Analysis
max time kernel: 117s
max time network: 156s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2024 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: procesosCUI7254178000020150023000.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: procesosCUI7254178000020150023000.exe
  Resource: win10v2004-20241007-en
General
Target: procesosCUI7254178000020150023000.exe
Size: 908KB
MD5: e93703d8357807ba8be42ce5bd71d99b
SHA1: f557b727748f4aa01265b2bc8e46b6201b5f3b7c
SHA256: fa083a970c90e1e17f4aa83ccd7f0bf52b5e0f35eaf4eeda73abdc115d9b55b9
SHA512: b8ad5c57586b70a769d1f9562148de63a3c5835d6a35d3302f33d4d20619254ae5ae6a1703fb26aaa574d96ba15b053359fe0b17059577256a86ebeb53a9b5af
SSDEEP: 24576:Fg/fK9XbMAWE9XEhG7q9efZyHS7en+gIlh:q4Mj4088HS7e+gIlh
Malware Config
Signatures
Contains code to disable Windows Defender (5 IoCs)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource | yara_rule
behavioral1/memory/3040-15-0x0000000000400000-0x000000000045C000-memory.dmp | disable_win_def
behavioral1/memory/3040-19-0x0000000000400000-0x000000000045C000-memory.dmp | disable_win_def
behavioral1/memory/3040-17-0x0000000000400000-0x000000000045C000-memory.dmp | disable_win_def
behavioral1/memory/3040-12-0x0000000000400000-0x000000000045C000-memory.dmp | disable_win_def
behavioral1/memory/3040-11-0x0000000000400000-0x000000000045C000-memory.dmp | disable_win_def
Modifies Windows Defender Real-time Protection settings (9 IoCs; signature name as listed in the process tree below)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Vespre.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | procesosCUI7254178000020150023000.exe
Modifies security service (2 TTPs, 4 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Start = "4" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | procesosCUI7254178000020150023000.exe
Quasar family
Quasar payload (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/3040-15-0x0000000000400000-0x000000000045C000-memory.dmp | family_quasar
behavioral1/memory/3040-19-0x0000000000400000-0x000000000045C000-memory.dmp | family_quasar
behavioral1/memory/3040-17-0x0000000000400000-0x000000000045C000-memory.dmp | family_quasar
behavioral1/memory/3040-12-0x0000000000400000-0x000000000045C000-memory.dmp | family_quasar
behavioral1/memory/3040-11-0x0000000000400000-0x000000000045C000-memory.dmp | family_quasar
UAC bypass (6 IoCs; signature name as listed in the process tree below)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | procesosCUI7254178000020150023000.exe
Windows security bypass (2 IoCs; signature name as listed in the process tree below)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1" | procesosCUI7254178000020150023000.exe
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE (2 IoCs)
Processes:
pid | Process
2112 | Vespre.exe
1076 | Vespre.exe
Loads dropped DLL (1 IoC)
Processes:
pid | Process
3040 | procesosCUI7254178000020150023000.exe
Windows security modification (7 IoCs; signature name as listed in the process tree below)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "1" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1" | Vespre.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | procesosCUI7254178000020150023000.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iceTelemetryLogtte = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\procesosCUI7254178000020150023000.exe\"" | procesosCUI7254178000020150023000.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iceTelemetryLogtte = "\"C:\\Users\\Admin\\AppData\\Roaming\\GPret\\Vespre.exe\"" | Vespre.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iceTelemetryLogtte = "\"C:\\Users\\Admin\\AppData\\Roaming\\GPret\\Vespre.exe\"" | Vespre.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iceTelemetryLogtte = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\procesosCUI7254178000020150023000.exe\"" | procesosCUI7254178000020150023000.exe
Checks whether UAC is enabled (4 IoCs; signature name as listed in the process tree below)
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Vespre.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | procesosCUI7254178000020150023000.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | ip-api.com
Modifies Security services (2 TTPs, 16 IoCs)
Modifies the startup behavior of a security service.
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdFilter\Start = "4" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdBoot\Start = "4" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdBoot\Start = "4" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdNisDrv\Start = "4" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdFilter\Start = "4" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdNisSvc\Start = "4" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdNisDrv\Start = "4" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WdNisSvc\Start = "4" | procesosCUI7254178000020150023000.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | Process | procid_target
PID 2488 set thread context of 3040 | 2488 | procesosCUI7254178000020150023000.exe | 32
PID 2112 set thread context of 1076 | 2112 | Vespre.exe | 44
System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vssadmin.exe (2 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe (2 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Vespre.exe (2 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe (4 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | procesosCUI7254178000020150023000.exe (2 entries)
Interacts with shadow copies (3 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | Process
2164 | vssadmin.exe
2436 | vssadmin.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | Process
2060 | schtasks.exe
1964 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
pid | Process
2888 | taskmgr.exe (14 entries)
2680 | powershell.exe
2304 | powershell.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | Process
2888 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
description | pid | Process
Token: SeDebugPrivilege | 2888 | taskmgr.exe
Token: SeDebugPrivilege | 3040 | procesosCUI7254178000020150023000.exe
Token: SeBackupPrivilege | 572 | vssvc.exe
Token: SeRestorePrivilege | 572 | vssvc.exe
Token: SeAuditPrivilege | 572 | vssvc.exe
Token: SeDebugPrivilege | 2680 | powershell.exe
Token: SeDebugPrivilege | 1076 | Vespre.exe
Token: SeDebugPrivilege | 2304 | powershell.exe
Suspicious use of FindShellTrayWindow (40 IoCs)
Processes:
pid | Process
2888 | taskmgr.exe (40 entries)
Suspicious use of SendNotifyMessage (40 IoCs)
Processes:
pid | Process
2888 | taskmgr.exe (40 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | Process
1076 | Vespre.exe
Suspicious use of WriteProcessMemory (54 IoCs)
Processes:
description | pid | Process | procid_target
PID 2488 wrote to memory of 3040 | 2488 | procesosCUI7254178000020150023000.exe | 32 (9 entries)
PID 3040 wrote to memory of 1964 | 3040 | procesosCUI7254178000020150023000.exe | 34 (4 entries)
PID 3040 wrote to memory of 1656 | 3040 | procesosCUI7254178000020150023000.exe | 36 (4 entries)
PID 3040 wrote to memory of 2164 | 3040 | procesosCUI7254178000020150023000.exe | 38 (4 entries)
PID 3040 wrote to memory of 2680 | 3040 | procesosCUI7254178000020150023000.exe | 41 (4 entries)
PID 3040 wrote to memory of 2112 | 3040 | procesosCUI7254178000020150023000.exe | 43 (4 entries)
PID 2112 wrote to memory of 1076 | 2112 | Vespre.exe | 44 (9 entries)
PID 1076 wrote to memory of 2060 | 1076 | Vespre.exe | 45 (4 entries)
PID 1076 wrote to memory of 2264 | 1076 | Vespre.exe | 47 (4 entries)
PID 1076 wrote to memory of 2436 | 1076 | Vespre.exe | 49 (4 entries)
PID 1076 wrote to memory of 2304 | 1076 | Vespre.exe | 51 (4 entries)
System policy modification (1 TTP, 6 IoCs)
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | procesosCUI7254178000020150023000.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Vespre.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Vespre.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Indentation reflects the process tree depth; level numbers are those shown in the report.)

Level 1: C:\Users\Admin\AppData\Local\Temp\procesosCUI7254178000020150023000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\procesosCUI7254178000020150023000.exe"
  PID: 2488
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\procesosCUI7254178000020150023000.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\procesosCUI7254178000020150023000.exe"
    PID: 3040
    - Modifies Windows Defender Real-time Protection settings
    - Modifies security service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Security services
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iceTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Local\Temp\procesosCUI7254178000020150023000.exe" /f
      PID: 1964
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /delete /tn "iceTelemetryLogtte" /f
      PID: 1656
      - System Location Discovery: System Language Discovery

    Level 3: C:\Windows\SysWOW64\vssadmin.exe
      Command line: "vssadmin" delete shadows /all /quiet
      PID: 2164
      - System Location Discovery: System Language Discovery
      - Interacts with shadow copies

    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell" Get-MpPreference -verbose
      PID: 2680
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
      Command line: "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
      PID: 2112
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe
        Command line: "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe"
        PID: 1076
        - Modifies Windows Defender Real-time Protection settings
        - Modifies security service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Modifies Security services
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        Level 5: C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks" /create /tn "\Microsoft\Windows\System\Dev34\Files\iceTelemetryLogtte" /SC MINUTE /MO 3 /RL HIGHEST /tr "C:\Users\Admin\AppData\Roaming\GPret\Vespre.exe" /f
          PID: 2060
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

        Level 5: C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks" /delete /tn "iceTelemetryLogtte" /f
          PID: 2264
          - System Location Discovery: System Language Discovery

        Level 5: C:\Windows\SysWOW64\vssadmin.exe
          Command line: "vssadmin" delete shadows /all /quiet
          PID: 2436
          - System Location Discovery: System Language Discovery
          - Interacts with shadow copies

        Level 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "powershell" Get-MpPreference -verbose
          PID: 2304
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

Level 1: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2888
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Level 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 572
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
(Counts in parentheses are the number of matching signatures per technique, as shown in the report.)
Execution
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Impair Defenses (5)
  - Disable or Modify Tools (4)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (8)
Downloads

Filesize: 84B
MD5: 0670ea91a3ff99e765de101bacc1ce56
SHA1: 3b83e99ae94105ffe78aab1b4e2dab1187b4b0f7
SHA256: 7dc01c0f1c1d2aa56555d951562ebc455718d3ca7c8e25bd59d42ad5b46b2f2b
SHA512: 4063b047638fd8cf8927bd360e2426416a6f154a986ad9f6b2c2d6278f7aab41f96c0c9e32c042d3d32fc6779d204012890f76e389681f6f63985b4f93a6d84d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I2NE5WH7G5ND4JRTCXDT.temp
Filesize: 7KB
MD5: c2117a08626426f38747106aa4ac9f27
SHA1: cc351a1d1d27b9f9aeec4a79d4e0dac5ed43bc97
SHA256: abb10f88193c404b76ce46c273c7b55962358662776049bae3a65232bf026c37
SHA512: 5d1b283d0a2b397754e4e50b118f3d63e1d622851a053da0b4eaa8a00ebea79132973979a7e7fc9d62958d06117f8340876059b2ed03c41ed4fa1eae0a6d6042

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: be863b51cdc1a6188dcb6c8c4a40324b
SHA1: 3e8c5526e51e5c319746bf535fcb3095d9044129
SHA256: 986ca04e959761690bd9f465b426d77ad4c8d4e1f2190b9ed26890fd6e8024af
SHA512: b6666e0de4c34b2642920bf54cc0ca4b9bf64fd60ddab79af7a459d03ed956878908c61499102560028ee667ce9df60e63cea14f4ae015d2ff0718af11b271ed

Filesize: 908KB (hashes identical to the submitted sample)
MD5: e93703d8357807ba8be42ce5bd71d99b
SHA1: f557b727748f4aa01265b2bc8e46b6201b5f3b7c
SHA256: fa083a970c90e1e17f4aa83ccd7f0bf52b5e0f35eaf4eeda73abdc115d9b55b9
SHA512: b8ad5c57586b70a769d1f9562148de63a3c5835d6a35d3302f33d4d20619254ae5ae6a1703fb26aaa574d96ba15b053359fe0b17059577256a86ebeb53a9b5af