1b7e8879bb5c9351148eb6c5e4d7de3becc8195ddd21d772e701683a6684f89f

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
Size

97KB
MD5

3fe58d8cca2567d7107f8d6fe0ef87b0
SHA1

dc36fa4b6d25a5d01028933fd94b0f0ed423b1b3
SHA256

1b7e8879bb5c9351148eb6c5e4d7de3becc8195ddd21d772e701683a6684f89f
SHA512

57e81d8619eb1b0a122b9b4e00760386bf63e25bb2ac0ffca441bf97a9bfde3df3b2758b15f9dac35476572e8a5f77c36b8cfe26a5af3c143935174e4f395bf3
SSDEEP

1536:oPQc0IiI+7vAIIzuQ8Tr15WUkTdIOzq0ZDsnJvx/JWTRDDxTxp:CQc01zAf6QGkBIO20ZKvbMRDt

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winvsp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	winvsp.exe

Executes dropped EXE 6 IoCs

pid	Process
2928	winvsp.exe
1272	winvsp.exe
3256	winvsp.exe
2996	wmcsp.exe
3448	winvsp.exe
1996	svcvsp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winvsp = "c:\\windows\\system32\\winvsp.exe"	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winvsp = "c:\\windows\\system32\\winvsp.exe"	winvsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vspmem = "c:\\windows\\system32\\vspmem.exe"	winvsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcvsp = "c:\\windows\\system32\\svcvsp.exe"	winvsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vspmem = "c:\\windows\\system32\\vspmem.exe"	winvsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmcsp = "c:\\windows\\system32\\wmcsp.exe"	winvsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vspmem = "c:\\windows\\system32\\vspmem.exe"	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmcsp = "c:\\windows\\system32\\wmcsp.exe"	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcvsp = "c:\\windows\\system32\\svcvsp.exe"	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmcsp = "c:\\windows\\system32\\wmcsp.exe"	winvsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcvsp = "c:\\windows\\system32\\svcvsp.exe"	winvsp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winvsp = "c:\\windows\\system32\\winvsp.exe"	winvsp.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\RCX7267.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX728B.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	C:\Windows\system32\svcvsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7FD9.tmp	winvsp.exe
File opened for modification	C:\Windows\system32\winvsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7FB3.tmp	winvsp.exe
File opened for modification	\??\c:\windows\system32\vspconsole.exe	winvsp.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\winvsp.exe.log	winvsp.exe
File created	\??\c:\windows\system32\vspconsole.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File created	\??\c:\windows\system32\vspmng.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX7FB2.tmp	winvsp.exe
File opened for modification	\??\c:\windows\system32\wmcsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7FC6.tmp	winvsp.exe
File created	\??\c:\windows\system32\winvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\vspmem.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\svcvsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\vspconsole.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\dvm.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7FD8.tmp	winvsp.exe
File opened for modification	\??\c:\windows\system32\winvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX7279.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX729C.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\wmcsp.exe	winvsp.exe
File opened for modification	C:\Windows\system32\dvm.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\vspconsole.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\winvsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7233.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\vspmem.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\vspmng.exe	winvsp.exe
File opened for modification	C:\Windows\system32\vspmng.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7FA2.tmp	winvsp.exe
File created	\??\c:\windows\system32\wmcsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7FD7.tmp	winvsp.exe
File created	\??\c:\windows\system32\wmcsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File created	\??\c:\windows\system32\svcvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\winvsp.exe	winvsp.exe
File opened for modification	C:\Windows\system32\vspconsole.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\vspmem.exe	winvsp.exe
File created	\??\c:\windows\system32\dvm.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\dvm.exe	winvsp.exe
File created	\??\c:\windows\system32\vspmem.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX7255.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX727A.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	C:\Windows\system32\vspmem.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7F81.tmp	winvsp.exe
File opened for modification	\??\c:\windows\system32\vspmng.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7256.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\svcvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\dvm.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	C:\Windows\system32\wmcsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7FC5.tmp	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX728A.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX7FC4.tmp	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7FDA.tmp	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7245.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX7278.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\vspmng.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX7213.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\svcvsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\system32\RCX7244.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\wmcsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX729D.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\system32\RCX7E96.tmp	winvsp.exe

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\vspmng.exe	winvsp.exe
File opened for modification	\??\c:\program files\RCX7319.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\vspmem.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\RCX732E.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File created	\??\c:\program files\vspmng.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\wmcsp.exe	winvsp.exe
File opened for modification	\??\c:\program files\RCX8038.tmp	winvsp.exe
File created	\??\c:\program files\vspmem.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\wmcsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\svcvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\vspmng.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\winvsp.exe	winvsp.exe
File opened for modification	\??\c:\program files\RCX804A.tmp	winvsp.exe
File opened for modification	\??\c:\program files\RCX731A.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File created	\??\c:\program files\vspconsole.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\vspmng.exe	winvsp.exe
File opened for modification	\??\c:\program files\RCX8039.tmp	winvsp.exe
File opened for modification	\??\c:\program files\RCX731B.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\dvm.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\winvsp.exe	winvsp.exe
File opened for modification	\??\c:\program files\svcvsp.exe	winvsp.exe
File created	\??\c:\program files\svcvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\dvm.exe	winvsp.exe
File opened for modification	\??\c:\program files\RCX804C.tmp	winvsp.exe
File opened for modification	\??\c:\program files\wmcsp.exe	winvsp.exe
File opened for modification	\??\c:\program files\RCX803A.tmp	winvsp.exe
File opened for modification	\??\c:\program files\vspconsole.exe	winvsp.exe
File opened for modification	\??\c:\program files\RCX8037.tmp	winvsp.exe
File opened for modification	\??\c:\program files\vspmem.exe	winvsp.exe
File created	\??\c:\program files\winvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\winvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File created	\??\c:\program files\wmcsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\RCX732D.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\vspmem.exe	winvsp.exe
File opened for modification	\??\c:\program files\dvm.exe	winvsp.exe
File opened for modification	\??\c:\program files\RCX804B.tmp	winvsp.exe
File opened for modification	\??\c:\program files\RCX732C.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\vspconsole.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File created	\??\c:\program files\dvm.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\RCX732F.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\program files\svcvsp.exe	winvsp.exe
File opened for modification	\??\c:\program files\vspconsole.exe	winvsp.exe

Drops file in Windows directory 56 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\svcvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\winvsp.exe	winvsp.exe
File created	\??\c:\windows\vspmem.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\wmcsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\winvsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\RCX7FFD.tmp	winvsp.exe
File opened for modification	\??\c:\windows\RCX8011.tmp	winvsp.exe
File opened for modification	\??\c:\windows\RCX72C1.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX72D3.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\wmcsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\RCX7FEA.tmp	winvsp.exe
File opened for modification	\??\c:\windows\RCX7307.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\svcvsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\vspmem.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\vspmem.exe	winvsp.exe
File opened for modification	\??\c:\windows\RCX8012.tmp	winvsp.exe
File opened for modification	\??\c:\windows\RCX8023.tmp	winvsp.exe
File opened for modification	\??\c:\windows\RCX72AF.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX72B1.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX72D5.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\wmcsp.exe	winvsp.exe
File created	\??\c:\windows\dvm.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX7FFF.tmp	winvsp.exe
File opened for modification	\??\c:\windows\RCX729E.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\vspconsole.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\dvm.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX800F.tmp	winvsp.exe
File opened for modification	\??\c:\windows\vspconsole.exe	winvsp.exe
File opened for modification	\??\c:\windows\RCX7FEB.tmp	winvsp.exe
File opened for modification	\??\c:\windows\RCX8026.tmp	winvsp.exe
File opened for modification	\??\c:\windows\winvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX72C2.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\vspmng.exe	winvsp.exe
File opened for modification	\??\c:\windows\RCX8024.tmp	winvsp.exe
File created	\??\c:\windows\vspmng.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\vspmem.exe	winvsp.exe
File opened for modification	\??\c:\windows\vspconsole.exe	winvsp.exe
File opened for modification	\??\c:\windows\vspmng.exe	winvsp.exe
File opened for modification	\??\c:\windows\RCX8025.tmp	winvsp.exe
File created	\??\c:\windows\winvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File created	\??\c:\windows\vspconsole.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX7317.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX7318.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\vspmng.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX7FFC.tmp	winvsp.exe
File opened for modification	\??\c:\windows\RCX7FFE.tmp	winvsp.exe
File opened for modification	\??\c:\windows\svcvsp.exe	winvsp.exe
File opened for modification	\??\c:\windows\RCX8010.tmp	winvsp.exe
File opened for modification	\??\c:\windows\RCX72B0.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File created	\??\c:\windows\svcvsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX72D4.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\dvm.exe	winvsp.exe
File opened for modification	\??\c:\windows\dvm.exe	winvsp.exe
File created	\??\c:\windows\wmcsp.exe	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX72E5.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
File opened for modification	\??\c:\windows\RCX72E6.tmp	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	winvsp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	winvsp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	winvsp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	winvsp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	winvsp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winvsp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "2"	winvsp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	winvsp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2996	wmcsp.exe
2996	wmcsp.exe
1996	svcvsp.exe
1996	svcvsp.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2928	winvsp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	wmcsp.exe
Token: SeDebugPrivilege	1996	svcvsp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 4880	4892	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe	85
PID 4892 wrote to memory of 4880	4892	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe	85
PID 4892 wrote to memory of 2928	4892	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe	86
PID 4892 wrote to memory of 2928	4892	3fe58d8cca2567d7107f8d6fe0ef87b0N.exe	86
PID 1272 wrote to memory of 3256	1272	winvsp.exe	89
PID 1272 wrote to memory of 3256	1272	winvsp.exe	89
PID 1272 wrote to memory of 2996	1272	winvsp.exe	90
PID 1272 wrote to memory of 2996	1272	winvsp.exe	90
PID 2928 wrote to memory of 3448	2928	winvsp.exe	93
PID 2928 wrote to memory of 3448	2928	winvsp.exe	93
PID 2928 wrote to memory of 1996	2928	winvsp.exe	94
PID 2928 wrote to memory of 1996	2928	winvsp.exe	94

C:\Users\Admin\AppData\Local\Temp\3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
"C:\Users\Admin\AppData\Local\Temp\3fe58d8cca2567d7107f8d6fe0ef87b0N.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\3fe58d8cca2567d7107f8d6fe0ef87b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\3fe58d8cca2567d7107f8d6fe0ef87b0N.exe" rg
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Adds Run key to start application
  PID:4880
- C:\programdata\winvsp.exe
  "C:\programdata\winvsp.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\programdata\winvsp.exe
    "C:\programdata\winvsp.exe" rg
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3448
- - C:\Users\Admin\Documents\svcvsp.exe
    "C:\Users\Admin\Documents\svcvsp.exe" wm 2928
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1996

C:\programdata\winvsp.exe
"C:\programdata\winvsp.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1272
- C:\programdata\winvsp.exe
  "C:\programdata\winvsp.exe" rg
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3256
- C:\windows\system32\wmcsp.exe
  "C:\windows\system32\wmcsp.exe" ws 1272 winvsp
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi

Filesize
29B

MD5
07d4c0c3bd4031c325814063946ddfd9

SHA1
12c200bb85943ef2d3e602f8c6ee890c0d01aea5

SHA256
4b49d4c40e59c8f82ae9a1bc6ed8c83b3df58167c4d2786650ef6323464ddf0a

SHA512
16f6f6819208fbe09ffa51592f2da284b602c45b421eadd823c0214efe9273b656bd81d37cb4dd537e8a76b0ef63f7a86d971b370f0eb020bf8d11d811fa3c0e

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\RCXBEEE.tmp

Filesize
97KB

MD5
c721a9a6d35ee56779e8665b52fc78f5

SHA1
ed17afc518caf8767a0d9f12c3c4d4ebc2d1efff

SHA256
e392059660090f64f25d3d6355fe76ce84caf3bcd9454e8e83b2f12d7ecd0b37

SHA512
24f3748eec00f3424731e71d8087ac2a7a11d323e80a1bb39e5e319b654474e0b2d3c005d18514b0836cf097e3eda50205663fa8c1c1afb3148f127c45dabe24

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\RCXC7FE.tmp

Filesize
98KB

MD5
92211052d4af7274836bfdb686b542bc

SHA1
344225507e1c04c8e8247eb93f31264640a710b7

SHA256
9b8e87b085c72e8f9f5c0defcd5f71743be796133b7dcf2b05f6e2902e7ddf4f

SHA512
c792747bc3b64d35d7b3a43dadedc6c4defb1c4cfc1c176fc45297584643c37b984f6de40202017f69cd7a40c04ec75600b884dd30150e1cb118532ee8da95a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\3fe58d8cca2567d7107f8d6fe0ef87b0N.exe.log

Filesize
115B

MD5
5f2253957958934a8b81921678832b72

SHA1
d9b030f94a9f3323fdcdb391192960d840b89723

SHA256
ab70783e426113082348a647ea0de73875931662f82b9f2ea4f3a44e5fac1000

SHA512
28310f23b744a03f81707d7fb77a9f5fce621bcfc56108b9ff76bbdb4ebc6014380715fef68c8b3c486c9aa4bfc1e66928caa7294bea4d263a18ab8557a96460

Download Submit
C:\Windows\System32\RCX7255.tmp

Filesize
96KB

MD5
d444fba1a78ff8a92d82b7e5f77ad398

SHA1
1e124ebaef81aef959db26f52ae1fa4222743cc5

SHA256
20076e3d852e3725fdccadcc60b57dbb7d5af65314bc5117d457e9d8622ee69c

SHA512
ad7fe2df1b024eedb2a9c847a9485c787f0119a185a59ea115ce287e7ab1d5b16580a9b52c5b0ececa31c3ed3473ae71e5f4aa9940faf9693efce9d7a348faa4

Download Submit
C:\Windows\System32\RCX7256.tmp

Filesize
97KB

MD5
6c6bd459e2ee72de2be769ce7c6c5106

SHA1
c32a5b4e9dc474a1239169bce699f545534aed85

SHA256
599ee121887328287c1806513ea9404211d7fe0efaf23096333647f09099b528

SHA512
7151f72c7f57daf253cbb46365e2941da23d05b12efbce510d01153547034e88999f11dd396016f69f98307d9b96e5923840b85558b601cb869c5f845569844e

Download Submit
C:\Windows\System32\winvsp.exe

Filesize
97KB

MD5
3fe58d8cca2567d7107f8d6fe0ef87b0

SHA1
dc36fa4b6d25a5d01028933fd94b0f0ed423b1b3

SHA256
1b7e8879bb5c9351148eb6c5e4d7de3becc8195ddd21d772e701683a6684f89f

SHA512
57e81d8619eb1b0a122b9b4e00760386bf63e25bb2ac0ffca441bf97a9bfde3df3b2758b15f9dac35476572e8a5f77c36b8cfe26a5af3c143935174e4f395bf3

Download Submit
memory/1272-713-0x000000001BF50000-0x000000001BF58000-memory.dmp

Filesize
32KB

Download
memory/1272-712-0x000000001C670000-0x000000001C6D2000-memory.dmp

Filesize
392KB

Download
memory/2928-1127-0x000000001ED40000-0x000000001F04E000-memory.dmp

Filesize
3.1MB

Download
memory/2928-1568-0x0000000021670000-0x00000000216B9000-memory.dmp

Filesize
292KB

Download
memory/2928-1637-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/2928-1607-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/2928-428-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/2928-1569-0x0000000021630000-0x000000002166E000-memory.dmp

Filesize
248KB

Download
memory/2928-431-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/2928-430-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/2928-427-0x000000001BA40000-0x000000001BA58000-memory.dmp

Filesize
96KB

Download
memory/2928-432-0x000000001CD10000-0x000000001CDAC000-memory.dmp

Filesize
624KB

Download
memory/4892-429-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/4892-7-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/4892-0-0x00007FFA21765000-0x00007FFA21766000-memory.dmp

Filesize
4KB

Download
memory/4892-3-0x000000001C410000-0x000000001C430000-memory.dmp

Filesize
128KB

Download
memory/4892-2-0x000000001BF40000-0x000000001C40E000-memory.dmp

Filesize
4.8MB

Download
memory/4892-1-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/4892-302-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/4892-413-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/4892-412-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download
memory/4892-415-0x00007FFA214B0000-0x00007FFA21E51000-memory.dmp

Filesize
9.6MB

Download