Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2024, 14:11
Static task
- static1
Behavioral task
- behavioral1
  Sample: 6aa399068d8103d8e7e44c76a04a927f.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: 6aa399068d8103d8e7e44c76a04a927f.exe
  Resource: win10v2004-20231222-en
(The signatures, PIDs and process tree below are from the windows7_x64 run.)
General
- Target: 6aa399068d8103d8e7e44c76a04a927f.exe
- Size: 852KB
- MD5: 6aa399068d8103d8e7e44c76a04a927f
- SHA1: 286e985bbbb1aa4568bcc4f36d2c55c80cdc7e34
- SHA256: 3d849011f1bda6edb5e9eebfb1c639fb0d5d4dc20cfc7605401e661a0ef1ebd2
- SHA512: 3606ee585d4efee337b69b259c2179e021eb79fc1f76139502c1b4d4ff3a68f6f507af583c1686701f1835747b48a042fb19ddfdda0a916e2f76e1887e4f30e3
- SSDEEP: 12288:6Ull2QkqHQOzbACXu2eq0yKcRENhm3k60doCcuesI+J2a0gwiKgfpZpjn8kNBDXo:66vNXuain63k60uro2FgwONDBBrCbM2
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windupdt\\winupdate.exe" | vbc.exe
The stock value is "C:\Windows\system32\userinit.exe," (trailing comma). Winlogon runs every comma-separated entry at each interactive logon in the context of the user logging on, so the appended winupdate.exe path survives reboots for every account on the machine. Note that the write comes from vbc.exe, not from the original sample.
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | vbc.exe
The "drivers directory" file is the hosts file. It is writable only with administrator rights, and malware edits it to sinkhole or redirect name resolution (typically security-vendor update or telemetry hosts). The report records only that the file was opened for write access, not what was written.
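The report shows only the open-for-write on the hosts file, not the resulting contents. The following is an added example (not part of the sandbox report) of the audit a responder would run on the recovered file: it parses hosts-file syntax and lists every active mapping that is not a stock localhost entry, splitting them into sinkholed names (pointed at loopback or 0.0.0.0) and redirected names. The sample file is constructed for the example, using RFC 2606 names and an RFC 5737 test address; the stock Windows file since Vista contains only comments, so on a real host any active line is worth a look.

```python
"""Hosts-file audit. Added example, not from the report; the sample text
below is constructed (example.com/.net/.org names, TEST-NET-3 address)."""
import ipaddress

# Names the stock hosts file may legitimately map (constructed allow-list).
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Addresses that make a name resolve to nothing useful: classic sinkholing.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def audit_hosts(text: str) -> list[tuple[str, str, str]]:
    """Return (hostname, address, kind) for every non-stock mapping.

    kind is 'sinkholed' when the name is pointed at loopback/unspecified
    (update or telemetry blocking) and 'redirected' otherwise."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                             # malformed line, ignore
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                             # first token not an address
        kind = "sinkholed" if addr in SINKHOLE_ADDRS else "redirected"
        for name in names:
            if name.lower() not in STOCK_NAMES:
                findings.append((name.lower(), addr, kind))
    return findings


# Constructed sample: stock Windows header followed by three tampered lines.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1 localhost
127.0.0.1 update.example.com         # constructed: update host sinkholed
0.0.0.0   telemetry.example.net      # constructed: telemetry host sinkholed
203.0.113.5 login.example.org        # constructed: redirected to TEST-NET-3
"""

if __name__ == "__main__":
    for host, addr, kind in audit_hosts(HOSTS_SAMPLE):
        print(f"{kind:10} {host} -> {addr}")
```

On a live system the input is the contents of C:\Windows\System32\drivers\etc\hosts; on a sandbox run it is the file recovered from the VM after detonation, which is the only way to learn what the IoC above actually did.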
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | vbc.exe
Executes dropped EXE (1 IoC)
pid | Process
2708 | winupdate.exe
Loads dropped DLL (1 IoC)
pid | Process
2664 | vbc.exe
Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET command-line compiler that ships with the .NET Framework, a Microsoft-signed binary; the path under Framework\v2.0.50727 (rather than Framework64) is the 32-bit build. Here it compiles nothing: the sample starts it, writes to its memory thirteen times and resets its thread context (see the SetThreadContext and WriteProcessMemory entries below), which is the process-hollowing pattern. Every later signature attributed to vbc.exe is the injected payload running under a trusted image name.
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\ProgramData\\Sys32c.exe" | 6aa399068d8103d8e7e44c76a04a927f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windupdt\\winupdate.exe" | vbc.exe
Two different processes register two different autostart entries in the current user's Run key: the original sample registers C:\ProgramData\Sys32c.exe under the name "DefaultSystem", and the hollowed vbc.exe registers winupdate.exe (the same binary it also appended to UserInit) under "winupdater". Both targets sit under C:\ProgramData, which a standard user can write to. No process named Sys32c.exe appears in the process tree, so the listed IoCs do not show that path being dropped or run.
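The Winlogon\UserInit entry above and the two Run values are the registry artifacts a responder would check for on other hosts. What follows is an added example, not part of the sandbox report: a small Python audit that takes the raw registry strings (as exported with reg.exe or Get-ItemProperty, or copied from a report like this one), flags every UserInit entry that is not the stock userinit.exe, and flags Run values whose executable lives in a user-writable location. The helper names are mine; the sample inputs are the report's own IoC values, embedded verbatim so the check runs offline, plus one constructed benign Run entry for contrast.

```python
"""Registry persistence audit for Winlogon\\UserInit and Run values.
Added example, not from the report; inputs below are copied from the
report's IoCs (backslashes doubled exactly as the report prints them)."""
import ntpath
import re

# Stock UserInit value on Windows 7/10; note the trailing comma.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Locations an unprivileged user can write to; an autostart target here is
# suspicious by itself (constructed list, extend for your environment).
USER_WRITABLE_PREFIXES = (
    "c:\\programdata\\", "c:\\users\\", "%appdata%", "%localappdata%",
    "%programdata%", "%temp%", "%public%", "%userprofile%",
)

_EXE_RE = re.compile(r'\s*"?(.+?\.exe)', re.IGNORECASE)


def _normalize(path: str) -> str:
    """Unquote, collapse the doubled backslashes sandbox reports print,
    normalise separators and lower-case for comparison."""
    p = path.strip().strip('"').replace("\\\\", "\\")
    return ntpath.normpath(p).lower()


def userinit_extra_entries(value: str) -> list[str]:
    """Every comma-separated UserInit entry that is not the stock
    userinit.exe. Winlogon runs each of these at interactive logon."""
    stock = _normalize(DEFAULT_USERINIT.rstrip(","))
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and _normalize(entry) != stock:
            extras.append(entry)
    return extras


def run_key_findings(run_values: dict[str, str]) -> list[tuple[str, str]]:
    """(value name, normalised exe path) for every Run entry whose target
    executable sits under a user-writable prefix."""
    findings = []
    for name, command in run_values.items():
        m = _EXE_RE.match(command)
        exe = _normalize(m.group(1) if m else command)
        if any(exe.startswith(prefix) for prefix in USER_WRITABLE_PREFIXES):
            findings.append((name, exe))
    return findings


# Constructed input: the report's IoC values plus one benign entry.
REPORT_USERINIT = (
    r"C:\\Windows\\system32\\userinit.exe,"
    r"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windupdt\\winupdate.exe"
)
REPORT_RUN_VALUES = {
    "DefaultSystem": r"C:\\ProgramData\\Sys32c.exe",
    "winupdater": r"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windupdt\\winupdate.exe",
    # benign, constructed for contrast (quoted path with an argument)
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    for entry in userinit_extra_entries(REPORT_USERINIT):
        print("UserInit extra entry:", entry)
    for name, exe in run_key_findings(REPORT_RUN_VALUES):
        print(f"Run\\{name} -> {exe}")
```

The UserInit comparison is deliberately exact: a value that differs only by an extra entry, a different drive letter or a lookalike filename is a finding, because there is no legitimate reason for anything other than the stock entry to be there.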
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1684 set thread context of 2664 | 1684 | 6aa399068d8103d8e7e44c76a04a927f.exe | 28
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | vbc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | vbc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | vbc.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | vbc.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | vbc.exe
These HARDWARE\DESCRIPTION values are read by plenty of benign software, so individually they are weak evidence; together with the SystemBiosDate read above they form the usual host-fingerprinting set (vendor strings and BIOS dates are where hypervisors and sandbox images give themselves away). The reads come from the hollowed vbc.exe, so they happen after injection rather than as a pre-injection guard.
Suspicious use of AdjustPrivilegeToken (23 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 2664 | vbc.exe
Token: SeSecurityPrivilege | 2664 | vbc.exe
Token: SeTakeOwnershipPrivilege | 2664 | vbc.exe
Token: SeLoadDriverPrivilege | 2664 | vbc.exe
Token: SeSystemProfilePrivilege | 2664 | vbc.exe
Token: SeSystemtimePrivilege | 2664 | vbc.exe
Token: SeProfSingleProcessPrivilege | 2664 | vbc.exe
Token: SeIncBasePriorityPrivilege | 2664 | vbc.exe
Token: SeCreatePagefilePrivilege | 2664 | vbc.exe
Token: SeBackupPrivilege | 2664 | vbc.exe
Token: SeRestorePrivilege | 2664 | vbc.exe
Token: SeShutdownPrivilege | 2664 | vbc.exe
Token: SeDebugPrivilege | 2664 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 2664 | vbc.exe
Token: SeChangeNotifyPrivilege | 2664 | vbc.exe
Token: SeRemoteShutdownPrivilege | 2664 | vbc.exe
Token: SeUndockPrivilege | 2664 | vbc.exe
Token: SeManageVolumePrivilege | 2664 | vbc.exe
Token: SeImpersonatePrivilege | 2664 | vbc.exe
Token: SeCreateGlobalPrivilege | 2664 | vbc.exe
Token: 33 | 2664 | vbc.exe
Token: 34 | 2664 | vbc.exe
Token: 35 | 2664 | vbc.exe
All 23 adjustments come from vbc.exe (PID 2664) and cover essentially every privilege an administrator token holds; the last three are privilege LUIDs the sandbox did not resolve to names. A compiler has no use for SeDebugPrivilege, SeLoadDriverPrivilege or SeTakeOwnershipPrivilege, and enabling the whole set in one burst is the fingerprint of code that walks the token and enables everything present. Enabling privileges only works if the token already holds them, which it does here because the sample runs as the sandbox's Admin user.
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target | count
PID 1684 wrote to memory of 2664 | 1684 | 6aa399068d8103d8e7e44c76a04a927f.exe | 28 | 13 writes
PID 2664 wrote to memory of 2708 | 2664 | vbc.exe | 30 | 7 writes
Processes
- C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe (PID 1684, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2664, level 2)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (no arguments; a real compile passes source files or a response file, and vbc.exe with no arguments only prints its usage and exits)
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe (PID 2708, level 3)
      command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe"
      - Executes dropped EXE
Reading the tree: according to the listed signatures the original sample itself only sets the DefaultSystem Run value and then hollows vbc.exe. The host fingerprinting, the Winlogon and hosts-file tampering and the launch of the dropped winupdate.exe all come from the hollowed vbc.exe, so a detection keyed on the sample's filename or hash misses most of the behaviour, while a rule on vbc.exe started without arguments by a process in a user temp directory, or on vbc.exe writing HKLM\...\Winlogon\UserInit, catches it.
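The SetThreadContext and WriteProcessMemory signatures above are the raw events behind the hollowing of vbc.exe, but the report lists them as twenty individual rows. Below is an added example, not part of the sandbox report, of the correlation a triage script would do: it parses the IoC rows in the format this page prints them, counts writes and thread-context resets per (source PID, target PID) pair, and reports only the pairs that show both. The sample rows are the report's own twenty events (13 writes plus one SetThreadContext from 1684 to 2664, 7 writes from 2664 to 2708), embedded as a constructed list; the parser and function names are mine.

```python
"""Correlate per-event WriteProcessMemory / SetThreadContext IoC rows into
per (source, target) counters and pick out process-hollowing candidates.
Added example, not from the report; rows below mirror the report's data."""
import re
from collections import defaultdict

# Row format as printed on this page:
#   "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
#   "PID <src> set thread context of <dst> <src> <image> <procid_target>"
_EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<api>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target_idx>\d+)$"
)


def correlate(lines):
    """Map (src_pid, dst_pid) -> {'image', 'writes', 'set_thread_context'}.
    Lines that do not match the row format are ignored."""
    pairs = defaultdict(lambda: {"image": None, "writes": 0, "set_thread_context": 0})
    for line in lines:
        m = _EVENT_RE.match(line.strip())
        if not m:
            continue
        rec = pairs[(int(m["src"]), int(m["dst"]))]
        rec["image"] = m["image"]
        if m["api"].startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["set_thread_context"] += 1
    return dict(pairs)


def hollowing_candidates(lines):
    """Pairs where the source both wrote into the target and replaced a
    thread context. Writes alone (2664 -> 2708 here) also show up on plain
    process creation under an API monitor; the thread-context reset on top
    of writes is the discriminating combination."""
    return [key for key, rec in correlate(lines).items()
            if rec["writes"] and rec["set_thread_context"]]


# Constructed input: the twenty rows from this report.
SAMPLE_IMAGE = "6aa399068d8103d8e7e44c76a04a927f.exe"
REPORT_ROWS = (
    [f"PID 1684 wrote to memory of 2664 1684 {SAMPLE_IMAGE} 28"] * 13
    + [f"PID 1684 set thread context of 2664 1684 {SAMPLE_IMAGE} 28"]
    + ["PID 2664 wrote to memory of 2708 2664 vbc.exe 30"] * 7
)

if __name__ == "__main__":
    for (src, dst), rec in correlate(REPORT_ROWS).items():
        print(f"{src} -> {dst} ({rec['image']}): "
              f"{rec['writes']} writes, {rec['set_thread_context']} SetThreadContext")
    print("hollowing candidates:", hollowing_candidates(REPORT_ROWS))
```

The same pairing logic applies to live telemetry (Sysmon does not log these calls directly, but EDR API-hook feeds do): a parent that writes into a child it just created and then calls SetThreadContext on the child's initial thread is starting something other than the image on disk, and the child's image name (here a signed Microsoft compiler) should not be trusted as a description of what is running.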
Network
MITRE ATT&CK Enterprise v15
Downloads
Artifacts the report offers for download (dropped files and/or memory dumps); the listing carries sizes and hashes only, with no file names or paths, so none of them can be tied to winupdate.exe or Sys32c.exe from this page alone.
- Filesize: 237KB
  MD5: 4326c5bcbaf649fd8bc88ef80532c4a5
  SHA1: bbddc8b8cb109bf39b90ff19d3a37146af690f49
  SHA256: 8e8be1be8c5159db747dcd1454addfd82644e74ddb0375f35ff52f831c429887
  SHA512: 6ea384987b96a0d684822af4d130aad3385eda01b618172d76fa4c048340b908b73425f5d9d52ca7a10481eb553bd09ed0d8bdb24a3c6e48d5e3f6b55492e0b7
- Filesize: 186KB
  MD5: 028ba1b5349e19e13e8aaa82c07ee968
  SHA1: bfabce674641a7733facbaf462e8c8628b2d5acc
  SHA256: 2c56a9575c13e93fdb87c9d0b790ae313c61895e40627541d1ba8c5012b47959
  SHA512: 1287d524033bdfc394460398ced6ae937f56647e5364f85ef8a3fc9ba6db9f87498f29656eb2b647583dcc295c61da1d969fe991fc7f541f784891e7dfc88078
- Filesize: 155KB
  MD5: fde07b7deb47f1739dd6879f3505ebc5
  SHA1: c5325e9d9eb9f5766061fa88ff55fee70bbd6a4f
  SHA256: c455c9e8977b4f912bcf7bba61d089aa444101f11ab8a2e5052ad46e637de9cb
  SHA512: 3a50a603743e68f4d3cbcda2c4be31bdf0394fd2bce3408fee3568241f6336bd0e82911e63ebc93febd08adf11373b9c969d734f9dcd2dc41dc34881a357b3ab
- Filesize: 422KB
  MD5: a141a3effac6f617f8614a0586c8d406
  SHA1: 72b8dad141ab1ea1ed51ebcf2b7d834f49ed037b
  SHA256: 50b6c15871317bfaa0376230cb537cc8fcfee7277570c34895179dabce8ac776
  SHA512: ef18f56ae40a4193a4d87d1ad6dd3d426dcd47c895920bd6205274601e853383a34b613c72dca1412d448ab8173892309226c4f537326f1e301e01404429036b