37c6b9859245e87905042a4b8b85d138ecc57027f7867e79eaccc7759c1fcc55

General

Target

VIZPLOIT/VIZSPLOIT.exe
Size

273KB
MD5

b327cefae6707c649804ba89518e9690
SHA1

0a9f7bd8b51d61288cf253a186693f38299bbfb5
SHA256

2a196a394b6f73d6e9dafe6205c6507802d50d21de2d715ff512c2c2e4b6531c
SHA512

670a1a0db9bcac41e3f0d16992a920232d22e69dbadecffc542990550557ec72f0d2100790fdda3c1645bee339f6a0ce79ae0a3fa5ef590eb882279c5dd815a8
SSDEEP

3072:MsC1JX9HSPBKYyuXu8Hzj5v5fOj/1tleVKCKxLD8O:fC/X9yPBFpu8TyxeVKdtD8

Score

9^/10

credential_access discovery persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 3 IoCs

pid	Process
4668	gWsmPty.exe
5296	VC_redistx64.exe
2672	VIZSPLOIT.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\ProgramData\\MyHiddenFolder\\VC_redistx64.exe"	VC_redistx64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VIZSPLOIT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redistx64.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
3652	VIZSPLOIT.exe
4668	gWsmPty.exe
5296	VC_redistx64.exe
5296	VC_redistx64.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	VIZSPLOIT.exe
Token: SeBackupPrivilege	4668	gWsmPty.exe
Token: SeSecurityPrivilege	4668	gWsmPty.exe
Token: SeSecurityPrivilege	4668	gWsmPty.exe
Token: SeSecurityPrivilege	4668	gWsmPty.exe
Token: SeSecurityPrivilege	4668	gWsmPty.exe
Token: SeDebugPrivilege	4668	gWsmPty.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4668	3652	VIZSPLOIT.exe	81
PID 3652 wrote to memory of 4668	3652	VIZSPLOIT.exe	81
PID 3652 wrote to memory of 5296	3652	VIZSPLOIT.exe	82
PID 3652 wrote to memory of 5296	3652	VIZSPLOIT.exe	82
PID 3652 wrote to memory of 5296	3652	VIZSPLOIT.exe	82
PID 3652 wrote to memory of 2672	3652	VIZSPLOIT.exe	83
PID 3652 wrote to memory of 2672	3652	VIZSPLOIT.exe	83
PID 2672 wrote to memory of 1576	2672	VIZSPLOIT.exe	85
PID 2672 wrote to memory of 1576	2672	VIZSPLOIT.exe	85
PID 1576 wrote to memory of 3020	1576	cmd.exe	86
PID 1576 wrote to memory of 3020	1576	cmd.exe	86
PID 2672 wrote to memory of 1380	2672	VIZSPLOIT.exe	87
PID 2672 wrote to memory of 1380	2672	VIZSPLOIT.exe	87
PID 1380 wrote to memory of 1828	1380	cmd.exe	88
PID 1380 wrote to memory of 1828	1380	cmd.exe	88
PID 2672 wrote to memory of 5624	2672	VIZSPLOIT.exe	89
PID 2672 wrote to memory of 5624	2672	VIZSPLOIT.exe	89

C:\Users\Admin\AppData\Local\Temp\VIZPLOIT\VIZSPLOIT.exe
"C:\Users\Admin\AppData\Local\Temp\VIZPLOIT\VIZSPLOIT.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Users\Admin\AppData\Roaming\gWsmPty.exe
  "C:\Users\Admin\AppData\Roaming\gWsmPty.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
  "C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5296
- C:\Users\Admin\AppData\Roaming\VIZSPLOIT.exe
  "C:\Users\Admin\AppData\Roaming\VIZSPLOIT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode con cols=85
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\system32\mode.com
      mode con cols=85
      4⤵
      PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mode con lines=25
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\system32\mode.com
      mode con lines=25
      4⤵
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TITLE Visploit
    3⤵
    PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

Filesize
9.9MB

MD5
3c5a28fab0ef1744fbe9313bb9038d30

SHA1
35666d73062f42cd140b4b32c271a52019b894c7

SHA256
537e022a4717d763a3b927c44d1255ac83abe8018cd4f00ad1434e5bb921ebe9

SHA512
9fcd5255d56554dfcb655ec7322356f0146a707ab72a9324defc074e327811e776f361b88f97ddcc3d443059a4bdc67a936e4a90d630723998493bf7502aa33a

Download Submit
C:\Users\Admin\AppData\Roaming\VIZSPLOIT.exe

Filesize
194KB

MD5
1f29ee3673fc717fcb8f6007c3f840cd

SHA1
5efd71aa728a1699a890e7acbff5f38402b56b4e

SHA256
5d8159897acac6a7349dad41208004e071e0ad0388142d81bb4cc72ef459a500

SHA512
c1b79a9edfbf8ef9536c28131a9a800cc911ccfb4a7504675566ce9e9bde69965fa4c7e04902f206dfa63c1bb58071809939c8ca3f8ae5adca79ee7d59cab4c3

Download Submit
C:\Users\Admin\AppData\Roaming\gWsmPty.exe

Filesize
419KB

MD5
a90b649cc651b59ee02dad3ab6be1817

SHA1
c15484cfd80387c9d07d8873747d282a28aa5587

SHA256
375fddff8aca7bfc7076751647bb9f1e5f6dd63cc3a74623c78a78a0fd4f8cc9

SHA512
1055b08e1202b85179d271fe393db4c939be855ceeee4b1dc13ad754b33e3736f23655ffe9b5314873c799b50ddf79ac537c505decebe328e2a3fd32da9e069e

Download Submit
memory/3652-1-0x0000000000770000-0x00000000007B6000-memory.dmp

Filesize
280KB

Download
memory/3652-2-0x0000000074410000-0x0000000074BC1000-memory.dmp

Filesize
7.7MB

Download
memory/3652-3-0x00000000012B0000-0x00000000012BC000-memory.dmp

Filesize
48KB

Download
memory/3652-4-0x0000000002DC0000-0x0000000002DCA000-memory.dmp

Filesize
40KB

Download
memory/3652-5-0x0000000005DE0000-0x0000000006386000-memory.dmp

Filesize
5.6MB

Download
memory/3652-40-0x0000000074410000-0x0000000074BC1000-memory.dmp

Filesize
7.7MB

Download
memory/3652-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/4668-30-0x000000001BD90000-0x000000001BDA2000-memory.dmp

Filesize
72KB

Download
memory/4668-45-0x000000001C7C0000-0x000000001C7DE000-memory.dmp

Filesize
120KB

Download
memory/4668-19-0x00007FFB30420000-0x00007FFB30EE2000-memory.dmp

Filesize
10.8MB

Download
memory/4668-31-0x000000001DFD0000-0x000000001E00C000-memory.dmp

Filesize
240KB

Download
memory/4668-18-0x0000000000D00000-0x0000000000D70000-memory.dmp

Filesize
448KB

Download
memory/4668-17-0x00007FFB30423000-0x00007FFB30425000-memory.dmp

Filesize
8KB

Download
memory/4668-44-0x000000001E010000-0x000000001E086000-memory.dmp

Filesize
472KB

Download
memory/4668-29-0x000000001E0E0000-0x000000001E1EA000-memory.dmp

Filesize
1.0MB

Download
memory/4668-46-0x000000001F4C0000-0x000000001F682000-memory.dmp

Filesize
1.8MB

Download
memory/4668-47-0x0000000020180000-0x00000000206A8000-memory.dmp

Filesize
5.2MB

Download
memory/4668-64-0x00007FFB30420000-0x00007FFB30EE2000-memory.dmp

Filesize
10.8MB

Download
memory/4668-63-0x00007FFB30423000-0x00007FFB30425000-memory.dmp

Filesize
8KB

Download
memory/5296-49-0x0000000000870000-0x0000000001822000-memory.dmp

Filesize
15.7MB

Download
memory/5296-48-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads