Analysis
max time kernel: 64s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20/01/2024, 01:51
Static task: static1
  1 signatures
Behavioral task: behavioral1
  Sample: 692e59936ec86af59b779fcaa3196fdc.exe
  Resource: win7-20231215-en
  8 signatures, 150 seconds
Behavioral task: behavioral2
  Sample: 692e59936ec86af59b779fcaa3196fdc.exe
  Resource: win10v2004-20231222-en
  9 signatures, 150 seconds
General
Target: 692e59936ec86af59b779fcaa3196fdc.exe
Size: 982KB
MD5: 692e59936ec86af59b779fcaa3196fdc
SHA1: f1bc1a37d83db1823aafecc2c845baae0bc1f758
SHA256: 67516c379552392727f0857f3c8c01d6f2d4bf24e8d2e6190a842b752893c5d0
SHA512: f463579d1e3a0352b747034f33b02aa2ea10b43473050512a3c004226a6f95afcc3068d760fce2fdffd8dd1b5f8219f839b455a80a07d9eed03ffef5a5443d41
SSDEEP: 24576:9fmH83w6BY1oVjEySR6A9sXocCFvp1a8GmXnj:9e8g6B3VKv9IS9nRV
Score: 10/10
Malware Config
Signatures

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\drt = "C:\\Users\\Admin\\AppData\\Roaming\\drt.exe" | 692e59936ec86af59b779fcaa3196fdc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\drt = "C:\\Users\\Admin\\AppData\\Roaming\\drt.exe" | 692e59936ec86af59b779fcaa3196fdc.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2036 set thread context of 2720 | 2036 | 692e59936ec86af59b779fcaa3196fdc.exe | 28
  PID 2824 set thread context of 2684 | 2824 | 692e59936ec86af59b779fcaa3196fdc.exe | 30

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  64 entries, each with pid 2036 or 2824 and Process 692e59936ec86af59b779fcaa3196fdc.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2036 | 692e59936ec86af59b779fcaa3196fdc.exe
  Token: SeDebugPrivilege | 2824 | 692e59936ec86af59b779fcaa3196fdc.exe
  Token: <privilege> | 2720 | vbc.exe and Token: <privilege> | 2684 | vbc.exe, once for each of these 23 privileges per process: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory (34 IoCs)
  description | pid | Process | procid_target
  PID 2036 wrote to memory of 2720 | 2036 | 692e59936ec86af59b779fcaa3196fdc.exe | 28 (15 entries)
  PID 2036 wrote to memory of 2824 | 2036 | 692e59936ec86af59b779fcaa3196fdc.exe | 29 (4 entries)
  PID 2824 wrote to memory of 2684 | 2824 | 692e59936ec86af59b779fcaa3196fdc.exe | 30 (15 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\692e59936ec86af59b779fcaa3196fdc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\692e59936ec86af59b779fcaa3196fdc.exe"
   PID: 2036
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 2720
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\692e59936ec86af59b779fcaa3196fdc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\692e59936ec86af59b779fcaa3196fdc.exe"
      PID: 2824
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         PID: 2684
         - Suspicious use of AdjustPrivilegeToken