fa0698c6c51ff98d404bda2d90397aba8a03488cbe55fb62f1f02db7c63150b8

General

Target

VitalInstaller.exe
Size

23.6MB
MD5

e21bfcc2a8f2a46655bb7192858c7160
SHA1

33c9e1f6977d040bad6ec7ff52e2042a9e1ad976
SHA256

fa0698c6c51ff98d404bda2d90397aba8a03488cbe55fb62f1f02db7c63150b8
SHA512

c87e19708188b8dea23a6b073e8b2faa1deed78ec7d07fff844615dc89997e4d4d30cee4c2c8ea6c2fb1327e27badfe4846dc7e146238cb43879ff09c433a2e9

Score

8^/10

discovery

Executes dropped EXE 1 IoCs

pid	Process
3920	VitalInstaller.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Steinberg\VstPlugins\Vital.dll	VitalInstaller.tmp
File created	C:\Program Files\Common Files\VST3\is-P8CVO.tmp	VitalInstaller.tmp
File created	C:\Program Files\Vital\stub\is-B58QA.tmp	VitalInstaller.tmp
File opened for modification	C:\Program Files\Vital\unins000.dat	VitalInstaller.tmp
File created	C:\Program Files\Vital\is-VDL3E.tmp	VitalInstaller.tmp
File created	C:\Program Files\Vital\unins000.msg	VitalInstaller.tmp
File opened for modification	C:\Program Files\Vital\Vital.exe	VitalInstaller.tmp
File opened for modification	C:\Program Files\Vital\stub\vc_redist.x64.exe	VitalInstaller.tmp
File created	C:\Program Files\Vital\unins000.dat	VitalInstaller.tmp
File created	C:\Program Files\Vital\is-VAGF9.tmp	VitalInstaller.tmp
File created	C:\Program Files\Vital\is-KGJLA.tmp	VitalInstaller.tmp
File created	C:\Program Files\Steinberg\VstPlugins\is-GI2H4.tmp	VitalInstaller.tmp

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\DefaultIcon	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\DefaultIcon\ = "C:\\Program Files\\Vital\\vital_icon.ico,0"	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell\open	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell\open\command\ = "\"C:\\Program Files\\Vital\\Vital.exe\" \"%1\""	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vital\ = "Vital"	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\ = "Program Vital"	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell\open\command	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vital	VitalInstaller.tmp

Suspicious behavior: EnumeratesProcesses 24 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	taskmgr.exe
Token: SeSystemProfilePrivilege	1104	taskmgr.exe
Token: SeCreateGlobalPrivilege	1104	taskmgr.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Suspicious use of SendNotifyMessage 33 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 3920	1160	VitalInstaller.exe	75
PID 1160 wrote to memory of 3920	1160	VitalInstaller.exe	75
PID 1160 wrote to memory of 3920	1160	VitalInstaller.exe	75

C:\Users\Admin\AppData\Local\Temp\VitalInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\VitalInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\is-4LA5C.tmp\VitalInstaller.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4LA5C.tmp\VitalInstaller.tmp" /SL5="$30070,23804395,1039360,C:\Users\Admin\AppData\Local\Temp\VitalInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3920