a1ea988c9b8bb71be31da72660d3ec18babe7b8aed1101d03ab62c0c037a6c87

General

Target

04c6edff9076cefcc036da59a349bf6f.exe
Size

242KB
MD5

04c6edff9076cefcc036da59a349bf6f
SHA1

a68cf988973fb17bb6e05803563dc4308735a611
SHA256

a1ea988c9b8bb71be31da72660d3ec18babe7b8aed1101d03ab62c0c037a6c87
SHA512

040376b7ade6f4a94d4c1d1e000a032367df90475bcc95a698370acc7cfff5b86d3c758932ee25ac7642f9b1cf25116d964aff9171f79e54922b625d0a6e7960
SSDEEP

6144:bYpSnN1sLYGShjWWrUNKnUiyPZ+QQieWB6CFlH4/F5uQiOB:bYpSN1Eni2iyZ+SPFq9AQiOB

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

04c6edff9076cefcc036da59a349bf6f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	04c6edff9076cefcc036da59a349bf6f.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

04c6edff9076cefcc036da59a349bf6f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	04c6edff9076cefcc036da59a349bf6f.exe

Executes dropped EXE 1 IoCs

Processes:

vvvebx.exe

pid process

1472 vvvebx.exe

pid	process
1472	vvvebx.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2656-0-0x0000000000400000-0x0000000000497000-memory.dmp	upx
behavioral2/memory/2656-1-0x0000000000400000-0x0000000000497000-memory.dmp	upx
behavioral2/memory/2656-2-0x0000000000400000-0x0000000000497000-memory.dmp	upx
C:\Users\Admin\vvvebx.exe	upx
behavioral2/memory/1472-14-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

04c6edff9076cefcc036da59a349bf6f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "C:\\Users\\Admin\\vvvebx.exe \\u"	04c6edff9076cefcc036da59a349bf6f.exe

Drops file in System32 directory 3 IoCs

Processes:

04c6edff9076cefcc036da59a349bf6f.exevvvebx.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	04c6edff9076cefcc036da59a349bf6f.exe
File created	C:\Windows\SysWOW64\secupdat.dat	04c6edff9076cefcc036da59a349bf6f.exe
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	vvvebx.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vvvebx.exe

description pid process target process

PID 1472 set thread context of 4464 1472 vvvebx.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1472 set thread context of 4464	1472	vvvebx.exe	svchost.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3892	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
3760	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
2016	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
2088	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
1420	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
3532	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
3704	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
4516	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
3504	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
4656	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
3080	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
1236	2656	WerFault.exe	04c6edff9076cefcc036da59a349bf6f.exe
1240	4464	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04c6edff9076cefcc036da59a349bf6f.exevvvebx.exe

description	pid	process	target process
PID 2656 wrote to memory of 1472	2656	04c6edff9076cefcc036da59a349bf6f.exe	vvvebx.exe
PID 2656 wrote to memory of 1472	2656	04c6edff9076cefcc036da59a349bf6f.exe	vvvebx.exe
PID 2656 wrote to memory of 1472	2656	04c6edff9076cefcc036da59a349bf6f.exe	vvvebx.exe
PID 2656 wrote to memory of 432	2656	04c6edff9076cefcc036da59a349bf6f.exe	cmd.exe
PID 2656 wrote to memory of 432	2656	04c6edff9076cefcc036da59a349bf6f.exe	cmd.exe
PID 2656 wrote to memory of 432	2656	04c6edff9076cefcc036da59a349bf6f.exe	cmd.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe
PID 1472 wrote to memory of 4464	1472	vvvebx.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\04c6edff9076cefcc036da59a349bf6f.exe
"C:\Users\Admin\AppData\Local\Temp\04c6edff9076cefcc036da59a349bf6f.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 576
2⤵
- Program crash
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 592
2⤵
- Program crash
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 600
2⤵
- Program crash
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 624
2⤵
- Program crash
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 660
2⤵
- Program crash
PID:1420

C:\Users\Admin\vvvebx.exe
\u
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 196
4⤵
- Program crash
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 988
2⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1084
2⤵
- Program crash
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1332
2⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1368
2⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1368
2⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1408
2⤵
- Program crash
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0611.bat" "
2⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 152
2⤵
- Program crash
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2656 -ip 2656
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2656 -ip 2656
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2656 -ip 2656
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2656 -ip 2656
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2656 -ip 2656
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2656 -ip 2656
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2656 -ip 2656
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2656 -ip 2656
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2656 -ip 2656
1⤵
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2656 -ip 2656
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2656 -ip 2656
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2656 -ip 2656
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4464 -ip 4464
1⤵
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0611.bat
Filesize
103B

MD5
9cba6e45ae8ca1c18d44385dc6576f1a

SHA1
aef15effb6a4002c14dc9c39e40f16befae1cf39

SHA256
1ce070d97234a2cbc86173691944fae7e3889025483ce70dd839d27209fbd6be

SHA512
4c9895a743ea0eba0d5fb4e738721246aacde72befe6581bbd2281fa6a6856eca28e788e0ac74b6b3bff2ad6ca591ecda020dc4263f6f324ee55a38edede5601

Download Submit
C:\Users\Admin\vvvebx.exe
Filesize
20KB

MD5
aa1ae29b65b47d5d21cd2a0fdadb4dc1

SHA1
a62409fb17f40ae7e43bec05daa89c08c50a744d

SHA256
dd4d67eedb592dc144af40a8f529f6f8470e78dce9c474056451dc2aa069a69b

SHA512
27a83a83bdcc9b21e9e54948d9829820ed7f5801f8b48cdd08d8f638b3d914d2fb7442a455bfea26967025c9682a792ff6624600a04305bd539bc84ec93dae0e

Download Submit
C:\Windows\SysWOW64\secupdat.dat
Filesize
70KB

MD5
385d72644b16a26bdf2681015dd6faf9

SHA1
6fb47623bce4623f5b66041fd11c0cbe8cc13e64

SHA256
ad09d7cc3d40cc4aba78a1979b879d753fa7bf91235a798bd2c979f91effde34

SHA512
954c54969cf3de29dbca52b7f864ee74907207a8bc5f234d12d0d2d393ff2c59518b80fedce1ee7963e603d303f0513d098dc47fa7151e57de16bf81bdec9037

Download Submit
memory/1472-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1472-25-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1472-19-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2656-18-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2656-9-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2656-0-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2656-3-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2656-2-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2656-1-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4464-21-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/4464-32-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/4464-33-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download
memory/4464-31-0x0000000009900000-0x0000000009915000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads