510fc8c2112e2bc544fb29a72191eabcc68d3a5a7468d35d7694493bc8593a79

Resubmissions

19-02-2024 20:13

240219-yzvvaacc51 4

19-02-2024 20:12

240219-yy1n5sch35 6

Analysis

max time kernel
64s
max time network
70s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 20:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

VC_redist.x86.exe
Size

13.2MB
MD5

9882a328c8414274555845fa6b542d1e
SHA1

ab4a97610b127d68c45311deabfbcd8aa7066f4b
SHA256

510fc8c2112e2bc544fb29a72191eabcc68d3a5a7468d35d7694493bc8593a79
SHA512

c08d1aa7e6e6215a0cee2793592b65668066c8c984b26675d2b8c09bc7fee21411cb3c0a905eaee7a48e7a47535fa777de21eeb07c78bca7bf3d7bb17192acf2
SSDEEP

196608:oRjgvJ2flpQcIIS/Rj7BWl+aV8t8z72BxBwBgO42BE6+2DQlMp1sHW5ZDmCCM0Xr:IgRIlptVYmfr7yBG/4pXMHsHW76CsGE

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in Windows directory 1 IoCs

Processes:

wuapp.exe

description ioc process

File opened for modification C:\Windows\WindowsUpdate.log wuapp.exe
Executes dropped EXE 1 IoCs

Processes:

VC_redist.x86.exe

pid process

1968 VC_redist.x86.exe
Loads dropped DLL 2 IoCs

Processes:

VC_redist.x86.exeVC_redist.x86.exe

pid process

1836 VC_redist.x86.exe
1968 VC_redist.x86.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	wuapp.exe

pid	process
1968	VC_redist.x86.exe

pid	process
1836	VC_redist.x86.exe
1968	VC_redist.x86.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

VC_redist.x86.exe

description	pid	process	target process
PID 1836 wrote to memory of 1968	1836	VC_redist.x86.exe	VC_redist.x86.exe
PID 1836 wrote to memory of 1968	1836	VC_redist.x86.exe	VC_redist.x86.exe
PID 1836 wrote to memory of 1968	1836	VC_redist.x86.exe	VC_redist.x86.exe
PID 1836 wrote to memory of 1968	1836	VC_redist.x86.exe	VC_redist.x86.exe
PID 1836 wrote to memory of 1968	1836	VC_redist.x86.exe	VC_redist.x86.exe
PID 1836 wrote to memory of 1968	1836	VC_redist.x86.exe	VC_redist.x86.exe
PID 1836 wrote to memory of 1968	1836	VC_redist.x86.exe	VC_redist.x86.exe

C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe
C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe shutdown -i
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\Temp\{21BC7AE5-0FEA-4B19-ADB4-9C9A06F30487}\.cr\VC_redist.x86.exe
"C:\Windows\Temp\{21BC7AE5-0FEA-4B19-ADB4-9C9A06F30487}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 shutdown -i
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968

C:\Windows\system32\wuapp.exe
"C:\Windows\system32\wuapp.exe" startmenu
1⤵
- Drops file in Windows directory
PID:2856

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2916

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{21BC7AE5-0FEA-4B19-ADB4-9C9A06F30487}\.cr\VC_redist.x86.exe

Filesize
226KB

MD5
752cafbd7a1919cdf39fd6f1bcf22e71

SHA1
33f5d73e01dbc853271c36182f52d9d49e0eed27

SHA256
8f8b8da9852df7ea0223ed5345fec40836ed820a266f71c569e5374037ed0278

SHA512
667754e8b7bc12920ebc23d2207fc7e0728a5ed020764a2bd395b6633751eef8ce370f78005ca0dd101b1922d2e46cf52e5dde82dac6db18be37f367ba3e38b8

Download Submit
C:\Windows\Temp\{21BC7AE5-0FEA-4B19-ADB4-9C9A06F30487}\.cr\VC_redist.x86.exe

Filesize
200KB

MD5
b42da783521b1553617032b6e061657a

SHA1
3e183ae98462df36e17163ff66b929b102a9c71a

SHA256
aed7036da57129269f7c206a14af376292da1880688d99f4fed007569eeea9d3

SHA512
4c8c726b8745279a990e2383a6eb5839c84b64a2b89dab59cb0666bac16239b0bf77b059f9ef40bdf533c63a33ecf8c3c6a0da901044f18af622cd2c35a80c45

Download Submit
C:\Windows\Temp\{A04B773F-C588-49B2-AA79-0CCAAB218602}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
\Windows\Temp\{21BC7AE5-0FEA-4B19-ADB4-9C9A06F30487}\.cr\VC_redist.x86.exe

Filesize
576KB

MD5
ca35fa07985600f3bc2a299774643826

SHA1
e5efcc3dca5357f747a0158771e4034bf9a1050e

SHA256
873d6b56f98c6991538b19b9be2249c12f204395b79810c5d114296a456fe402

SHA512
2b53f7a11723c529ffe25ea772ca365fc6db1bae37e122af76a4473efcfa05d76ec5429a140206634464eb05c200f3388fd4d7db76c446c72adf6ed47cf10ebe

Download Submit
\Windows\Temp\{A04B773F-C588-49B2-AA79-0CCAAB218602}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/1748-83-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1980-82-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download