e449d85721f5e30334f3f152a534b9e28bdc17f7575d95bb5624a01f23a5762e

General

Target

3cb4b30f3a45d49dc7d088e7034ff040.exe
Size

339KB
MD5

3cb4b30f3a45d49dc7d088e7034ff040
SHA1

0d7a417c76a2639e8f2752b9378d44a205c5a169
SHA256

e449d85721f5e30334f3f152a534b9e28bdc17f7575d95bb5624a01f23a5762e
SHA512

4420b660df56a937452bf7bfb4da4d00dd411be085e0606aa0249ab2839cdfe4660235c715c42689bb7b1825fa03840c7f8ebd043bc60168f929f2cb6dd26ad5
SSDEEP

6144:sWPj0BrW1Xuvvf4cJYTsVrY4OuVNT0zaDC3MeUfOc9eLD3cVhXPOBjp+Gbe:VP4dfvvgcJLVrs8ZKfMeUP9eXLBQGbe

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{X451B4F1-TRAS-M4SE-B3LL-E5OM2175G777}	VBAddins.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{X451B4F1-TRAS-M4SE-B3LL-E5OM2175G777}\StubPath = "C:\\Windows\\SysWOW64\\en-GB\\VBAddins.exe"	VBAddins.exe

Executes dropped EXE 2 IoCs

pid	Process
2784	errdlg.exe
2772	VBAddins.exe

Loads dropped DLL 4 IoCs

pid	Process
2240	3cb4b30f3a45d49dc7d088e7034ff040.exe
2240	3cb4b30f3a45d49dc7d088e7034ff040.exe
2240	3cb4b30f3a45d49dc7d088e7034ff040.exe
2240	3cb4b30f3a45d49dc7d088e7034ff040.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\en-GB\VBAddins.exe	3cb4b30f3a45d49dc7d088e7034ff040.exe
File created	C:\Windows\SysWOW64\en-GB\259426402.tmp	3cb4b30f3a45d49dc7d088e7034ff040.exe
File created	C:\Windows\SysWOW64\en-GB\regdlib.exe	3cb4b30f3a45d49dc7d088e7034ff040.exe
File opened for modification	C:\Windows\SysWOW64\en-GB\regdlib.exe	3cb4b30f3a45d49dc7d088e7034ff040.exe
File created	C:\Windows\SysWOW64\en-GB\259426417.tmp	3cb4b30f3a45d49dc7d088e7034ff040.exe
File created	C:\Windows\SysWOW64\en-GB\services.exe	3cb4b30f3a45d49dc7d088e7034ff040.exe
File opened for modification	C:\Windows\SysWOW64\en-GB\services.exe	3cb4b30f3a45d49dc7d088e7034ff040.exe
File opened for modification	C:\Windows\SysWOW64\en-GB\setxdebug.exe	3cb4b30f3a45d49dc7d088e7034ff040.exe
File created	C:\Windows\SysWOW64\en-GB\setxdebug.exe	3cb4b30f3a45d49dc7d088e7034ff040.exe
File opened for modification	C:\Windows\SysWOW64\en-GB\VBAddins.exe	3cb4b30f3a45d49dc7d088e7034ff040.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Programs.NET Uninstaller.exe	3cb4b30f3a45d49dc7d088e7034ff040.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2772	VBAddins.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	VBAddins.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2240	3cb4b30f3a45d49dc7d088e7034ff040.exe
2240	3cb4b30f3a45d49dc7d088e7034ff040.exe
2240	3cb4b30f3a45d49dc7d088e7034ff040.exe
2240	3cb4b30f3a45d49dc7d088e7034ff040.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2784	2240	3cb4b30f3a45d49dc7d088e7034ff040.exe	28
PID 2240 wrote to memory of 2784	2240	3cb4b30f3a45d49dc7d088e7034ff040.exe	28
PID 2240 wrote to memory of 2784	2240	3cb4b30f3a45d49dc7d088e7034ff040.exe	28
PID 2240 wrote to memory of 2784	2240	3cb4b30f3a45d49dc7d088e7034ff040.exe	28
PID 2240 wrote to memory of 2772	2240	3cb4b30f3a45d49dc7d088e7034ff040.exe	29
PID 2240 wrote to memory of 2772	2240	3cb4b30f3a45d49dc7d088e7034ff040.exe	29
PID 2240 wrote to memory of 2772	2240	3cb4b30f3a45d49dc7d088e7034ff040.exe	29
PID 2240 wrote to memory of 2772	2240	3cb4b30f3a45d49dc7d088e7034ff040.exe	29

C:\Users\Admin\AppData\Local\Temp\3cb4b30f3a45d49dc7d088e7034ff040.exe
"C:\Users\Admin\AppData\Local\Temp\3cb4b30f3a45d49dc7d088e7034ff040.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\errdlg.exe
  "C:\Users\Admin\AppData\Local\Temp\errdlg.exe"
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\SysWOW64\en-GB\VBAddins.exe
  "C:\Windows\system32\en-GB\VBAddins.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\errdlg.exe

Filesize
10KB

MD5
8a276a7f5502e6276f89b6fd03666725

SHA1
f7bf6ed47344e17bc9b034d465e36c13062f8de3

SHA256
8e3cee09d82c60b675a770d9977a357dcb6715881468a756940a37baaaadbe3b

SHA512
f3e3947fb7720a7cfd8b9f75ec8b1d5b064914eaf7bd1568b4d695d84cae7d3ddcb3fb53f2ead9b2a119663c79df1974d642be50504a9022b2fb56a59a6da075

Download Submit
\Windows\SysWOW64\en-GB\VBAddins.exe

Filesize
11KB

MD5
d96b7c4d71253c37f8fdc510d0448653

SHA1
5cc8cd49c1c18123540e10a1b7be1f15cd51302e

SHA256
d7b36f1f3602e6ab61393b8944bda22d6762fbad6f6fb280c763bc114a29016a

SHA512
26ba2f57efbebdca191825279220e733f3f61075bbf55ad5c1a707bf33ee0713a0cc490afbdfef6576a0287a813d83ebdb1598ebc18427419b25244e6f42da76

Download Submit
memory/2240-18-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2772-44-0x00000000021F0000-0x0000000002230000-memory.dmp

Filesize
256KB

Download
memory/2772-47-0x00000000739E0000-0x0000000073F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-38-0x00000000739E0000-0x0000000073F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-42-0x00000000021F0000-0x0000000002230000-memory.dmp

Filesize
256KB

Download
memory/2772-40-0x00000000739E0000-0x0000000073F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-46-0x00000000021F0000-0x0000000002230000-memory.dmp

Filesize
256KB

Download
memory/2784-41-0x00000000739E0000-0x0000000073F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-43-0x0000000000980000-0x00000000009C0000-memory.dmp

Filesize
256KB

Download
memory/2784-39-0x0000000000980000-0x00000000009C0000-memory.dmp

Filesize
256KB

Download
memory/2784-37-0x00000000739E0000-0x0000000073F8B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-48-0x00000000739E0000-0x0000000073F8B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads