58cf8edb5059d3f4cf1617cd2922040742eed21268d52d235a520cef62077770

Analysis

max time kernel
299s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VGK.bat
Size

1KB
MD5

789cbe2305b93d75c2e693352497976c
SHA1

18a204dec4f87108279a22c5e3aa48ce4aa71ba5
SHA256

58cf8edb5059d3f4cf1617cd2922040742eed21268d52d235a520cef62077770
SHA512

ac88cf59fdbba7143285d0cfe5676526f579a9f2278ee211e96b57220b0a59535ae48c2dd428d19505c801ee057645a1c2d9d1c387724ef44dfcfa30fd72be65

Score

4^/10

Malware Config

Signatures

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2952	sc.exe
2908	sc.exe
5096	sc.exe
2224	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
448	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	taskmgr.exe
Token: SeSystemProfilePrivilege	448	taskmgr.exe
Token: SeCreateGlobalPrivilege	448	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe
448	taskmgr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 4168	784	cmd.exe	84
PID 784 wrote to memory of 4168	784	cmd.exe	84
PID 4168 wrote to memory of 5100	4168	cmd.exe	85
PID 4168 wrote to memory of 5100	4168	cmd.exe	85
PID 784 wrote to memory of 2908	784	cmd.exe	107
PID 784 wrote to memory of 2908	784	cmd.exe	107
PID 784 wrote to memory of 5096	784	cmd.exe	108
PID 784 wrote to memory of 5096	784	cmd.exe	108
PID 784 wrote to memory of 2224	784	cmd.exe	109
PID 784 wrote to memory of 2224	784	cmd.exe	109
PID 784 wrote to memory of 2952	784	cmd.exe	110
PID 784 wrote to memory of 2952	784	cmd.exe	110

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VGK.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\VGK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\system32\findstr.exe
    findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\VGK.bat"
    3⤵
    PID:5100
- C:\Windows\system32\sc.exe
  sc query vgc
  2⤵
  - Launches sc.exe
  PID:2908
- C:\Windows\system32\sc.exe
  sc query vgk
  2⤵
  - Launches sc.exe
  PID:5096
- C:\Windows\system32\sc.exe
  sc config vgk start= system
  2⤵
  - Launches sc.exe
  PID:2224
- C:\Windows\system32\sc.exe
  sc config vgc start= demand
  2⤵
  - Launches sc.exe
  PID:2952

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/448-0-0x0000022DF2DB0000-0x0000022DF2DB1000-memory.dmp

Filesize
4KB

Download
memory/448-2-0x0000022DF2DB0000-0x0000022DF2DB1000-memory.dmp

Filesize
4KB

Download
memory/448-1-0x0000022DF2DB0000-0x0000022DF2DB1000-memory.dmp

Filesize
4KB

Download
memory/448-12-0x0000022DF2DB0000-0x0000022DF2DB1000-memory.dmp

Filesize
4KB

Download
memory/448-11-0x0000022DF2DB0000-0x0000022DF2DB1000-memory.dmp

Filesize
4KB

Download
memory/448-10-0x0000022DF2DB0000-0x0000022DF2DB1000-memory.dmp

Filesize
4KB

Download
memory/448-9-0x0000022DF2DB0000-0x0000022DF2DB1000-memory.dmp

Filesize
4KB

Download
memory/448-8-0x0000022DF2DB0000-0x0000022DF2DB1000-memory.dmp

Filesize
4KB

Download
memory/448-7-0x0000022DF2DB0000-0x0000022DF2DB1000-memory.dmp

Filesize
4KB

Download
memory/448-6-0x0000022DF2DB0000-0x0000022DF2DB1000-memory.dmp

Filesize
4KB

Download