49aeb7c801aaf180053f374a7a988c6e490e01ec1cae2ae75c6703abc2e26261

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 13:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a5eab58bb4310fc23b03af65aa66afa.exe
Size

776KB
MD5

7a5eab58bb4310fc23b03af65aa66afa
SHA1

6591767a8a063d7d499f588a12d4d7bfb9c02763
SHA256

49aeb7c801aaf180053f374a7a988c6e490e01ec1cae2ae75c6703abc2e26261
SHA512

8d9ef975da2e6573fe7df9ab8cf24aec7937b19b930087074d7bcc20749729a7f541e253d1321c703b686ca8a2300ff4321d8d062ee211b2f727a9b8bf150f64
SSDEEP

24576:goc2lxDl/El+YFFtumDDHlRvoJdSn+qvwLKBGDOlbbREj:g4l8RFT7lutqvSal9Ej

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2652	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3096 set thread context of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	2652	vbc.exe
Token: SeCreateTokenPrivilege	2652	vbc.exe
Token: SeAssignPrimaryTokenPrivilege	2652	vbc.exe
Token: SeLockMemoryPrivilege	2652	vbc.exe
Token: SeIncreaseQuotaPrivilege	2652	vbc.exe
Token: SeMachineAccountPrivilege	2652	vbc.exe
Token: SeTcbPrivilege	2652	vbc.exe
Token: SeSecurityPrivilege	2652	vbc.exe
Token: SeTakeOwnershipPrivilege	2652	vbc.exe
Token: SeLoadDriverPrivilege	2652	vbc.exe
Token: SeSystemProfilePrivilege	2652	vbc.exe
Token: SeSystemtimePrivilege	2652	vbc.exe
Token: SeProfSingleProcessPrivilege	2652	vbc.exe
Token: SeIncBasePriorityPrivilege	2652	vbc.exe
Token: SeCreatePagefilePrivilege	2652	vbc.exe
Token: SeCreatePermanentPrivilege	2652	vbc.exe
Token: SeBackupPrivilege	2652	vbc.exe
Token: SeRestorePrivilege	2652	vbc.exe
Token: SeShutdownPrivilege	2652	vbc.exe
Token: SeDebugPrivilege	2652	vbc.exe
Token: SeAuditPrivilege	2652	vbc.exe
Token: SeSystemEnvironmentPrivilege	2652	vbc.exe
Token: SeChangeNotifyPrivilege	2652	vbc.exe
Token: SeRemoteShutdownPrivilege	2652	vbc.exe
Token: SeUndockPrivilege	2652	vbc.exe
Token: SeSyncAgentPrivilege	2652	vbc.exe
Token: SeEnableDelegationPrivilege	2652	vbc.exe
Token: SeManageVolumePrivilege	2652	vbc.exe
Token: SeImpersonatePrivilege	2652	vbc.exe
Token: SeCreateGlobalPrivilege	2652	vbc.exe
Token: 31	2652	vbc.exe
Token: 32	2652	vbc.exe
Token: 33	2652	vbc.exe
Token: 34	2652	vbc.exe
Token: 35	2652	vbc.exe
Token: SeDebugPrivilege	2652	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2652	vbc.exe
2652	vbc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88
PID 3096 wrote to memory of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88
PID 3096 wrote to memory of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88
PID 3096 wrote to memory of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88
PID 3096 wrote to memory of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88
PID 3096 wrote to memory of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88
PID 3096 wrote to memory of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88
PID 3096 wrote to memory of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88
PID 3096 wrote to memory of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88
PID 3096 wrote to memory of 2652	3096	7a5eab58bb4310fc23b03af65aa66afa.exe	88

C:\Users\Admin\AppData\Local\Temp\7a5eab58bb4310fc23b03af65aa66afa.exe
"C:\Users\Admin\AppData\Local\Temp\7a5eab58bb4310fc23b03af65aa66afa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\uncryp7ed.exe

Filesize
1.1MB

MD5
f08fe6920d8b7466965c0e7c64de710e

SHA1
eccd193cdebf54085ca7c559c2799f488b514238

SHA256
331ba6b1e342d503af3e298928a9482267399f184e15df9e6da6d07b8d80aaac

SHA512
1bde9271dadac0d20e02234de3f2a49758e1da196401f3cbddb45cb75ca59fab2902ed5017872f87ebd9955d069f8f0d4d06a6b399fe4beace4085f714aa35ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/2652-19-0x0000000074DD0000-0x0000000074E4A000-memory.dmp

Filesize
488KB

Download
memory/2652-5-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2652-10-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2652-18-0x00000000763C0000-0x00000000764B0000-memory.dmp

Filesize
960KB

Download
memory/2652-20-0x0000000076EF6000-0x0000000076EF7000-memory.dmp

Filesize
4KB

Download
memory/2652-21-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2652-27-0x00000000763C0000-0x00000000764B0000-memory.dmp

Filesize
960KB

Download
memory/3096-2-0x0000000001860000-0x0000000001870000-memory.dmp

Filesize
64KB

Download
memory/3096-12-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3096-1-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3096-0-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download