Analysis

  • max time kernel
    12s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    19-07-2021 15:12

General

  • Target

    vape-all-versions_439051442.exe

  • Size

    8.9MB

  • MD5

    8de7400fa27c961d147b562df83afba5

  • SHA1

    5c7a89c25a58ea3adfb954371d740f6f59a6bb97

  • SHA256

    c1103a810f1b3a5abd360c04fe1effce6b90d88e30f283d92417ac1fcf72ca84

  • SHA512

    27738d8c2eac4d39713ea0f455718cd36f538763e888744def2bdf70da8996d86f1bab66ff708d3c1ffa210cc9c9a2cc0d7bc46c7ce4f0b747b33753621a5fa3

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vape-all-versions_439051442.exe
    "C:\Users\Admin\AppData\Local\Temp\vape-all-versions_439051442.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\is-RVUEQ.tmp\vape-all-versions_439051442.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RVUEQ.tmp\vape-all-versions_439051442.tmp" /SL5="$20110,8644647,773120,C:\Users\Admin\AppData\Local\Temp\vape-all-versions_439051442.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Program Files (x86)\Ffector saver\fmanager.exe
        "C:\Program Files (x86)\Ffector saver\fmanager.exe" vape-all-versions_439051442.exe
        3⤵
        • Executes dropped EXE
        PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 1

Downloads

  • C:\Program Files (x86)\Ffector saver\fmanager.exe
    MD5

    d3a9995922c9bae5c8a138702cf69697

    SHA1

    a85f6e8b1ec2f7a70f4ea39732b19f6e174d3935

    SHA256

    31d443de8a9e6df658441d71d0a15f6ea2ab979e5bf55d9caaaccd0594b46da8

    SHA512

    eaa3acefa52dcbb70eb83b157b91512d765591fa6b4be73af75b276216e8d3a0f1bc812422af2e526897be7b0bfd4a7436561f6baa4a3946875e452072c0e8d7

  • C:\Users\Admin\AppData\Local\Temp\is-RVUEQ.tmp\vape-all-versions_439051442.tmp
    MD5

    ced227b04c706dd0725fc8a6d9cc5848

    SHA1

    a0466f62fb5e8607d422126c87b0e66bbe023ac1

    SHA256

    27ca56dd67d6bacddbcdffa36f5aca9ec8d1fb526bda6c6785c216bb94849a90

    SHA512

    efad1f700541a7a1cdd37b1e9a055096faa3bd5778d6b96ea3a4af63f9e62346ac7970fbd48c58d260c557b024740ff639a36d0fae0a7cdcdeddd37950394faa

  • memory/2456-115-0x0000000000000000-mapping.dmp
  • memory/2456-119-0x00000000007C0000-0x000000000090A000-memory.dmp
    Filesize

    1.3MB

  • memory/3016-117-0x0000000000400000-0x00000000004CA000-memory.dmp
    Filesize

    808KB

  • memory/4032-120-0x0000000000000000-mapping.dmp