Analysis
- max time kernel: 43s
- max time network: 56s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 13-06-2022 01:51
Static task: static1

Behavioral task: behavioral1
- Sample: VAPE4.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: VAPE4.exe
- Resource: win10v2004-20220414-en
- Platform: windows10-2004_x64
- 0 signatures
- 0 seconds

Errors
- Reason: Machine shutdown
General
- Target: VAPE4.exe
- Size: 37.1MB
- MD5: c735bff65f7005656d1606bed35c8c96
- SHA1: da017a4ab363040ab96fbbd03173e1c01319bd09
- SHA256: afbf5da99b569974c5e8ccec0286cb4ed45401cce45b6f6c7f05a3d5565db7f0
- SHA512: 3bbae0c5c3e2e48e155e0d9eaba955285f4c086acca05d40807cf6037cf5862077878c24235805367f3a1074a715150f7bf96909c31ec5a7c5c4c2e6eff6ca51
- Score: 6/10
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                    ioc                  process
    File opened for modification   \??\physicaldrive0   VAPE4.exe

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    840   VAPE4.exe

- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes:
    description                         pid    process
    Token: SeDebugPrivilege             840    VAPE4.exe
    Token: 33                           1544   AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege   1544   AUDIODG.EXE
    Token: 33                           1544   AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege   1544   AUDIODG.EXE
    Token: SeShutdownPrivilege          268    shutdown.exe
    Token: SeRemoteShutdownPrivilege    268    shutdown.exe
    Token: SeShutdownPrivilege          1048   shutdown.exe
    Token: SeRemoteShutdownPrivilege    1048   shutdown.exe

- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (each row appears 3 times in the report, 24 entries in total):
    description                        pid    process     target process   entries
    PID 840 wrote to memory of 1708    840    VAPE4.exe   cmd.exe          3
    PID 840 wrote to memory of 472     840    VAPE4.exe   cmd.exe          3
    PID 472 wrote to memory of 268     472    cmd.exe     shutdown.exe     3
    PID 840 wrote to memory of 1184    840    VAPE4.exe   cmd.exe          3
    PID 1184 wrote to memory of 1048   1184   cmd.exe     shutdown.exe     3
    PID 840 wrote to memory of 752     840    VAPE4.exe   cmd.exe          3
    PID 752 wrote to memory of 1980    752    cmd.exe     shutdown.exe     3
    PID 840 wrote to memory of 1712    840    VAPE4.exe   cmd.exe          3
Processes
- C:\Users\Admin\AppData\Local\Temp\VAPE4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VAPE4.exe"
  Signatures: Writes to the Master Boot Record (MBR); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c color c1
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c shutdown -s -t 0
    Signatures: Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\shutdown.exe
      Command line: shutdown -s -t 0
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c shutdown -s -t 0
    Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c shutdown -s -t 0
    Signatures: Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\shutdown.exe
      Command line: shutdown -s -t 0
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c shutdown -s -t 0
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x514
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\shutdown.exe
  Command line: shutdown -s -t 0
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/268-56-0x0000000000000000-mapping.dmp
- memory/472-55-0x0000000000000000-mapping.dmp
- memory/752-60-0x0000000000000000-mapping.dmp
- memory/828-57-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp (Filesize: 8KB)
- memory/1048-59-0x0000000000000000-mapping.dmp
- memory/1184-58-0x0000000000000000-mapping.dmp
- memory/1708-54-0x0000000000000000-mapping.dmp
- memory/1712-62-0x0000000000000000-mapping.dmp
- memory/1980-61-0x0000000000000000-mapping.dmp