1e924f2169c1f24cdaccb5f8a5e63cd07bf189514b8a9846e9cf8cc9bec9c50b

General

Target

d132f0ddbfb5c89aecdfb4db1abf9551.exe
Size

73KB
MD5

d132f0ddbfb5c89aecdfb4db1abf9551
SHA1

d602756bb7f53d18a8c4a083039e306cccb8327c
SHA256

1e924f2169c1f24cdaccb5f8a5e63cd07bf189514b8a9846e9cf8cc9bec9c50b
SHA512

2dad38dd1e4cbaf6d8eb6e9c778fc3221b13adae1bd27aec60ec74c82c9a4062c370e3bfe1e2bc7d8cba61232529bb115c300658685a62d0865a9a454f2709b5
SSDEEP

1536:Ag5YYNU8+3HHop4P9qBH2kaXR6QF7eWUu4ZaZP6nJ4a34rsVu:AiU86odQHh64y4P6J4rMu

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	vbc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	vbc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:NVIDIA driver monitor"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"	vbc.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4036 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

nvsvc32.exe

pid process

5104 nvsvc32.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4036	netsh.exe

pid	process
5104	nvsvc32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = "C:\\Windows\\nvsvc32.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = "C:\\Windows\\nvsvc32.exe"	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d132f0ddbfb5c89aecdfb4db1abf9551.exevbc.exe

description	pid	process	target process
PID 1124 set thread context of 1772	1124	d132f0ddbfb5c89aecdfb4db1abf9551.exe	vbc.exe
PID 1772 set thread context of 1564	1772	vbc.exe	vbc.exe

Drops file in Windows directory 5 IoCs

Processes:

vbc.exe

description	ioc	process
File created	C:\Windows\nvsvc32.exb	vbc.exe
File opened for modification	C:\Windows\nvsvc32.exb	vbc.exe
File opened for modification	C:\Windows\nvsvc32.exe	vbc.exe
File created	C:\Windows\nvsvc32.exe	vbc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	vbc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

d132f0ddbfb5c89aecdfb4db1abf9551.exevbc.exevbc.exe

description	pid	process	target process
PID 1124 wrote to memory of 1772	1124	d132f0ddbfb5c89aecdfb4db1abf9551.exe	vbc.exe
PID 1124 wrote to memory of 1772	1124	d132f0ddbfb5c89aecdfb4db1abf9551.exe	vbc.exe
PID 1124 wrote to memory of 1772	1124	d132f0ddbfb5c89aecdfb4db1abf9551.exe	vbc.exe
PID 1124 wrote to memory of 1772	1124	d132f0ddbfb5c89aecdfb4db1abf9551.exe	vbc.exe
PID 1124 wrote to memory of 1772	1124	d132f0ddbfb5c89aecdfb4db1abf9551.exe	vbc.exe
PID 1124 wrote to memory of 1772	1124	d132f0ddbfb5c89aecdfb4db1abf9551.exe	vbc.exe
PID 1124 wrote to memory of 1772	1124	d132f0ddbfb5c89aecdfb4db1abf9551.exe	vbc.exe
PID 1124 wrote to memory of 1772	1124	d132f0ddbfb5c89aecdfb4db1abf9551.exe	vbc.exe
PID 1772 wrote to memory of 1564	1772	vbc.exe	vbc.exe
PID 1772 wrote to memory of 1564	1772	vbc.exe	vbc.exe
PID 1772 wrote to memory of 1564	1772	vbc.exe	vbc.exe
PID 1772 wrote to memory of 1564	1772	vbc.exe	vbc.exe
PID 1772 wrote to memory of 1564	1772	vbc.exe	vbc.exe
PID 1564 wrote to memory of 4036	1564	vbc.exe	netsh.exe
PID 1564 wrote to memory of 4036	1564	vbc.exe	netsh.exe
PID 1564 wrote to memory of 4036	1564	vbc.exe	netsh.exe
PID 1564 wrote to memory of 5104	1564	vbc.exe	nvsvc32.exe
PID 1564 wrote to memory of 5104	1564	vbc.exe	nvsvc32.exe
PID 1564 wrote to memory of 5104	1564	vbc.exe	nvsvc32.exe

C:\Users\Admin\AppData\Local\Temp\d132f0ddbfb5c89aecdfb4db1abf9551.exe
"C:\Users\Admin\AppData\Local\Temp\d132f0ddbfb5c89aecdfb4db1abf9551.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Modifies firewall policy service
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram 1.exe 1 ENABLE
4⤵
- Modifies Windows Firewall
PID:4036

C:\Windows\nvsvc32.exe
"C:\Windows\nvsvc32.exe"
4⤵
- Executes dropped EXE
PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

Disable or Modify System Firewall

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\nvsvc32.exe
Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
memory/1124-1-0x0000000000D00000-0x0000000000D10000-memory.dmp

Filesize
64KB

Download
memory/1124-2-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/1124-0-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/1124-9-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/1564-13-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1564-26-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1564-25-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1564-8-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1564-11-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1564-14-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1772-7-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-10-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/1772-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1772-3-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads