96d4253f2a5f87da558797243cf65ebbc3f53fd0a5773e689f90dcf7f5db1abb

General

Target

vape-all-versions_439051442.exe
Size

8.9MB
MD5

8de7400fa27c961d147b562df83afba5
SHA1

5c7a89c25a58ea3adfb954371d740f6f59a6bb97
SHA256

c1103a810f1b3a5abd360c04fe1effce6b90d88e30f283d92417ac1fcf72ca84
SHA512

27738d8c2eac4d39713ea0f455718cd36f538763e888744def2bdf70da8996d86f1bab66ff708d3c1ffa210cc9c9a2cc0d7bc46c7ce4f0b747b33753621a5fa3

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

vape-all-versions_439051442.tmpfmanager.exe

pid process

2456 vape-all-versions_439051442.tmp
4032 fmanager.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2456	vape-all-versions_439051442.tmp
4032	fmanager.exe

Drops file in Program Files directory 17 IoCs

Processes:

vape-all-versions_439051442.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ffector saver\fsaver3.chm	vape-all-versions_439051442.tmp
File opened for modification	C:\Program Files (x86)\Ffector saver\fproc.dll	vape-all-versions_439051442.tmp
File opened for modification	C:\Program Files (x86)\Ffector saver\unins000.dat	vape-all-versions_439051442.tmp
File created	C:\Program Files (x86)\Ffector saver\is-6304G.tmp	vape-all-versions_439051442.tmp
File opened for modification	C:\Program Files (x86)\Ffector saver\7z.dll	vape-all-versions_439051442.tmp
File opened for modification	C:\Program Files (x86)\Ffector saver\libeay32.dll	vape-all-versions_439051442.tmp
File opened for modification	C:\Program Files (x86)\Ffector saver\ssleay32.dll	vape-all-versions_439051442.tmp
File created	C:\Program Files (x86)\Ffector saver\is-FUN8I.tmp	vape-all-versions_439051442.tmp
File created	C:\Program Files (x86)\Ffector saver\is-8EOUB.tmp	vape-all-versions_439051442.tmp
File created	C:\Program Files (x86)\Ffector saver\is-IQ35D.tmp	vape-all-versions_439051442.tmp
File created	C:\Program Files (x86)\Ffector saver\locale\en\is-1CS50.tmp	vape-all-versions_439051442.tmp
File opened for modification	C:\Program Files (x86)\Ffector saver\fmanager.exe	vape-all-versions_439051442.tmp
File created	C:\Program Files (x86)\Ffector saver\unins000.dat	vape-all-versions_439051442.tmp
File created	C:\Program Files (x86)\Ffector saver\is-24352.tmp	vape-all-versions_439051442.tmp
File created	C:\Program Files (x86)\Ffector saver\is-JGT57.tmp	vape-all-versions_439051442.tmp
File created	C:\Program Files (x86)\Ffector saver\is-SPCL5.tmp	vape-all-versions_439051442.tmp
File created	C:\Program Files (x86)\Ffector saver\is-GOVCH.tmp	vape-all-versions_439051442.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vape-all-versions_439051442.tmp

pid process

2456 vape-all-versions_439051442.tmp
2456 vape-all-versions_439051442.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vape-all-versions_439051442.tmp

pid process

2456 vape-all-versions_439051442.tmp

pid	process
2456	vape-all-versions_439051442.tmp
2456	vape-all-versions_439051442.tmp

pid	process
2456	vape-all-versions_439051442.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

vape-all-versions_439051442.exevape-all-versions_439051442.tmp

description	pid	process	target process
PID 3016 wrote to memory of 2456	3016	vape-all-versions_439051442.exe	vape-all-versions_439051442.tmp
PID 3016 wrote to memory of 2456	3016	vape-all-versions_439051442.exe	vape-all-versions_439051442.tmp
PID 3016 wrote to memory of 2456	3016	vape-all-versions_439051442.exe	vape-all-versions_439051442.tmp
PID 2456 wrote to memory of 4032	2456	vape-all-versions_439051442.tmp	fmanager.exe
PID 2456 wrote to memory of 4032	2456	vape-all-versions_439051442.tmp	fmanager.exe
PID 2456 wrote to memory of 4032	2456	vape-all-versions_439051442.tmp	fmanager.exe

C:\Users\Admin\AppData\Local\Temp\vape-all-versions_439051442.exe
"C:\Users\Admin\AppData\Local\Temp\vape-all-versions_439051442.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\is-RVUEQ.tmp\vape-all-versions_439051442.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RVUEQ.tmp\vape-all-versions_439051442.tmp" /SL5="$20110,8644647,773120,C:\Users\Admin\AppData\Local\Temp\vape-all-versions_439051442.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2456

C:\Program Files (x86)\Ffector saver\fmanager.exe
"C:\Program Files (x86)\Ffector saver\fmanager.exe" vape-all-versions_439051442.exe
3⤵
- Executes dropped EXE
PID:4032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ffector saver\fmanager.exe
MD5
d3a9995922c9bae5c8a138702cf69697

SHA1
a85f6e8b1ec2f7a70f4ea39732b19f6e174d3935

SHA256
31d443de8a9e6df658441d71d0a15f6ea2ab979e5bf55d9caaaccd0594b46da8

SHA512
eaa3acefa52dcbb70eb83b157b91512d765591fa6b4be73af75b276216e8d3a0f1bc812422af2e526897be7b0bfd4a7436561f6baa4a3946875e452072c0e8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RVUEQ.tmp\vape-all-versions_439051442.tmp
MD5
ced227b04c706dd0725fc8a6d9cc5848

SHA1
a0466f62fb5e8607d422126c87b0e66bbe023ac1

SHA256
27ca56dd67d6bacddbcdffa36f5aca9ec8d1fb526bda6c6785c216bb94849a90

SHA512
efad1f700541a7a1cdd37b1e9a055096faa3bd5778d6b96ea3a4af63f9e62346ac7970fbd48c58d260c557b024740ff639a36d0fae0a7cdcdeddd37950394faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RVUEQ.tmp\vape-all-versions_439051442.tmp
MD5
ced227b04c706dd0725fc8a6d9cc5848

SHA1
a0466f62fb5e8607d422126c87b0e66bbe023ac1

SHA256
27ca56dd67d6bacddbcdffa36f5aca9ec8d1fb526bda6c6785c216bb94849a90

SHA512
efad1f700541a7a1cdd37b1e9a055096faa3bd5778d6b96ea3a4af63f9e62346ac7970fbd48c58d260c557b024740ff639a36d0fae0a7cdcdeddd37950394faa

Download Submit
memory/2456-115-0x0000000000000000-mapping.dmp

Download
memory/2456-119-0x00000000007C0000-0x000000000090A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-117-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/4032-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing