Analysis

- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 09/11/2024, 22:20
Static task: static1

Behavioral task: behavioral1
- Sample: 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe
- Resource: win10v2004-20241007-en

Behavioral task: behavioral3
- Sample: .dll
- Resource: win7-20241010-en

Behavioral task: behavioral4
- Sample: .dll
- Resource: win10v2004-20241007-en
General

- Target: 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe
- Size: 6.3MB
- MD5: b43c9bd4a44f5b1ea78b2e77e97dc16a
- SHA1: 3d5e32b4b26d404337d2ae3276029fc069159e67
- SHA256: 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4
- SHA512: ffe0b988646e39b61bf0a8244dc00eb666a631f390c2f9195c731ffcb39314283e3ddbeb1ff678d09b14bfa5a4703576e150de3e2437edc57bcd3d1dd53ef96d
- SSDEEP: 49152:oBOZB05ydBveP6LYo4/iB8nQTIDMsLMmPQyIxiyFioTd3NCWpG4Vpw:6SMMBveMYb/iE3MmPx0TddCC
Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 2 IoCs

| pid | Process |
|---|---|
| 2608 | powershell.exe |
| 2880 | powershell.exe |

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 1 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1240 set thread context of 2748 | 1240 | 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | 31 |

Drops file in Windows directory 1 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SvcManager\svcmgr.exe | vbc.exe |

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe |

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

| pid | Process |
|---|---|
| 316 | cmd.exe |
| 2888 | PING.EXE |

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

| pid | Process |
|---|---|
| 2888 | PING.EXE |

Suspicious behavior: EnumeratesProcesses 2 IoCs

| pid | Process |
|---|---|
| 2608 | powershell.exe |
| 2880 | powershell.exe |

Suspicious use of AdjustPrivilegeToken 2 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2608 | powershell.exe |
| Token: SeDebugPrivilege | 2880 | powershell.exe |

Suspicious use of SetWindowsHookEx 2 IoCs

| pid | Process |
|---|---|
| 1240 | 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe |
| 1240 | 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe |

Suspicious use of WriteProcessMemory 51 IoCs
Processes

- Process: C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe"
  PID: 1240
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "{path}"
    PID: 2748
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - Process: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net user %username%
      PID: 1228
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Process: C:\Windows\SysWOW64\net.exe
        Command line: net user Admin
        PID: 2772
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - Process: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 user Admin
          PID: 2644
          Signatures: System Location Discovery: System Language Discovery
    - Process: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell.exe Set-ExecutionPolicy bypass -Force
      PID: 2600
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe Set-ExecutionPolicy bypass -Force
        PID: 2608
        Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - Process: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
      PID: 2144
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
        PID: 2880
        Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - Process: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c rd /s /q C:\Windows\SvcManager
      PID: 1648
      Signatures: System Location Discovery: System Language Discovery
    - Process: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 316
      Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
      - Process: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 1.1.1.1 -n 1 -w 3000
        PID: 2888
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 2965be24c44a1089721b8640c5a15fc4
  SHA1: 66d6c947e07ab96d7e7e699fad80b891c3e84f52
  SHA256: 166d46117b8f149bb3c2942f9a297a82d7a499eb4d4fcf39e0c9ca7d1c4f89be
  SHA512: 0bb5ae575618211991a30c0ec7d67fe7e97daa9cf9166a4c32eb1d2a8e79f6012208c96c9986c438a4de6c1fb152a70d97015542b2e338dcb53dfed80bcf85cd