Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 22:20
Static task: static1
Behavioral task behavioral1: Sample 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample .dll, Resource win7-20241010-en
Behavioral task behavioral4: Sample .dll, Resource win10v2004-20241007-en
General
Target: 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe
Size: 6.3MB
MD5: b43c9bd4a44f5b1ea78b2e77e97dc16a
SHA1: 3d5e32b4b26d404337d2ae3276029fc069159e67
SHA256: 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4
SHA512: ffe0b988646e39b61bf0a8244dc00eb666a631f390c2f9195c731ffcb39314283e3ddbeb1ff678d09b14bfa5a4703576e150de3e2437edc57bcd3d1dd53ef96d
SSDEEP: 49152:oBOZB05ydBveP6LYo4/iB8nQTIDMsLMmPQyIxiyFioTd3NCWpG4Vpw:6SMMBveMYb/iE3MmPx0TddCC
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs (signature name inferred from the process-tree tags on PIDs 1828 and 728; the heading did not survive extraction)
pid | Process
1828 | powershell.exe
728 | powershell.exe
Uses the VBS compiler for execution 1 TTPs
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3896 set thread context of 1136 | 3896 | 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | 99
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\SvcManager\svcmgr.exe | vbc.exe
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (5 events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe (2 events)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3184 | cmd.exe
4544 | PING.EXE
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4544 | PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1828 | powershell.exe (2 events)
728 | powershell.exe (2 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1828 | powershell.exe
Token: SeDebugPrivilege | 728 | powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3896 | 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe (2 events)
Suspicious use of WriteProcessMemory 40 IoCs
Source PID | Source process | Target PID | procid_target | Writes
3896 | 8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe | 1136 | 99 | 10
1136 | vbc.exe | 4928 | 101 | 3
4928 | cmd.exe | 2892 | 102 | 3
2892 | net.exe | 3564 | 103 | 3
1136 | vbc.exe | 1436 | 104 | 3
1436 | cmd.exe | 1828 | 105 | 3
1136 | vbc.exe | 4804 | 107 | 3
4804 | cmd.exe | 728 | 108 | 3
1136 | vbc.exe | 3472 | 110 | 3
1136 | vbc.exe | 3184 | 111 | 3
3184 | cmd.exe | 4544 | 113 | 3
Each row collapses the identical "PID X wrote to memory of Y" entries the report lists repeatedly; 40 entries in total. The three writes from each cmd.exe, net.exe and vbc.exe parent into its child are the normal spawn pattern; the ten writes from 3896 into 1136, paired with the SetThreadContext signature above, are the injection.
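The signature tables above list 40 WriteProcessMemory events but only one SetThreadContext, and that difference is the whole story: a parent writes into every child it spawns, so WriteProcessMemory alone is noise, while WriteProcessMemory followed by SetThreadContext from the same source into the same target is process hollowing. The script below is an added example for this report, not sandbox output; its event tuples are constructed from the PIDs, images and counts printed in the tables, the tuple layout is an assumption rather than any real sandbox or EDR schema, and the DOTNET_HOSTS list is an illustrative set of .NET Framework binaries commonly chosen as hollowing targets.

```python
"""Correlate WriteProcessMemory with SetThreadContext to separate process
hollowing from ordinary parent-to-child spawn writes.

Added example for this report. Events are constructed from the signature
tables above; the (api, source_pid, source_image, target_pid, target_image)
layout is an assumption, not a sandbox export format.
"""
from collections import Counter

SAMPLE = "8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe"

# .NET Framework binaries routinely used as hollowing hosts (illustrative list).
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe", "applaunch.exe"}


def _writes(src_pid, src_img, tgt_pid, tgt_img, n):
    """n identical WriteProcessMemory records, as the report repeats them."""
    return [("WriteProcessMemory", src_pid, src_img, tgt_pid, tgt_img)] * n


# Constructed from the report: 10 writes plus SetThreadContext into vbc.exe,
# then 3 writes per ordinary parent -> child spawn (40 writes in total).
API_EVENTS = (
    _writes(3896, SAMPLE, 1136, "vbc.exe", 10)
    + [("SetThreadContext", 3896, SAMPLE, 1136, "vbc.exe")]
    + _writes(1136, "vbc.exe", 4928, "cmd.exe", 3)
    + _writes(4928, "cmd.exe", 2892, "net.exe", 3)
    + _writes(2892, "net.exe", 3564, "net1.exe", 3)
    + _writes(1136, "vbc.exe", 1436, "cmd.exe", 3)
    + _writes(1436, "cmd.exe", 1828, "powershell.exe", 3)
    + _writes(1136, "vbc.exe", 4804, "cmd.exe", 3)
    + _writes(4804, "cmd.exe", 728, "powershell.exe", 3)
    + _writes(1136, "vbc.exe", 3472, "cmd.exe", 3)
    + _writes(1136, "vbc.exe", 3184, "cmd.exe", 3)
    + _writes(3184, "cmd.exe", 4544, "PING.EXE", 3)
)


def write_counts(events):
    """Number of WriteProcessMemory calls per (source_pid, target_pid) pair."""
    return Counter((e[1], e[3]) for e in events if e[0] == "WriteProcessMemory")


def find_hollowing(events):
    """Pairs where the source both wrote into the target and replaced a thread
    context there. The loader writes into every freshly created child, so
    WriteProcessMemory by itself is expected; SetThreadContext on top of it
    is the hollowing tell."""
    counts = write_counts(events)
    ctx_pairs = {(e[1], e[3]) for e in events if e[0] == "SetThreadContext"}
    images = {(e[1], e[3]): (e[2], e[4]) for e in events}
    hits = []
    for pair in sorted(ctx_pairs & set(counts)):
        src_img, tgt_img = images[pair]
        hits.append({
            "source_pid": pair[0], "source_image": src_img,
            "target_pid": pair[1], "target_image": tgt_img,
            "writes": counts[pair],
            "dotnet_host_target": tgt_img.lower() in DOTNET_HOSTS,
        })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(API_EVENTS):
        print(hit)
    counts = write_counts(API_EVENTS)
    print(f"{len(counts)} writer/target pairs, {sum(counts.values())} writes total")
```

Run against the constructed events it reports exactly one pair, 3896 into 1136 (vbc.exe) with ten writes, and leaves the ten three-write spawn pairs alone; on real telemetry the same join is what turns a noisy WriteProcessMemory feed into a usable injection alert.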
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe (PID 3896)
    command line: "C:\Users\Admin\AppData\Local\Temp\8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1136)
        command line: "{path}"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (PID 4928)
            command line: C:\Windows\system32\cmd.exe /c net user %username%
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\net.exe (PID 2892)
                command line: net user Admin
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\net1.exe (PID 3564)
                    command line: C:\Windows\system32\net1 user Admin
                    - System Location Discovery: System Language Discovery
        [3] C:\Windows\SysWOW64\cmd.exe (PID 1436)
            command line: C:\Windows\system32\cmd.exe /c powershell.exe Set-ExecutionPolicy bypass -Force
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1828)
                command line: powershell.exe Set-ExecutionPolicy bypass -Force
                - Command and Scripting Interpreter: PowerShell
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\cmd.exe (PID 4804)
            command line: C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 728)
                command line: powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager
                - Command and Scripting Interpreter: PowerShell
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\cmd.exe (PID 3472)
            command line: C:\Windows\system32\cmd.exe /c rd /s /q C:\Windows\SvcManager
            - System Location Discovery: System Language Discovery
        [3] C:\Windows\SysWOW64\cmd.exe (PID 3184)
            command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\PING.EXE (PID 4544)
                command line: ping 1.1.1.1 -n 1 -w 3000
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
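Everything the hollowed vbc.exe does afterwards is visible on the command line: it weakens the PowerShell execution policy, adds a Defender exclusion for its drop directory C:\Windows\SvcManager, removes that directory again, and finally uses ping as a sleep before deleting the vbc.exe it was running inside. The script below is an added example for this report, not sandbox output: the process records are constructed from the tree above (pid, parent pid, image, command line), the rule names are my own, and real telemetry such as Sysmon event 1 carries the same fields under other names. The compiler-spawns-shell rule generalises beyond this sample to csc.exe and MSBuild.exe, which are hollowed the same way.

```python
"""Command-line detections for the post-injection activity in the process
tree above. Added example for this report; process records are constructed
from the tree and the rule names are assumptions, not a vendor schema.
"""
import re

SAMPLE = "8a2318758171d7ed4d6f1732bf8606fb7c14049b15128babf55dd61e9b7422e4.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (pid, ppid, image, command_line) in tree order; ppid 0 marks the root.
PROCESS_EVENTS = [
    (3896, 0,    SAMPLE,           f'"{TEMP}\\{SAMPLE}"'),
    (1136, 3896, "vbc.exe",        '"{path}"'),
    (4928, 1136, "cmd.exe",        r"C:\Windows\system32\cmd.exe /c net user %username%"),
    (2892, 4928, "net.exe",        "net user Admin"),
    (3564, 2892, "net1.exe",       r"C:\Windows\system32\net1 user Admin"),
    (1436, 1136, "cmd.exe",        r"C:\Windows\system32\cmd.exe /c powershell.exe Set-ExecutionPolicy bypass -Force"),
    (1828, 1436, "powershell.exe", "powershell.exe Set-ExecutionPolicy bypass -Force"),
    (4804, 1136, "cmd.exe",        r"C:\Windows\system32\cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager"),
    (728,  4804, "powershell.exe", r"powershell.exe Add-MpPreference -ExclusionPath C:\Windows\SvcManager"),
    (3472, 1136, "cmd.exe",        r"C:\Windows\system32\cmd.exe /c rd /s /q C:\Windows\SvcManager"),
    (3184, 1136, "cmd.exe",        r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'),
    (4544, 3184, "PING.EXE",       "ping 1.1.1.1 -n 1 -w 3000"),
]

# A compiler binary has no legitimate reason to spawn a shell or script host.
COMPILER_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

COMMAND_LINE_RULES = [
    ("defender_exclusion_added",
     re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)\b", re.I)),
    ("execution_policy_weakened",
     re.compile(r"set-executionpolicy\s+(?:bypass|unrestricted)\b", re.I)),
    # ping used as a sleep, then del: the usual self-removal one-liner
    ("ping_delay_then_delete",
     re.compile(r"\bping\b.*-n\s+\d+.*&\s*del\b", re.I)),
]
EXCLUSION_PATH = re.compile(r'-exclusionpath\s+"?([^"\s]+)', re.I)


def detect(events):
    """One {pid, image, rule} hit per rule that fires on each record."""
    image_of = {pid: image for pid, _, image, _ in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        for name, pattern in COMMAND_LINE_RULES:
            if pattern.search(cmdline):
                hits.append({"pid": pid, "image": image, "rule": name})
        if image.lower() in SHELLS and image_of.get(ppid, "").lower() in COMPILER_HOSTS:
            hits.append({"pid": pid, "image": image, "rule": "compiler_spawned_shell"})
    return hits


def exclusion_paths(events):
    """Paths the sample excluded from Defender: the first place to look on a live host."""
    return sorted({m.group(1) for *_, cmdline in events
                   for m in EXCLUSION_PATH.finditer(cmdline)})


if __name__ == "__main__":
    for hit in detect(PROCESS_EVENTS):
        print(f"pid {hit['pid']:>5} {hit['image']:<15} {hit['rule']}")
    print("Defender exclusions added:", exclusion_paths(PROCESS_EVENTS))
```

The cmd.exe wrapper and the powershell.exe it launches both match the PowerShell rules, which is intended: either one may be the only record an EDR keeps. The exclusion path is worth extracting on its own, because an excluded directory that the sample then deletes (the rd /s /q above) still leaves the exclusion in place for whatever is dropped there later.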
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
MD5: e03d3a9e96ae6dbee071f3bbf77b4f98
SHA1: 3b104c534a7666859ff786c1e29fd03f0dc9c100
SHA256: 183fe219bc796c2f6e20829319934fa116724396b22e57b66a55b6688281cf89
SHA512: 1b7aa7448c409502774aa7adf897b1149641afe34af5e4fe7ba0beeb0809620e63d2cb9aed4fd14c176dda64347e92d701b7eec1cb3ed78d17f3de7e79a0a0ec

Filesize: 16KB
MD5: 86f3315cf8c80832e417d2593259a196
SHA1: 35794253d9281792ad2583d393e76ff81009390b
SHA256: 713f0b56be363372d2f685ad020c610dd04387ecdfa4c55ce3d016b7193a167e
SHA512: aa504a4717164523d7ddbce1a6d024116d12a30d9a0e0736869d293ea04a6ec11b4ee35960c6277de061006058e92f44f1020904e68d8ff3119a70f2971ae010

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82