842cba670e093370d71c7bb2fb12673d3ca02b0aa7989162786619c1c3a5a2b8

Analysis

max time kernel
154s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f72e8ab4ab94dfa73cf817a6963fbbf.exe
Size

47KB
MD5

7f72e8ab4ab94dfa73cf817a6963fbbf
SHA1

a147d7cd5c0b924ff4728d6ae58c52c9b3852896
SHA256

842cba670e093370d71c7bb2fb12673d3ca02b0aa7989162786619c1c3a5a2b8
SHA512

bf3a4b044d788db58458de8aba827a049f0369db4b8c82f767b19c09a3b10fd5e3431e604b2af947de5723a43aa6c7909515c08ddbf26b8caeee51a3795b5f11
SSDEEP

768:eR/17lS9ukVk+x3K7/qDwLlU95NpRxRch/xTf7UkEQNKw+MlBAToi8pMSp:eR/17kD3MOwJU95HRch/xTf7UkEtxoBP

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe
3440	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\vtUlIcaX.dll,#1"	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vtUlIcaX.dll	7f72e8ab4ab94dfa73cf817a6963fbbf.exe
File created	C:\Windows\SysWOW64\vtUlIcaX.dll	7f72e8ab4ab94dfa73cf817a6963fbbf.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\vtUlIcaX.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe
1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe
3440	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 632	1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe	3
PID 1772 wrote to memory of 3440	1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe	92
PID 1772 wrote to memory of 3440	1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe	92
PID 1772 wrote to memory of 3440	1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe	92
PID 1772 wrote to memory of 4620	1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe	93
PID 1772 wrote to memory of 4620	1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe	93
PID 1772 wrote to memory of 4620	1772	7f72e8ab4ab94dfa73cf817a6963fbbf.exe	93

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\7f72e8ab4ab94dfa73cf817a6963fbbf.exe
"C:\Users\Admin\AppData\Local\Temp\7f72e8ab4ab94dfa73cf817a6963fbbf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\system32\vtUlIcaX.dll,a
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wvUnKBtt.bat "C:\Users\Admin\AppData\Local\Temp\7f72e8ab4ab94dfa73cf817a6963fbbf.exe"
  2⤵
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wvUnKBtt.bat

Filesize
63B

MD5
a5b1e9ad1d35a468b66c119e1fa03d5e

SHA1
beec521ff5af2053a51edb9067e00cfad0b4a435

SHA256
c14fb98781e63391420707ba9d0576e5f1bf18e48cb15420181d4bc3c96aa0fb

SHA512
c23e40899d3b73b637fbd1bae136e134b5b8c51ef515255488ef392f16611337a9fa793fbff6ca82370b6451314fbc59aa97e7a1698aef1cfc84c2459d8a3a39

Download Submit
C:\Windows\SysWOW64\vtUlIcaX.dll

Filesize
34KB

MD5
a32b24155469310785d65eba417baacd

SHA1
c34343dc2ffab5d4719eac4b67134b49fa3a5f9f

SHA256
9cb690b300f9c8c75a72be4ae26fee9cab58b64663b2261e3feb1d1d1d560525

SHA512
2492214c57b928b16e74526f85d315b2af8072c2cfe1233ab449b820b7fcf785de3bf62c8cbedbf34e617ce4c8b26f57ebc23ca03fab50d98ad6c38e0b63e623

Download Submit
memory/1772-2-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1772-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1772-8-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1772-9-0x0000000002400000-0x0000000002405000-memory.dmp

Filesize
20KB

Download
memory/1772-10-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/1772-15-0x00000000006C0000-0x00000000006C5000-memory.dmp

Filesize
20KB

Download
memory/1772-16-0x0000000002400000-0x0000000002405000-memory.dmp

Filesize
20KB

Download
memory/1772-1-0x00000000006C0000-0x00000000006C5000-memory.dmp

Filesize
20KB

Download
memory/3440-25-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3440-26-0x0000000000C70000-0x0000000000C75000-memory.dmp

Filesize
20KB

Download
memory/3440-27-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/3440-28-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download