Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-03-2024 15:13
Static task: static1
Behavioral task: behavioral1
- Sample: d132f0ddbfb5c89aecdfb4db1abf9551.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d132f0ddbfb5c89aecdfb4db1abf9551.exe
- Resource: win10v2004-20240226-en
General
- Target: d132f0ddbfb5c89aecdfb4db1abf9551.exe
- Size: 73KB
- MD5: d132f0ddbfb5c89aecdfb4db1abf9551
- SHA1: d602756bb7f53d18a8c4a083039e306cccb8327c
- SHA256: 1e924f2169c1f24cdaccb5f8a5e63cd07bf189514b8a9846e9cf8cc9bec9c50b
- SHA512: 2dad38dd1e4cbaf6d8eb6e9c778fc3221b13adae1bd27aec60ec74c82c9a4062c370e3bfe1e2bc7d8cba61232529bb115c300658685a62d0865a9a454f2709b5
- SSDEEP: 1536:Ag5YYNU8+3HHop4P9qBH2kaXR6QF7eWUu4ZaZP6nJ4a34rsVu:AiU86odQHh64y4P6J4rMu
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 5 IoCs)
Processes: vbc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | vbc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | vbc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:NVIDIA driver monitor" | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\nvsvc32.exe:*:Enabled:NVIDIA driver monitor" | vbc.exe

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes: netsh.exe
pid | process
4036 | netsh.exe

Executes dropped EXE (1 IoC)
Processes: nvsvc32.exe
pid | process
5104 | nvsvc32.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = "C:\\Windows\\nvsvc32.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = "C:\\Windows\\nvsvc32.exe" | vbc.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: d132f0ddbfb5c89aecdfb4db1abf9551.exe, vbc.exe
description | pid | process | target process
PID 1124 set thread context of 1772 | 1124 | d132f0ddbfb5c89aecdfb4db1abf9551.exe | vbc.exe
PID 1772 set thread context of 1564 | 1772 | vbc.exe | vbc.exe

Drops file in Windows directory (5 IoCs)
Processes: vbc.exe
description | ioc | process
File created | C:\Windows\nvsvc32.exb | vbc.exe
File opened for modification | C:\Windows\nvsvc32.exb | vbc.exe
File opened for modification | C:\Windows\nvsvc32.exe | vbc.exe
File created | C:\Windows\nvsvc32.exe | vbc.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | vbc.exe

Suspicious use of WriteProcessMemory (19 IoCs)
Processes: d132f0ddbfb5c89aecdfb4db1abf9551.exe, vbc.exe, vbc.exe
description | pid | process | target process | entries
PID 1124 wrote to memory of 1772 | 1124 | d132f0ddbfb5c89aecdfb4db1abf9551.exe | vbc.exe | 8
PID 1772 wrote to memory of 1564 | 1772 | vbc.exe | vbc.exe | 5
PID 1564 wrote to memory of 4036 | 1564 | vbc.exe | netsh.exe | 3
PID 1564 wrote to memory of 5104 | 1564 | vbc.exe | nvsvc32.exe | 3
Processes

1. C:\Users\Admin\AppData\Local\Temp\d132f0ddbfb5c89aecdfb4db1abf9551.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d132f0ddbfb5c89aecdfb4db1abf9551.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         - Modifies firewall policy service
         - Adds Run key to start application
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram 1.exe 1 ENABLE
            - Modifies Windows Firewall
         4. C:\Windows\nvsvc32.exe
            Command line: "C:\Windows\nvsvc32.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads

- C:\Windows\nvsvc32.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Memory dumps (file, filesize):
- memory/1124-1-0x0000000000D00000-0x0000000000D10000-memory.dmp, 64KB
- memory/1124-2-0x0000000075510000-0x0000000075AC1000-memory.dmp, 5.7MB
- memory/1124-0-0x0000000075510000-0x0000000075AC1000-memory.dmp, 5.7MB
- memory/1124-9-0x0000000075510000-0x0000000075AC1000-memory.dmp, 5.7MB
- memory/1564-13-0x0000000000400000-0x00000000006F5000-memory.dmp, 3.0MB
- memory/1564-26-0x0000000000400000-0x00000000006F4000-memory.dmp, 3.0MB
- memory/1564-25-0x0000000000400000-0x00000000006F5000-memory.dmp, 3.0MB
- memory/1564-8-0x0000000000400000-0x00000000006F5000-memory.dmp, 3.0MB
- memory/1564-11-0x0000000000400000-0x00000000006F5000-memory.dmp, 3.0MB
- memory/1564-14-0x0000000000400000-0x00000000006F5000-memory.dmp, 3.0MB
- memory/1772-7-0x0000000000400000-0x000000000041B000-memory.dmp, 108KB
- memory/1772-12-0x0000000000400000-0x000000000041B000-memory.dmp, 108KB
- memory/1772-10-0x0000000000420000-0x00000000004E9000-memory.dmp, 804KB
- memory/1772-5-0x0000000000400000-0x000000000041B000-memory.dmp, 108KB
- memory/1772-3-0x0000000000400000-0x000000000041B000-memory.dmp, 108KB