1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc

General

Target

1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe
Size

275KB
MD5

d785e64bc3533bd6a2f69d82d50bc33b
SHA1

83963a262d48ad7b10151c3be7748ab15086a826
SHA256

1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc
SHA512

93796bbed214a4ff97f10b497cb0b42ed37d0e138a2e0b3dded99707251cfafe3b83abd3e69ca8c20991338f7f03885da573872ea6c79b95af043bb361e2decc

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vtnclncf.exe

pid process

2032 vtnclncf.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1180-55-0x0000000000400000-0x000000000045A000-memory.dmp	upx
\Users\Admin\AppData\Roaming\vtnclncf.exe	upx
C:\Users\Admin\AppData\Roaming\vtnclncf.exe	upx
C:\Users\Admin\AppData\Roaming\vtnclncf.exe	upx

Loads dropped DLL 1 IoCs

Processes:

1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe

pid process

1180 1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe

pid	process
1180	1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\vtnclncf.exe = "C:\\Users\\Admin\\AppData\\Roaming\\vtnclncf.exe"	1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

vtnclncf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	vtnclncf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	vtnclncf.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	vtnclncf.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

vtnclncf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	vtnclncf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vtnclncf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vtnclncf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vtnclncf.exe

pid	process
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe
2032	vtnclncf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vtnclncf.exe

pid process

2032 vtnclncf.exe
2032 vtnclncf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe

description	pid	process	target process
PID 1180 wrote to memory of 2032	1180	1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe	vtnclncf.exe
PID 1180 wrote to memory of 2032	1180	1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe	vtnclncf.exe
PID 1180 wrote to memory of 2032	1180	1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe	vtnclncf.exe
PID 1180 wrote to memory of 2032	1180	1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe	vtnclncf.exe

C:\Users\Admin\AppData\Local\Temp\1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe
"C:\Users\Admin\AppData\Local\Temp\1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Roaming\vtnclncf.exe
"C:\Users\Admin\AppData\Roaming\vtnclncf.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4u242q45iufmyjg5.dat
Filesize
8B

MD5
da3364ba3b9592d4a22c4031f48aa26a

SHA1
7e46426b1ab0cebc7e88cbf3703132347819da3f

SHA256
4b621e863657c8b738c116e5691f70a3a4c0dcf9ba51bd27036a5a2844ec8c1d

SHA512
3859105d098ef9ce7ac5e025135a2d90dd2bda27d7b777391611d6a4c51710ae6c56aeddb2b9c47746a957010282cd00e3c75a55be911016f11a3a1668997678

Download Submit
C:\Users\Admin\AppData\Roaming\vtnclncf.exe
Filesize
275KB

MD5
d785e64bc3533bd6a2f69d82d50bc33b

SHA1
83963a262d48ad7b10151c3be7748ab15086a826

SHA256
1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc

SHA512
93796bbed214a4ff97f10b497cb0b42ed37d0e138a2e0b3dded99707251cfafe3b83abd3e69ca8c20991338f7f03885da573872ea6c79b95af043bb361e2decc

Download Submit
C:\Users\Admin\AppData\Roaming\vtnclncf.exe
Filesize
275KB

MD5
d785e64bc3533bd6a2f69d82d50bc33b

SHA1
83963a262d48ad7b10151c3be7748ab15086a826

SHA256
1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc

SHA512
93796bbed214a4ff97f10b497cb0b42ed37d0e138a2e0b3dded99707251cfafe3b83abd3e69ca8c20991338f7f03885da573872ea6c79b95af043bb361e2decc

Download Submit
\Users\Admin\AppData\Roaming\vtnclncf.exe
Filesize
275KB

MD5
d785e64bc3533bd6a2f69d82d50bc33b

SHA1
83963a262d48ad7b10151c3be7748ab15086a826

SHA256
1139b174bfc32ce3c26494dd59585c6fd4b199084d8d4b0e439703a25b4f29dc

SHA512
93796bbed214a4ff97f10b497cb0b42ed37d0e138a2e0b3dded99707251cfafe3b83abd3e69ca8c20991338f7f03885da573872ea6c79b95af043bb361e2decc

Download Submit
memory/1180-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1180-55-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1180-56-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/1180-57-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1180-62-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download
memory/2032-65-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2032-81-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads