d270c8a2103434ec8902b1d192f8907c2a36389e7657fca3dec2cfd5bbeaa917

General

Target

IMG__12724.exe
Size

704KB
MD5

a309f8839dd6e219d8cd485cc399e3a2
SHA1

f77aca108b45144c7ae32d76dd1a032a6e6353fd
SHA256

d270c8a2103434ec8902b1d192f8907c2a36389e7657fca3dec2cfd5bbeaa917
SHA512

1d155f98962cf1401c821d3514ca19fde9caaf1afdf120c7fffd1743f76d2a6bb02c48d1fb4934e6943092f230318b411cb824b0097728d4afc008c65ab22931
SSDEEP

12288:Dd2iNzBRy3VetjsTkniznIIIoiL227v1HJw8IPesy:Dd1PjNcIoo20HJw8qO

Score

8^/10

execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2244	2224	IMG__12724.exe	33
PID 2244 set thread context of 1352	2244	vbc.exe	20
PID 2244 set thread context of 2600	2244	vbc.exe	34
PID 2600 set thread context of 1352	2600	sethc.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2768	powershell.exe
2244	vbc.exe
2244	vbc.exe
2244	vbc.exe
2244	vbc.exe
2244	vbc.exe
2244	vbc.exe
2244	vbc.exe
2244	vbc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe
2600	sethc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2244	vbc.exe
1352	Explorer.EXE
1352	Explorer.EXE
2600	sethc.exe
2600	sethc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2768	2224	IMG__12724.exe	29
PID 2224 wrote to memory of 2768	2224	IMG__12724.exe	29
PID 2224 wrote to memory of 2768	2224	IMG__12724.exe	29
PID 2224 wrote to memory of 2768	2224	IMG__12724.exe	29
PID 2224 wrote to memory of 2780	2224	IMG__12724.exe	30
PID 2224 wrote to memory of 2780	2224	IMG__12724.exe	30
PID 2224 wrote to memory of 2780	2224	IMG__12724.exe	30
PID 2224 wrote to memory of 2780	2224	IMG__12724.exe	30
PID 2224 wrote to memory of 2244	2224	IMG__12724.exe	33
PID 2224 wrote to memory of 2244	2224	IMG__12724.exe	33
PID 2224 wrote to memory of 2244	2224	IMG__12724.exe	33
PID 2224 wrote to memory of 2244	2224	IMG__12724.exe	33
PID 2224 wrote to memory of 2244	2224	IMG__12724.exe	33
PID 2224 wrote to memory of 2244	2224	IMG__12724.exe	33
PID 2224 wrote to memory of 2244	2224	IMG__12724.exe	33
PID 1352 wrote to memory of 2600	1352	Explorer.EXE	34
PID 1352 wrote to memory of 2600	1352	Explorer.EXE	34
PID 1352 wrote to memory of 2600	1352	Explorer.EXE	34
PID 1352 wrote to memory of 2600	1352	Explorer.EXE	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\IMG__12724.exe
  "C:\Users\Admin\AppData\Local\Temp\IMG__12724.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bJqSWs.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bJqSWs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9859.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2244
- C:\Windows\SysWOW64\sethc.exe
  "C:\Windows\SysWOW64\sethc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

Scripting

Persistence

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Event Triggered Execution

1

T1546

Accessibility Features

1

T1546.008

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9859.tmp

Filesize
1KB

MD5
e61a886e4b9745a69ff32a8948c98f16

SHA1
f5b40756095efda62b0ba87e0c7314c8165b05a2

SHA256
7ebf4194ae1f2d9321597387365f267f66a8ba1b55a83ff04b4a0043fac8ba7e

SHA512
801e724568ad663b03dfbc5a02e6bedb5ae4dea01da861403d98e4a8dc24a7e00322c9f234790536c4095233512e44956da56a5e226ced491a64914f92fd4af2

Download Submit
memory/1352-24-0x00000000036C0000-0x00000000037C0000-memory.dmp

Filesize
1024KB

Download
memory/1352-21-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/2224-19-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-1-0x0000000000BA0000-0x0000000000C56000-memory.dmp

Filesize
728KB

Download
memory/2224-2-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-3-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2224-4-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2224-5-0x0000000005270000-0x00000000052FA000-memory.dmp

Filesize
552KB

Download
memory/2224-0-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/2244-17-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2244-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2600-22-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download
memory/2600-23-0x00000000000C0000-0x00000000000FF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads