Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2024, 14:11
Static task: static1
Behavioral task: behavioral1 (Sample: 6aa399068d8103d8e7e44c76a04a927f.exe, Resource: win7-20231215-en)
Behavioral task: behavioral2 (Sample: 6aa399068d8103d8e7e44c76a04a927f.exe, Resource: win10v2004-20231222-en)
General

Target: 6aa399068d8103d8e7e44c76a04a927f.exe
Size: 852KB
MD5: 6aa399068d8103d8e7e44c76a04a927f
SHA1: 286e985bbbb1aa4568bcc4f36d2c55c80cdc7e34
SHA256: 3d849011f1bda6edb5e9eebfb1c639fb0d5d4dc20cfc7605401e661a0ef1ebd2
SHA512: 3606ee585d4efee337b69b259c2179e021eb79fc1f76139502c1b4d4ff3a68f6f507af583c1686701f1835747b48a042fb19ddfdda0a916e2f76e1887e4f30e3
SSDEEP: 12288:6Ull2QkqHQOzbACXu2eq0yKcRENhm3k60doCcuesI+J2a0gwiKgfpZpjn8kNBDXo:66vNXuain63k60uro2FgwONDBBrCbM2
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Winlogon launches every comma-separated entry of the UserInit value at each interactive logon, so appending winupdate.exe after the legitimate userinit.exe makes the dropped file run at every logon without breaking the logon itself.
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windupdt\\winupdate.exe"  (vbc.exe)

Drops file in Drivers directory (1 IoC)
  The hosts file is the local name-resolution override. The report shows it opened for writing; the content written is not shown.
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  (vbc.exe)

Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  (vbc.exe)

Executes dropped EXE (1 IoC)
  PID 1552  winupdate.exe

Uses the VBS compiler for execution (1 TTP)
  vbc.exe is the .NET Framework Visual Basic compiler, a signed Microsoft binary, launched here from C:\Windows\Microsoft.NET\Framework\v2.0.50727 with no arguments. Together with the SetThreadContext and WriteProcessMemory entries below (parent 2776 writing into 4520), this is consistent with the sample hollowing vbc.exe and running its payload under that image name.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefaultSystem = "C:\\ProgramData\\Sys32c.exe"  (6aa399068d8103d8e7e44c76a04a927f.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windupdt\\winupdate.exe"  (vbc.exe)
  Both targets sit under C:\ProgramData, which a standard user can write to; a Run value pointing there is the first thing to check on a suspected host.

Suspicious use of SetThreadContext (1 IoC)
  PID 2776 (6aa399068d8103d8e7e44c76a04a927f.exe) set thread context of PID 4520 (vbc.exe); procid_target 36

Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  (vbc.exe)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (vbc.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (vbc.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  (vbc.exe)

Enumerates system info in registry (2 TTPs, 1 IoC)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  (vbc.exe)

Modifies registry class (1 IoC)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  (vbc.exe)

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  All 24 privileges are enabled by PID 4520 (vbc.exe). Enabling the whole set at once, including SeDebugPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege and SeImpersonatePrivilege, is far broader than any single operation needs.
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (the last four are privilege values the report does not resolve to names)

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2776 (6aa399068d8103d8e7e44c76a04a927f.exe) wrote to memory of PID 4520 (vbc.exe); procid_target 36; 14 entries
  PID 4520 (vbc.exe) wrote to memory of PID 1552 (winupdate.exe); procid_target 60; 3 entries
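The persistence and injection indicators above (an extra UserInit entry, Run values under ProgramData, a write to the hosts file, and a parent that both writes into a child and resets its thread context) are the kind of thing a triage script should pull out of a behavioural log automatically. The following is an added example, not tooling from this sandbox or code from the sample's author; the EVENTS list is a constructed simplification of the report's rows, and the function names and event field names are my own.

```python
"""Triage helper that pulls persistence and injection indicators out of
sandbox behavioural events.  Added example, not this sandbox's tooling; the
EVENTS list is a constructed simplification of the report's rows."""
import re
from collections import defaultdict

# Stock Winlogon UserInit value on Windows 10; anything else in the list is extra.
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"
# Lower-cased path fragments a standard user can write to; an autorun pointing
# here deserves a look because nothing installed by an administrator needs it.
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\", "c:\\users\\public\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000"

# Constructed sample events mirroring the report (registry rows keep the
# report's values; injection rows carry only the pids involved).
EVENTS = [
    {"type": "registry_set", "pid": 2776, "process": "6aa399068d8103d8e7e44c76a04a927f.exe",
     "key": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefaultSystem",
     "value": r"C:\ProgramData\Sys32c.exe"},
    {"type": "registry_set", "pid": 4520, "process": "vbc.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "value": r"C:\Windows\system32\userinit.exe,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe"},
    {"type": "registry_set", "pid": 4520, "process": "vbc.exe",
     "key": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater",
     "value": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe"},
    {"type": "file_open_write", "pid": 4520, "process": "vbc.exe",
     "path": r"C:\Windows\system32\drivers\etc\hosts"},
    {"type": "set_thread_context", "pid": 2776, "target_pid": 4520},
    {"type": "write_process_memory", "pid": 2776, "target_pid": 4520},
    {"type": "write_process_memory", "pid": 4520, "target_pid": 1552},
]


def userinit_extras(value):
    """Entries of a Winlogon UserInit value other than the stock userinit.exe.
    Winlogon runs every comma-separated entry at interactive logon, so a second
    entry is a logon-time autorun even though the original entry is intact."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT]


def suspicious_run_entries(events):
    """(value name, target) for Run/RunOnce values whose target is user-writable."""
    found = []
    for ev in events:
        if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
            continue
        if any(frag in ev["value"].lower() for frag in USER_WRITABLE):
            found.append((ev["key"].rsplit("\\", 1)[-1], ev["value"]))
    return found


def hollowing_pairs(events):
    """(parent, child) pairs where the parent both wrote the child's memory and
    replaced a thread context: the shape of process hollowing.  A parent that
    only writes into a child (as vbc.exe does to winupdate.exe in the report)
    does not qualify on its own."""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] in ("set_thread_context", "write_process_memory"):
            seen[(ev["pid"], ev["target_pid"])].add(ev["type"])
    return sorted(pair for pair, kinds in seen.items() if len(kinds) == 2)


def hosts_file_writers(events):
    """Pids that opened the hosts file (local name-resolution override) for writing."""
    return [ev["pid"] for ev in events
            if ev["type"] == "file_open_write"
            and ev["path"].lower().endswith("\\drivers\\etc\\hosts")]


def triage(events):
    """Collect every finding; a key maps to an empty list when the indicator is absent."""
    extras = []
    for ev in events:
        if ev["type"] == "registry_set" and ev["key"].lower().endswith("\\winlogon\\userinit"):
            extras += userinit_extras(ev["value"])
    return {
        "userinit_extras": extras,
        "run_entries": suspicious_run_entries(events),
        "hollowing_pairs": hollowing_pairs(events),
        "hosts_writers": hosts_file_writers(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

The UserInit check compares each entry against the stock value rather than looking for a specific dropped path, so it also catches a replaced first entry and tolerates the trailing comma Windows leaves on a clean value. The hollowing check deliberately requires both a memory write and a thread-context change from the same parent to the same child; a memory write alone is what the report also shows for vbc.exe starting winupdate.exe, which then ran as a normal child.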
Processes

1  C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe  (PID 2776)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6aa399068d8103d8e7e44c76a04a927f.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 4520, child of 2776)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (no arguments)
      - Modifies WinLogon for persistence
      - Drops file in Drivers directory
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe  (PID 1552, child of 4520)
         Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windupdt\winupdate.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 17KB
  MD5: 66e265ca827a401294e0064082a71e29
  SHA1: d2dee7d9b7415b89f866d557aee69c7e74cc15a7
  SHA256: 8de30cb4c4be2b0f508ad074be04fdca829e7530f062319cc35da16dcb581f54
  SHA512: 3107dd5f5604f5fcbab46e6cc72e77a4d0565ecca06ba234022022c037604c40c918d233442b028716694cafa3a755c4f0bc2960ecc49810e9eb9bcdeb1aa891

File 2
  Filesize: 477KB
  MD5: 8e39fd2e9d75384394c5d6a8b36fe59a
  SHA1: ca665be11d79e27916e1672a3ecab3ae868da50a
  SHA256: abed5d6051f25910572df226c0c9aa26a26993507edc554f0c93b51af0e8310a
  SHA512: a90e19d14fd945f67645aed436bfe46fad9e37dbc6d9d13b2d55041209cbdf378ead883cec767570704a452165a60093007e506822f6c8c0bd1e4ed5c02b8f88

File 3
  Filesize: 524KB
  MD5: 3a3ba4b6373bde1843d01d10e1b6ee64
  SHA1: d9aa125d1b58ccb3d0fec336629e860f8e028a8a
  SHA256: 968809fd7feeecdfcf8bf29a88ccc55c3f95d15aca6b7a2afbdbeaf757152600
  SHA512: 1d5fc30e00f36a308467ed74f4e3d6e8463278b82c93076e2ad8131d66adac50ea57da2f93b53abcf5f5b81fa5ef427e9137589d870bab15282f6c796f11477e