d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e

Analysis

max time kernel
148s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Size

234KB
MD5

183046f592877106cc353e1b9ee1d354
SHA1

bdb0f3001c1cbd686a4fe25d55d77a76703a03c1
SHA256

d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e
SHA512

6d8e410f1016fb8319a6046b38dd6eef66944cdb1a05a23b11ed131d3829e89172032c0e3045bc21097d0bf7119bbcabad6e65dbb4181ff64229002491ed79e7
SSDEEP

1536:DPQc0IiI+7vAIIzuQ8Tr15WUkTdIOzq0ZDFtnJvx/lJRaCAd1uhNR:rQc01zAf6QGkBIO20ZRfvH

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vspconsole.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	vspconsole.exe

Executes dropped EXE 6 IoCs

pid	Process
4072	vspconsole.exe
4080	vspconsole.exe
4476	vspconsole.exe
4912	svcvsp.exe
3852	vspconsole.exe
5092	wmcsp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winvsp = "c:\\windows\\system32\\winvsp.exe"	vspconsole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vspmem = "c:\\windows\\system32\\vspmem.exe"	vspconsole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcvsp = "c:\\windows\\system32\\svcvsp.exe"	vspconsole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vspmem = "c:\\windows\\system32\\vspmem.exe"	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmcsp = "c:\\windows\\system32\\wmcsp.exe"	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winvsp = "c:\\windows\\system32\\winvsp.exe"	vspconsole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vspmem = "c:\\windows\\system32\\vspmem.exe"	vspconsole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcvsp = "c:\\windows\\system32\\svcvsp.exe"	vspconsole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winvsp = "c:\\windows\\system32\\winvsp.exe"	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcvsp = "c:\\windows\\system32\\svcvsp.exe"	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmcsp = "c:\\windows\\system32\\wmcsp.exe"	vspconsole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmcsp = "c:\\windows\\system32\\wmcsp.exe"	vspconsole.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\RCX9718.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX9730.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX9791.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX865A.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX85E4.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\winvsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\vspmem.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\winvsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX9629.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX972E.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX972F.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX857F.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX85C3.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX8606.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX8649.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\vspconsole.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\vspmng.exe	vspconsole.exe
File opened for modification	C:\Windows\system32\winvsp.exe	vspconsole.exe
File opened for modification	C:\Windows\system32\svcvsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX96F6.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX856E.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\system32\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\svcvsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX92FA.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX971A.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX855C.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX95EA.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX9760.tmp	vspconsole.exe
File created	\??\c:\windows\system32\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\wmcsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX971B.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX972D.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\dvm.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX85C2.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\system32\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX85D4.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\svcvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\wmcsp.exe	vspconsole.exe
File opened for modification	C:\Windows\system32\vspmem.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX921E.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\vspmem.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX85A0.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\system32\dvm.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX8638.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	C:\Windows\system32\dvm.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX971D.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\vspmng.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX85F5.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\svcvsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX8616.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX8639.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\dvm.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	C:\Windows\system32\vspconsole.exe	vspconsole.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\vspconsole.exe.log	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX95D9.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX855D.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX865B.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	C:\Windows\system32\vspmng.exe	vspconsole.exe
File opened for modification	\??\c:\windows\system32\RCX963A.tmp	vspconsole.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\RCX8866.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX8869.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9073.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX9087.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\svcvsp.exe	vspconsole.exe
File opened for modification	\??\c:\program files\vspmng.exe	vspconsole.exe
File opened for modification	\??\c:\program files\RCX887B.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9061.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX909A.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\winvsp.exe	vspconsole.exe
File created	\??\c:\program files\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX8867.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\dvm.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\vspmem.exe	vspconsole.exe
File opened for modification	\??\c:\program files\svcvsp.exe	vspconsole.exe
File opened for modification	\??\c:\program files\RCX98A0.tmp	vspconsole.exe
File created	\??\c:\program files\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX986D.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX9880.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX887A.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX888E.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9075.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX9076.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\vspconsole.exe	vspconsole.exe
File opened for modification	\??\c:\program files\RCX986F.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\dvm.exe	vspconsole.exe
File created	\??\c:\program files\dvm.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\program files\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX88A0.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX909B.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX8855.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX888C.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9060.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX986E.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX98B3.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX98D7.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX88A1.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\dvm.exe	vspconsole.exe
File opened for modification	\??\c:\program files\RCX98A1.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX98C5.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX889F.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\vspmem.exe	vspconsole.exe
File opened for modification	\??\c:\program files\RCX98B5.tmp	vspconsole.exe
File created	\??\c:\program files\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\svcvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX888D.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX905F.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\vspconsole.exe	vspconsole.exe
File opened for modification	\??\c:\program files\RCX98C6.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9088.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\vspmng.exe	vspconsole.exe
File created	\??\c:\program files\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX8868.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX8879.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\program files\svcvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9099.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX986C.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX98B2.tmp	vspconsole.exe
File opened for modification	\??\c:\program files\RCX9072.tmp	vspconsole.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\vspconsole.exe	vspconsole.exe
File opened for modification	\??\c:\windows\wmcsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\dvm.exe	vspconsole.exe
File created	\??\c:\windows\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX904B.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX905E.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX97A7.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX9847.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX866C.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX86C6.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8842.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8852.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\winvsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX86B4.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspmem.exe	vspconsole.exe
File opened for modification	\??\c:\windows\RCX97B8.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX9848.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8691.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8840.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\svcvsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\RCX866B.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8854.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspmng.exe	vspconsole.exe
File opened for modification	\??\c:\windows\RCX86C8.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX904A.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\vspmem.exe	vspconsole.exe
File opened for modification	\??\c:\windows\svcvsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\RCX86A2.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX867E.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX86B5.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspconsole.exe	vspconsole.exe
File opened for modification	\??\c:\windows\RCX903A.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\vspmng.exe	vspconsole.exe
File opened for modification	\??\c:\windows\wmcsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\dvm.exe	vspconsole.exe
File opened for modification	\??\c:\windows\RCX904C.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX8690.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX86A1.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\svcvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8841.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\winvsp.exe	vspconsole.exe
File created	\??\c:\windows\svcvsp.exe	vspconsole.exe
File opened for modification	\??\c:\windows\vspconsole.exe	vspconsole.exe
File opened for modification	\??\c:\windows\RCX9849.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX867F.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\svcvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX905D.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX97A4.tmp	vspconsole.exe
File created	\??\c:\windows\dvm.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX97B7.tmp	vspconsole.exe
File created	\??\c:\windows\vspconsole.exe	vspconsole.exe
File created	\??\c:\windows\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX9792.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX984A.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX985C.tmp	vspconsole.exe
File opened for modification	\??\c:\windows\RCX86A3.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	vspconsole.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	vspconsole.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	vspconsole.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vspconsole.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "2"	vspconsole.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	vspconsole.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	vspconsole.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	vspconsole.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4912	svcvsp.exe
4912	svcvsp.exe
5092	wmcsp.exe
5092	wmcsp.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4072	vspconsole.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	svcvsp.exe
Token: SeDebugPrivilege	5092	wmcsp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2876	1544	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe	84
PID 1544 wrote to memory of 2876	1544	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe	84
PID 1544 wrote to memory of 4072	1544	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe	85
PID 1544 wrote to memory of 4072	1544	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe	85
PID 4080 wrote to memory of 4476	4080	vspconsole.exe	89
PID 4080 wrote to memory of 4476	4080	vspconsole.exe	89
PID 4080 wrote to memory of 4912	4080	vspconsole.exe	90
PID 4080 wrote to memory of 4912	4080	vspconsole.exe	90
PID 4072 wrote to memory of 3852	4072	vspconsole.exe	93
PID 4072 wrote to memory of 3852	4072	vspconsole.exe	93
PID 4072 wrote to memory of 5092	4072	vspconsole.exe	94
PID 4072 wrote to memory of 5092	4072	vspconsole.exe	94

C:\Users\Admin\AppData\Local\Temp\d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
"C:\Users\Admin\AppData\Local\Temp\d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe" rg
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Adds Run key to start application
  PID:2876
- C:\windows\vspconsole.exe
  "C:\windows\vspconsole.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\windows\vspconsole.exe
    "C:\windows\vspconsole.exe" rg
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3852
- - C:\programdata\wmcsp.exe
    "C:\programdata\wmcsp.exe" wm 4072
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5092

C:\windows\vspconsole.exe
"C:\windows\vspconsole.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4080
- C:\windows\vspconsole.exe
  "C:\windows\vspconsole.exe" rg
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4476
- C:\windows\svcvsp.exe
  "C:\windows\svcvsp.exe" ws 4080 winvsp
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\RCXCED6.tmp

Filesize
234KB

MD5
d85a75a6a123cb313bd4bf013c80447b

SHA1
cc2615c51fc16c6da94692d430d6a45809f164d1

SHA256
57dc79eb271bb7d23e90dd914f29c15565a879033741713d580faedef04de31f

SHA512
9b90fad8d3a7d38145b4b0fe0596a776807b58e76da3b938b61ab8ca3b64f086895feebbf66c5c88b41cae135a380efbc879b33ab582ffb3dc76c762f62dd2ca

Download Submit
C:\RCX99CA.tmp

Filesize
233KB

MD5
555d14422aee35a3f64e534fef428d45

SHA1
077d797ae8f8147e5c705874f70d2285a72af978

SHA256
0b717be1c3ec6581db450cf6a592c685aaaf3844d8b9ccad94fe5da466d8290b

SHA512
4fc557dde59d4ce507bef8902e8b706724f1b1ef3bd04633430798da26039b5fdea2fdbde0c7100a0ed2195603d135b503203fa26bfc183c1c40b8a97a3cad15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe.log

Filesize
115B

MD5
5f2253957958934a8b81921678832b72

SHA1
d9b030f94a9f3323fdcdb391192960d840b89723

SHA256
ab70783e426113082348a647ea0de73875931662f82b9f2ea4f3a44e5fac1000

SHA512
28310f23b744a03f81707d7fb77a9f5fce621bcfc56108b9ff76bbdb4ebc6014380715fef68c8b3c486c9aa4bfc1e66928caa7294bea4d263a18ab8557a96460

Download Submit
C:\Windows\System32\RCX85A1.tmp

Filesize
233KB

MD5
244569fd6100ba4f1281eacd07b9c901

SHA1
4e11cf30ae7f785db0958bcaf0299e363fb4394f

SHA256
0999259a208c782ae96d692cc841dfd3c1697f2bc0603d0ea6ff8cc5d11c6fe5

SHA512
3ba46d83a0a0c302ad4e533f84738d3f07457c73f4eb224d1454f13c6aa5cbe25438233ac5652c2da8c171f51f6bcdab89f1721398e8dab28d20682fd03059db

Download Submit
C:\Windows\System32\RCX85B2.tmp

Filesize
234KB

MD5
c7493a0bc7fb4b47e46cd9bc7cf79741

SHA1
0077de692ab09914f5c3ea58278d3dc145f59f6f

SHA256
d48ad1de7882ee2b6c055c14a17a190f4d45371f67e970808ce421aa1b64262a

SHA512
7e3fbddf8cd0cf5d6615f7d5b71b033b8476224dfd02bc042e4b97f9743cf7a64c31dc96ac63b03b731a5fba5a820f6e1b7dc645d58ad07990ad665f0a159c1f

Download Submit
C:\Windows\System32\winvsp.exe

Filesize
234KB

MD5
183046f592877106cc353e1b9ee1d354

SHA1
bdb0f3001c1cbd686a4fe25d55d77a76703a03c1

SHA256
d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e

SHA512
6d8e410f1016fb8319a6046b38dd6eef66944cdb1a05a23b11ed131d3829e89172032c0e3045bc21097d0bf7119bbcabad6e65dbb4181ff64229002491ed79e7

Download Submit
\??\c:\windows\system32\svcvsp.exe

Filesize
128KB

MD5
6d496981f26243e4388b126b77efc22e

SHA1
0965df53c465d739f95799cee1cf57a27068e1b6

SHA256
1a181f66aaf01d7ed1a6da7e8cd0972c418156d6672c054eec0e2ad2aa50f2d2

SHA512
cd77187a8a93da849fe6074dae6a0570cb17552fe8f11b9f0097e052ae5d42a8f736c9f40f58d49113bc642b5eb6efcb9f47e00c491603d323203a1bfe9cca39

Download Submit
memory/1544-2-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/1544-0-0x00007FF8448E5000-0x00007FF8448E6000-memory.dmp

Filesize
4KB

Download
memory/1544-192-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/1544-364-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/1544-622-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/1544-623-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/1544-3-0x000000001B300000-0x000000001B320000-memory.dmp

Filesize
128KB

Download
memory/1544-637-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/1544-1-0x000000001B810000-0x000000001BCDE000-memory.dmp

Filesize
4.8MB

Download
memory/2876-625-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/2876-1886-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/4072-639-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/4072-642-0x000000001C340000-0x000000001C3DC000-memory.dmp

Filesize
624KB

Download
memory/4072-640-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/4072-641-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/4072-638-0x0000000000A80000-0x0000000000A98000-memory.dmp

Filesize
96KB

Download
memory/4072-1928-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/4072-1969-0x00007FF844630000-0x00007FF844FD1000-memory.dmp

Filesize
9.6MB

Download
memory/4080-1131-0x000000001C1E0000-0x000000001C242000-memory.dmp

Filesize
392KB

Download
memory/4080-1132-0x000000001AF90000-0x000000001AF98000-memory.dmp

Filesize
32KB

Download