Analysis
Max time kernel: 150s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 16-04-2024 02:33
Static task: static1
Behavioral task: behavioral1
Sample: f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
Size: 1.0MB
MD5: f27bcaa1644a3d59b1dbfb38c5aa0d6c
SHA1: d19334e7313a329b264b1236c579136e7e4ea1b0
SHA256: 4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2
SHA512: 47096764fcb520594421fe10382739769c0b363fdb3922af52ab18fc6d77db5226bdf8358ff28c4a53f0ed4f87626c8593afa35fabafa083cbdb84a8dbaeccab
SSDEEP: 12288:zUZsL8GPNmld8eiGb8f+F54+e6kT6D6BTqU8PfiVp+Xc9gw9z3UKhrhOniBkbdnL:gK3KF+wkP8UYs9NzkTmrRbaS0Vrdvr
Malware Config
Extracted
Family: darkcomet
Botnet ID: Guest16
C2: ultrafucker.no-ip.org:1604
Mutex: DC_MUTEX-XKL4MDM
InstallPath: MSDCSC\svchost.exe
gencode: wBVkapugtdJz
install: true
offline_keylogger: true
persistence: true
reg_key: svchost
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\svchost.exe" | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\svchost.exe,C:\\Windows\\system32\\MSDCSC\\wBVkapugtdJz\\svchost.exe" | vbc.exe
Sets file to hidden (1 TTPs, 4 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | process
2380 | attrib.exe
584 | attrib.exe
268 | attrib.exe
580 | attrib.exe
Executes dropped EXE (2 IoCs)
pid | process
1200 | svchost.exe
2356 | svchost.exe
Loads dropped DLL (2 IoCs)
pid | process
2528 | vbc.exe
1184 | vbc.exe
Uses the VBS compiler for execution (1 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\svchost.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\wBVkapugtdJz\\svchost.exe" | vbc.exe
Drops file in System32 directory (7 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\MSDCSC\wBVkapugtdJz\svchost.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\wBVkapugtdJz\svchost.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | vbc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\wBVkapugtdJz\ | vbc.exe
File created | C:\Windows\SysWOW64\MSDCSC\svchost.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\svchost.exe | vbc.exe
File created | C:\Windows\SysWOW64\MSDCSC\svchost.exe | vbc.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | procid_target
PID 2916 set thread context of 1184 | 2916 | f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe | 29
PID 2580 set thread context of 2528 | 2580 | f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe | 30
Drops file in Windows directory (4 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | attrib.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | attrib.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2916 | f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
Token: SeDebugPrivilege | 2580 | f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 2528 | vbc.exe
Token: SeSecurityPrivilege | 2528 | vbc.exe
Token: SeTakeOwnershipPrivilege | 2528 | vbc.exe
Token: SeLoadDriverPrivilege | 2528 | vbc.exe
Token: SeSystemProfilePrivilege | 2528 | vbc.exe
Token: SeSystemtimePrivilege | 2528 | vbc.exe
Token: SeProfSingleProcessPrivilege | 2528 | vbc.exe
Token: SeIncBasePriorityPrivilege | 2528 | vbc.exe
Token: SeCreatePagefilePrivilege | 2528 | vbc.exe
Token: SeBackupPrivilege | 2528 | vbc.exe
Token: SeRestorePrivilege | 2528 | vbc.exe
Token: SeShutdownPrivilege | 2528 | vbc.exe
Token: SeDebugPrivilege | 2528 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 2528 | vbc.exe
Token: SeChangeNotifyPrivilege | 2528 | vbc.exe
Token: SeRemoteShutdownPrivilege | 2528 | vbc.exe
Token: SeUndockPrivilege | 2528 | vbc.exe
Token: SeManageVolumePrivilege | 2528 | vbc.exe
Token: SeImpersonatePrivilege | 2528 | vbc.exe
Token: SeCreateGlobalPrivilege | 2528 | vbc.exe
Token: 33 | 2528 | vbc.exe
Token: 34 | 2528 | vbc.exe
Token: 35 | 2528 | vbc.exe
Token: SeIncreaseQuotaPrivilege | 1184 | vbc.exe
Token: SeSecurityPrivilege | 1184 | vbc.exe
Token: SeTakeOwnershipPrivilege | 1184 | vbc.exe
Token: SeLoadDriverPrivilege | 1184 | vbc.exe
Token: SeSystemProfilePrivilege | 1184 | vbc.exe
Token: SeSystemtimePrivilege | 1184 | vbc.exe
Token: SeProfSingleProcessPrivilege | 1184 | vbc.exe
Token: SeIncBasePriorityPrivilege | 1184 | vbc.exe
Token: SeCreatePagefilePrivilege | 1184 | vbc.exe
Token: SeBackupPrivilege | 1184 | vbc.exe
Token: SeRestorePrivilege | 1184 | vbc.exe
Token: SeShutdownPrivilege | 1184 | vbc.exe
Token: SeDebugPrivilege | 1184 | vbc.exe
Token: SeSystemEnvironmentPrivilege | 1184 | vbc.exe
Token: SeChangeNotifyPrivilege | 1184 | vbc.exe
Token: SeRemoteShutdownPrivilege | 1184 | vbc.exe
Token: SeUndockPrivilege | 1184 | vbc.exe
Token: SeManageVolumePrivilege | 1184 | vbc.exe
Token: SeImpersonatePrivilege | 1184 | vbc.exe
Token: SeCreateGlobalPrivilege | 1184 | vbc.exe
Token: 33 | 1184 | vbc.exe
Token: 34 | 1184 | vbc.exe
Token: 35 | 1184 | vbc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Views/modifies file attributes (1 TTPs, 4 IoCs)
pid | process
580 | attrib.exe
2380 | attrib.exe
584 | attrib.exe
268 | attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe (PID 2916)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe (PID 2580)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2528)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 2600)
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h

        C:\Windows\SysWOW64\attrib.exe (PID 580)
          Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes

      C:\Windows\SysWOW64\cmd.exe (PID 2560)
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h

        C:\Windows\SysWOW64\attrib.exe (PID 584)
          Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          - Sets file to hidden
          - Drops file in Windows directory
          - Views/modifies file attributes

      C:\Windows\SysWOW64\notepad.exe (PID 2896)
        Command line: notepad

      C:\Windows\SysWOW64\MSDCSC\svchost.exe (PID 1200)
        Command line: "C:\Windows\system32\MSDCSC\svchost.exe"
        - Executes dropped EXE

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1184)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2672)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h

      C:\Windows\SysWOW64\attrib.exe (PID 2380)
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe (PID 2424)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h

      C:\Windows\SysWOW64\attrib.exe (PID 268)
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes

    C:\Windows\SysWOW64\notepad.exe (PID 2572)
      Command line: notepad

    C:\Windows\SysWOW64\MSDCSC\wBVkapugtdJz\svchost.exe (PID 2356)
      Command line: "C:\Windows\system32\MSDCSC\wBVkapugtdJz\svchost.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

Filesize: 1.1MB
MD5: 34aa912defa18c2c129f1e09d75c1d7e
SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98