb3d1dd146d770515e4fb89e
SHA1

bd781558f7085bd4fca6bc2770edcc0eebf14229
SHA256

39d5f7a4c3eae3ba9b94a03f7d67fa2c1edc01a5611c6fdca59f92a0159f54b1
SHA512

7ce6d24b47233314793b121f4caf90fae0401a75c5d85db279a218f59dfb98f2adfa1506dc1c25ae8e7eddd10257c51fa7d0e83b3dd7b7c47bd6be70924d2053
SSDEEP

12288:mNdxlP/0CSiWs6S/r08w9ZfsTQFsjm3aGvnHTQpTIRq:mNdxJ0PiQ9ZzeIy

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\vbc.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vbc.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\cleaner.exe = "C:\\Users\\Admin\\AppData\\Roaming\\cleaner.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Google Updater = "C:\\Users\\Admin\\AppData\\Roaming\\cleaner.exe"	vbc.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFABADAB-66DD-35DC-D4FA-BFEDDCF88D6C}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFABADAB-66DD-35DC-D4FA-BFEDDCF88D6C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\cleaner.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CFABADAB-66DD-35DC-D4FA-BFEDDCF88D6C}	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{CFABADAB-66DD-35DC-D4FA-BFEDDCF88D6C}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\cleaner.exe"	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
5024	vbc.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5024-13-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-12-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-7-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-24-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-27-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-28-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-30-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-35-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-38-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-41-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-45-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-48-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-55-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-58-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-61-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral2/memory/5024-65-0x0000000000400000-0x00000000004D0000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdate\\5a6a42f4fb3d1dd146d770515e4fb89e.exe"	5a6a42f4fb3d1dd146d770515e4fb89e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Roaming\\cleaner.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Updater = "C:\\Users\\Admin\\AppData\\Roaming\\cleaner.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 5024	1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe	91

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4724	reg.exe
4612	reg.exe
1396	reg.exe
4596	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe
Token: 1	5024	vbc.exe
Token: SeCreateTokenPrivilege	5024	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	5024	vbc.exe
Token: SeLockMemoryPrivilege	5024	vbc.exe
Token: SeIncreaseQuotaPrivilege	5024	vbc.exe
Token: SeMachineAccountPrivilege	5024	vbc.exe
Token: SeTcbPrivilege	5024	vbc.exe
Token: SeSecurityPrivilege	5024	vbc.exe
Token: SeTakeOwnershipPrivilege	5024	vbc.exe
Token: SeLoadDriverPrivilege	5024	vbc.exe
Token: SeSystemProfilePrivilege	5024	vbc.exe
Token: SeSystemtimePrivilege	5024	vbc.exe
Token: SeProfSingleProcessPrivilege	5024	vbc.exe
Token: SeIncBasePriorityPrivilege	5024	vbc.exe
Token: SeCreatePagefilePrivilege	5024	vbc.exe
Token: SeCreatePermanentPrivilege	5024	vbc.exe
Token: SeBackupPrivilege	5024	vbc.exe
Token: SeRestorePrivilege	5024	vbc.exe
Token: SeShutdownPrivilege	5024	vbc.exe
Token: SeDebugPrivilege	5024	vbc.exe
Token: SeAuditPrivilege	5024	vbc.exe
Token: SeSystemEnvironmentPrivilege	5024	vbc.exe
Token: SeChangeNotifyPrivilege	5024	vbc.exe
Token: SeRemoteShutdownPrivilege	5024	vbc.exe
Token: SeUndockPrivilege	5024	vbc.exe
Token: SeSyncAgentPrivilege	5024	vbc.exe
Token: SeEnableDelegationPrivilege	5024	vbc.exe
Token: SeManageVolumePrivilege	5024	vbc.exe
Token: SeImpersonatePrivilege	5024	vbc.exe
Token: SeCreateGlobalPrivilege	5024	vbc.exe
Token: 31	5024	vbc.exe
Token: 32	5024	vbc.exe
Token: 33	5024	vbc.exe
Token: 34	5024	vbc.exe
Token: 35	5024	vbc.exe
Token: SeDebugPrivilege	5024	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5024	vbc.exe
5024	vbc.exe
5024	vbc.exe
5024	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 5024	1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe	91
PID 1388 wrote to memory of 5024	1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe	91
PID 1388 wrote to memory of 5024	1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe	91
PID 1388 wrote to memory of 5024	1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe	91
PID 1388 wrote to memory of 5024	1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe	91
PID 1388 wrote to memory of 5024	1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe	91
PID 1388 wrote to memory of 5024	1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe	91
PID 1388 wrote to memory of 5024	1388	5a6a42f4fb3d1dd146d770515e4fb89e.exe	91
PID 5024 wrote to memory of 5056	5024	vbc.exe	103
PID 5024 wrote to memory of 5056	5024	vbc.exe	103
PID 5024 wrote to memory of 5056	5024	vbc.exe	103
PID 5024 wrote to memory of 2120	5024	vbc.exe	102
PID 5024 wrote to memory of 2120	5024	vbc.exe	102
PID 5024 wrote to memory of 2120	5024	vbc.exe	102
PID 5024 wrote to memory of 1440	5024	vbc.exe	101
PID 5024 wrote to memory of 1440	5024	vbc.exe	101
PID 5024 wrote to memory of 1440	5024	vbc.exe	101
PID 5024 wrote to memory of 3252	5024	vbc.exe	100
PID 5024 wrote to memory of 3252	5024	vbc.exe	100
PID 5024 wrote to memory of 3252	5024	vbc.exe	100
PID 5056 wrote to memory of 1396	5056	cmd.exe	96
PID 5056 wrote to memory of 1396	5056	cmd.exe	96
PID 5056 wrote to memory of 1396	5056	cmd.exe	96
PID 3252 wrote to memory of 4612	3252	cmd.exe	95
PID 3252 wrote to memory of 4612	3252	cmd.exe	95
PID 3252 wrote to memory of 4612	3252	cmd.exe	95
PID 2120 wrote to memory of 4596	2120	cmd.exe	97
PID 2120 wrote to memory of 4596	2120	cmd.exe	97
PID 2120 wrote to memory of 4596	2120	cmd.exe	97
PID 1440 wrote to memory of 4724	1440	cmd.exe	94
PID 1440 wrote to memory of 4724	1440	cmd.exe	94
PID 1440 wrote to memory of 4724	1440	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\5a6a42f4fb3d1dd146d770515e4fb89e.exe
"C:\Users\Admin\AppData\Local\Temp\5a6a42f4fb3d1dd146d770515e4fb89e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\cleaner.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cleaner.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:4724

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\cleaner.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\cleaner.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:4612

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:1396

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\vbc.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\vbc.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
92KB

MD5
1e79db71deb6a2419f0870eef0adc3b7

SHA1
a26de6b06ebad2d06f0730afb5cf69541e00c5f0

SHA256
0a012744555aafa28f5641e08bb18500ae1921c8ba920dea14c67d49c7bea8ac

SHA512
741776f2a44ae8e54cae15ecdcb13a3554a7d6f7047002380f9acbce87e91f324aeb95d5075b3cb19fac646ab76322ee03501135e3249d325bf5aeadc41480df

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
256KB

MD5
7950d5d257cf8e826cd41441acc11052

SHA1
90d7331007dae004639f69689c7af920e18fd9f1

SHA256
27c73f3cb27a4ffaa266c9ca5dcddeed932234ca02acfacf7d642f2a2af942e2

SHA512
a3ceb78eed1e1cb0ac555eff39d86fc5ae017bfccecd18b3f77451ec1da15286c39445c264fd2c8ec09422b9ba57b1e49bb9f02744cc80e93a431f0e14eeeaf7

Download Submit
C:\Users\Admin\AppData\Roaming\cleaner.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1388-1-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/1388-2-0x0000000001600000-0x0000000001610000-memory.dmp

Filesize
64KB

Download
memory/1388-15-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/1388-0-0x0000000074F30000-0x00000000754E1000-memory.dmp

Filesize
5.7MB

Download
memory/5024-27-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-33-0x0000000076C10000-0x0000000076C8A000-memory.dmp

Filesize
488KB

Download
memory/5024-12-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-22-0x0000000076C10000-0x0000000076C8A000-memory.dmp

Filesize
488KB

Download
memory/5024-23-0x0000000077846000-0x0000000077847000-memory.dmp

Filesize
4KB

Download
memory/5024-21-0x00000000761B0000-0x00000000762A0000-memory.dmp

Filesize
960KB

Download
memory/5024-24-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-13-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-28-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-29-0x00000000761B0000-0x00000000762A0000-memory.dmp

Filesize
960KB

Download
memory/5024-30-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-7-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-35-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-38-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-41-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-45-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-48-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-55-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-58-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-61-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5024-65-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download