blackmoon | e03193692369abba7bce150aa3d954d6d72653b6eaa64da050ef0b9bbd3cf8b1

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
10-07-2022 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape V4.08.exe
Size

12.3MB
MD5

8a6e94a3f25c16c3589b5d285241aea0
SHA1

621e46fa5c5f6c16a4335e4d9cc246b74b92b22a
SHA256

e03193692369abba7bce150aa3d954d6d72653b6eaa64da050ef0b9bbd3cf8b1
SHA512

eb9e8a7857c060d4283c93a2144d579d183859a6a40b1c0218c7b883571f0d38852710a7e2ad4f6da125ebd7036c594ba72a47f171c243fc74933d331b701571

Score

10^/10

blackmoon banker evasion persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe	family_blackmoon
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp	family_blackmoon
\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp	family_blackmoon
\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp	family_blackmoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

vape.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ vape.exe
Executes dropped EXE 3 IoCs

Processes:

._cache_Vape V4.08.exeSynaptics.exevape.exe

pid process

1036 ._cache_Vape V4.08.exe
740 Synaptics.exe
888 vape.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vape.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

._cache_Vape V4.08.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp"	._cache_Vape V4.08.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/540-79-0x00000000001A0000-0x00000000001AB000-memory.dmp	upx
behavioral1/memory/540-83-0x00000000001A0000-0x00000000001AB000-memory.dmp	upx
behavioral1/memory/824-89-0x00000000001B0000-0x00000000001BB000-memory.dmp	upx
behavioral1/memory/824-90-0x00000000001B0000-0x00000000001BB000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vape.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vape.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vape.exe

Loads dropped DLL 6 IoCs

Processes:

Vape V4.08.exe._cache_Vape V4.08.exesvchost.exerundll32.exe

pid process

1436 Vape V4.08.exe
1436 Vape V4.08.exe
1436 Vape V4.08.exe
1036 ._cache_Vape V4.08.exe
540 svchost.exe
824 rundll32.exe

pid	process
1436	Vape V4.08.exe
1436	Vape V4.08.exe
1436	Vape V4.08.exe
1036	._cache_Vape V4.08.exe
540	svchost.exe
824	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Vape V4.08.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Vape V4.08.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

vape.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vape.exe
Drops file in System32 directory 1 IoCs

Processes:

._cache_Vape V4.08.exe

description ioc process

File created C:\Windows\SysWOW64\Delete00.bat ._cache_Vape V4.08.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

vape.exe

pid process

888 vape.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1496 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vape.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Delete00.bat	._cache_Vape V4.08.exe

pid	process
888	vape.exe

pid	process
1496	sc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

392 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1372 EXCEL.EXE

pid	process
392	PING.EXE

pid	process
1372	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Vape V4.08.exesvchost.exerundll32.exe

pid	process
1036	._cache_Vape V4.08.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
824	rundll32.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe
540	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

._cache_Vape V4.08.exevape.exesvchost.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	1036	._cache_Vape V4.08.exe
Token: SeDebugPrivilege	888	vape.exe
Token: SeDebugPrivilege	888	vape.exe
Token: SeDebugPrivilege	540	svchost.exe
Token: SeDebugPrivilege	824	rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1372 EXCEL.EXE

pid	process
1372	EXCEL.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Vape V4.08.exe._cache_Vape V4.08.execmd.exesvchost.exe

description	pid	process	target process
PID 1436 wrote to memory of 1036	1436	Vape V4.08.exe	._cache_Vape V4.08.exe
PID 1436 wrote to memory of 1036	1436	Vape V4.08.exe	._cache_Vape V4.08.exe
PID 1436 wrote to memory of 1036	1436	Vape V4.08.exe	._cache_Vape V4.08.exe
PID 1436 wrote to memory of 1036	1436	Vape V4.08.exe	._cache_Vape V4.08.exe
PID 1436 wrote to memory of 740	1436	Vape V4.08.exe	Synaptics.exe
PID 1436 wrote to memory of 740	1436	Vape V4.08.exe	Synaptics.exe
PID 1436 wrote to memory of 740	1436	Vape V4.08.exe	Synaptics.exe
PID 1436 wrote to memory of 740	1436	Vape V4.08.exe	Synaptics.exe
PID 1036 wrote to memory of 888	1036	._cache_Vape V4.08.exe	vape.exe
PID 1036 wrote to memory of 888	1036	._cache_Vape V4.08.exe	vape.exe
PID 1036 wrote to memory of 888	1036	._cache_Vape V4.08.exe	vape.exe
PID 1036 wrote to memory of 888	1036	._cache_Vape V4.08.exe	vape.exe
PID 1036 wrote to memory of 1496	1036	._cache_Vape V4.08.exe	sc.exe
PID 1036 wrote to memory of 1496	1036	._cache_Vape V4.08.exe	sc.exe
PID 1036 wrote to memory of 1496	1036	._cache_Vape V4.08.exe	sc.exe
PID 1036 wrote to memory of 1496	1036	._cache_Vape V4.08.exe	sc.exe
PID 1036 wrote to memory of 1676	1036	._cache_Vape V4.08.exe	cmd.exe
PID 1036 wrote to memory of 1676	1036	._cache_Vape V4.08.exe	cmd.exe
PID 1036 wrote to memory of 1676	1036	._cache_Vape V4.08.exe	cmd.exe
PID 1036 wrote to memory of 1676	1036	._cache_Vape V4.08.exe	cmd.exe
PID 1676 wrote to memory of 392	1676	cmd.exe	PING.EXE
PID 1676 wrote to memory of 392	1676	cmd.exe	PING.EXE
PID 1676 wrote to memory of 392	1676	cmd.exe	PING.EXE
PID 1676 wrote to memory of 392	1676	cmd.exe	PING.EXE
PID 540 wrote to memory of 608	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 608	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 608	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 608	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 608	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 608	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 608	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 824	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 824	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 824	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 824	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 824	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 824	540	svchost.exe	rundll32.exe
PID 540 wrote to memory of 824	540	svchost.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Vape V4.08.exe
"C:\Users\Admin\AppData\Local\Temp\Vape V4.08.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe"
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Roaming\vape.exe
    "C:\Users\Admin\AppData\Roaming\vape.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- - C:\Windows\SysWOW64\sc.exe
    sc failure Remote reset= 86400 actions= restart/1000
    3⤵
    - Launches sc.exe
    PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\System32\\Delete00.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:392
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp,init default |540
  2⤵
  PID:608
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp,init default |540
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:824

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe

Filesize
11.5MB

MD5
82fef60d0199e8419392666b0a91c5d9

SHA1
c671905ef7452ab527654ccc9b765aef6822ffaf

SHA256
aa8e053d42b18d924b7870a1956e0f91dfb04a39dad285c5f23a7a699004143e

SHA512
86ffd6a9fc857aa363b6edc53ef469d3203748de06cde156bce1e41d0a403b72ff8a2d7a79f468fc16473ae6c548a1ddc22f27c9a9021099dc998b4f50a2d047

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsr9cyIB.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\vape.exe

Filesize
10.2MB

MD5
1f776b1fa0b6f942c3ee927f98454d6d

SHA1
e0b67b2f3990dd15949ba5aa4a0e2e46f482af51

SHA256
1e960b61f77a0cd31e4947a5d9d1475d7e90d24b122f112fa7c402ccba267f08

SHA512
fc7d5809f8f993eea380eb97cf26e31d9aa09e66d569e5d2a7a14606154f9b198967183b1fe7181a1d76d8d03816c418ac0e7afffb590b70409cb3e42ddf81eb

Download Submit
C:\Windows\SysWOW64\Delete00.bat

Filesize
119B

MD5
1a36b583a9ef6c9b5f86eb08b185cb35

SHA1
3e393270346c0a2abe0b9ed8a69fee1ad5376656

SHA256
80722732cc6abaa35a906088a6fb5a1ec08dd0be3b323be8bf174717e839fe23

SHA512
4754e7070ff76966ce27ba224b6b7ad14a41cc8293cb3e8bd65fe3eae23b70f0896561ad52481ca2876bda23714595829295cb885e2b194e9f45f8f831cf2eb5

Download Submit
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp

Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp

Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp

Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe

Filesize
11.5MB

MD5
82fef60d0199e8419392666b0a91c5d9

SHA1
c671905ef7452ab527654ccc9b765aef6822ffaf

SHA256
aa8e053d42b18d924b7870a1956e0f91dfb04a39dad285c5f23a7a699004143e

SHA512
86ffd6a9fc857aa363b6edc53ef469d3203748de06cde156bce1e41d0a403b72ff8a2d7a79f468fc16473ae6c548a1ddc22f27c9a9021099dc998b4f50a2d047

Download Submit
\Users\Admin\AppData\Roaming\vape.exe

Filesize
10.2MB

MD5
1f776b1fa0b6f942c3ee927f98454d6d

SHA1
e0b67b2f3990dd15949ba5aa4a0e2e46f482af51

SHA256
1e960b61f77a0cd31e4947a5d9d1475d7e90d24b122f112fa7c402ccba267f08

SHA512
fc7d5809f8f993eea380eb97cf26e31d9aa09e66d569e5d2a7a14606154f9b198967183b1fe7181a1d76d8d03816c418ac0e7afffb590b70409cb3e42ddf81eb

Download Submit
memory/392-76-0x0000000000000000-mapping.dmp

Download
memory/540-83-0x00000000001A0000-0x00000000001AB000-memory.dmp

Filesize
44KB

Download
memory/540-79-0x00000000001A0000-0x00000000001AB000-memory.dmp

Filesize
44KB

Download
memory/608-80-0x0000000000000000-mapping.dmp

Download
memory/740-61-0x0000000000000000-mapping.dmp

Download
memory/824-90-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/824-86-0x0000000000000000-mapping.dmp

Download
memory/824-89-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/888-109-0x000000013F890000-0x0000000140B73000-memory.dmp

Filesize
18.9MB

Download
memory/888-74-0x000000013F890000-0x0000000140B73000-memory.dmp

Filesize
18.9MB

Download
memory/888-77-0x000000013F890000-0x0000000140B73000-memory.dmp

Filesize
18.9MB

Download
memory/888-78-0x000000013F890000-0x0000000140B73000-memory.dmp

Filesize
18.9MB

Download
memory/888-65-0x0000000000000000-mapping.dmp

Download
memory/888-82-0x00000000772E0000-0x0000000077489000-memory.dmp

Filesize
1.7MB

Download
memory/888-70-0x000000013F890000-0x0000000140B73000-memory.dmp

Filesize
18.9MB

Download
memory/1036-68-0x0000000003140000-0x0000000004423000-memory.dmp

Filesize
18.9MB

Download
memory/1036-56-0x0000000000000000-mapping.dmp

Download
memory/1372-105-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-98-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1372-106-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-94-0x000000007219D000-0x00000000721A8000-memory.dmp

Filesize
44KB

Download
memory/1372-99-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-104-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-102-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-84-0x000000002F0E1000-0x000000002F0E4000-memory.dmp

Filesize
12KB

Download
memory/1372-108-0x000000007219D000-0x00000000721A8000-memory.dmp

Filesize
44KB

Download
memory/1372-103-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-101-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-100-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-85-0x00000000711B1000-0x00000000711B3000-memory.dmp

Filesize
8KB

Download
memory/1372-97-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-96-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1372-95-0x0000000000733000-0x0000000000739000-memory.dmp

Filesize
24KB

Download
memory/1436-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1496-67-0x0000000000000000-mapping.dmp

Download
memory/1676-71-0x0000000000000000-mapping.dmp

Download