63c5c29439b07bc09e7d9a6a3b6f42c2417fdc88989dc174267b1c113a8f4555

Analysis

max time kernel
133s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 02:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17a75def7ef3feaa684b3dc96d869f6f.exe
Size

922KB
MD5

17a75def7ef3feaa684b3dc96d869f6f
SHA1

801bee6bf062a0787e9bf1cad5f1f6a9e5e00935
SHA256

63c5c29439b07bc09e7d9a6a3b6f42c2417fdc88989dc174267b1c113a8f4555
SHA512

92eecfa74a91ee5709d732c1ff729c4ccdc940fd39fc87ae21899b341e597a9db5f18821f81711c9482b884fa6c44573014437e5e442217cb673a4e0c4b06da9
SSDEEP

24576:UICJkh0Xdtv7GAIUaUIDwEilGwzRZhCa7wB/yd:QJkOXdtNaUewE0GwzRB7w2

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1796 set thread context of 532	1796	17a75def7ef3feaa684b3dc96d869f6f.exe	82

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1896	dw20.exe
Token: SeBackupPrivilege	1896	dw20.exe
Token: SeBackupPrivilege	1896	dw20.exe
Token: SeBackupPrivilege	1896	dw20.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 532	1796	17a75def7ef3feaa684b3dc96d869f6f.exe	82
PID 1796 wrote to memory of 532	1796	17a75def7ef3feaa684b3dc96d869f6f.exe	82
PID 1796 wrote to memory of 532	1796	17a75def7ef3feaa684b3dc96d869f6f.exe	82
PID 1796 wrote to memory of 532	1796	17a75def7ef3feaa684b3dc96d869f6f.exe	82
PID 1796 wrote to memory of 532	1796	17a75def7ef3feaa684b3dc96d869f6f.exe	82
PID 1796 wrote to memory of 532	1796	17a75def7ef3feaa684b3dc96d869f6f.exe	82
PID 1796 wrote to memory of 532	1796	17a75def7ef3feaa684b3dc96d869f6f.exe	82
PID 1796 wrote to memory of 532	1796	17a75def7ef3feaa684b3dc96d869f6f.exe	82
PID 1796 wrote to memory of 532	1796	17a75def7ef3feaa684b3dc96d869f6f.exe	82
PID 532 wrote to memory of 1896	532	vbc.exe	83
PID 532 wrote to memory of 1896	532	vbc.exe	83
PID 532 wrote to memory of 1896	532	vbc.exe	83

C:\Users\Admin\AppData\Local\Temp\17a75def7ef3feaa684b3dc96d869f6f.exe
"C:\Users\Admin\AppData\Local\Temp\17a75def7ef3feaa684b3dc96d869f6f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 776
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/532-7-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/532-5-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/532-8-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/532-15-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1796-0-0x0000000075172000-0x0000000075173000-memory.dmp

Filesize
4KB

Download
memory/1796-1-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1796-2-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1796-6-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads