7b2e8f1f975843abd3b5b62cf87738f04582242bc11ef234f6a747b5ccc5fefc

Analysis

max time kernel
124s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 02:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7911efb1757b257596ebc285dd6f6b75.exe
Size

42KB
MD5

7911efb1757b257596ebc285dd6f6b75
SHA1

c1989a663882effc6ff3edf40ab2cb6d15824bbb
SHA256

7b2e8f1f975843abd3b5b62cf87738f04582242bc11ef234f6a747b5ccc5fefc
SHA512

f34b565ce178c77672f1a5f38a5e8942a257616c28df2328ccea5186811d399a1e29674eae72dc7a72c160d21456f78de58622936219f43ff0f3acf696800f9d
SSDEEP

768:rA0c836Sur6BB6Y7vruEdkCGGFLR0tb15horL3MxRvrgmM5GVk:rpCb+Bp7zNaCXLCt15hokTPU2k

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3668	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdtr\\7911efb1757b257596ebc285dd6f6b75.exe"	7911efb1757b257596ebc285dd6f6b75.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4768 set thread context of 3668	4768	7911efb1757b257596ebc285dd6f6b75.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4608	3668	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4768	7911efb1757b257596ebc285dd6f6b75.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	7911efb1757b257596ebc285dd6f6b75.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 3668	4768	7911efb1757b257596ebc285dd6f6b75.exe	92
PID 4768 wrote to memory of 3668	4768	7911efb1757b257596ebc285dd6f6b75.exe	92
PID 4768 wrote to memory of 3668	4768	7911efb1757b257596ebc285dd6f6b75.exe	92
PID 4768 wrote to memory of 3668	4768	7911efb1757b257596ebc285dd6f6b75.exe	92
PID 4768 wrote to memory of 3668	4768	7911efb1757b257596ebc285dd6f6b75.exe	92
PID 4768 wrote to memory of 3668	4768	7911efb1757b257596ebc285dd6f6b75.exe	92
PID 4768 wrote to memory of 3668	4768	7911efb1757b257596ebc285dd6f6b75.exe	92

C:\Users\Admin\AppData\Local\Temp\7911efb1757b257596ebc285dd6f6b75.exe
"C:\Users\Admin\AppData\Local\Temp\7911efb1757b257596ebc285dd6f6b75.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 492
    3⤵
    - Program crash
    PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3668 -ip 3668
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
349KB

MD5
9ed70b80b99d19caf952b67caecf9ad8

SHA1
b090410d42c3843f26e629dea40ee91dde8d2750

SHA256
7b155d218273da22b523f6a04121e6779db3043bdde8db3cd4411a19ee6b3389

SHA512
0cb7e343600e5286cf8788b799180c712a23522961a5a0fd9bab6764c005ddf2a5417e89f13ce81263d13b701fad37eb322a0bb56103295bd0aabbb87cc75ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
223KB

MD5
658d6ad8e27ed8629270074ca9f21cc0

SHA1
42290037eb7a05524041b06e7460703ba9839a4e

SHA256
3b05b7e3f3d4626094f269cf7f70ca4404a61049fda43854053f668763b4b9f9

SHA512
b591bc355e0053ee9146879ed6065ffa6ad95010a103b59234a498a9ef6a847db09d6c897756cc93e937e9aedaa5e4189f35904b4db20a1a0e3312b8d1e49f20

Download Submit
memory/3668-12-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3668-7-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3668-14-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/4768-0-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/4768-2-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/4768-1-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/4768-13-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download