533c733435878a2ecb1bf9718c163935470564678904d7dcdb2fe71b5db0b432

Analysis

max time kernel
148s
max time network
51s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

533c733435878a2ecb1bf9718c163935470564678904d7dcdb2fe71b5db0b432.exe
Size

67KB
MD5

66f05a7f09c0596cd5d7385614ddff41
SHA1

3620f342d546c2708bcbb8f886d6981494811bc9
SHA256

533c733435878a2ecb1bf9718c163935470564678904d7dcdb2fe71b5db0b432
SHA512

c7322d2cc63060e8b3e76ce173a70914db2d89d6a23e6835232c3ce6a8a4f2966b736e226572be57f39722db430ca29edd6e516c092c1a20f787f42723847642
SSDEEP

1536:CA90d89X55W22vZ9/IezAqtPeMfzpw50qfWT5MVkOZE:CdyNV2vLjs6PecpwGwWT5dn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1344	vgtdcg.exe

Loads dropped DLL 1 IoCs

pid	Process
1344	vgtdcg.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	vgtdcg.exe
File opened (read-only)	\??\S:	vgtdcg.exe
File opened (read-only)	\??\V:	vgtdcg.exe
File opened (read-only)	\??\P:	vgtdcg.exe
File opened (read-only)	\??\R:	vgtdcg.exe
File opened (read-only)	\??\W:	vgtdcg.exe
File opened (read-only)	\??\H:	vgtdcg.exe
File opened (read-only)	\??\I:	vgtdcg.exe
File opened (read-only)	\??\L:	vgtdcg.exe
File opened (read-only)	\??\M:	vgtdcg.exe
File opened (read-only)	\??\N:	vgtdcg.exe
File opened (read-only)	\??\X:	vgtdcg.exe
File opened (read-only)	\??\Z:	vgtdcg.exe
File opened (read-only)	\??\E:	vgtdcg.exe
File opened (read-only)	\??\G:	vgtdcg.exe
File opened (read-only)	\??\K:	vgtdcg.exe
File opened (read-only)	\??\O:	vgtdcg.exe
File opened (read-only)	\??\T:	vgtdcg.exe
File opened (read-only)	\??\F:	vgtdcg.exe
File opened (read-only)	\??\Q:	vgtdcg.exe
File opened (read-only)	\??\U:	vgtdcg.exe
File opened (read-only)	\??\Y:	vgtdcg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vgtdcg.exe	533c733435878a2ecb1bf9718c163935470564678904d7dcdb2fe71b5db0b432.exe
File opened for modification	C:\Windows\SysWOW64\vgtdcg.exe	533c733435878a2ecb1bf9718c163935470564678904d7dcdb2fe71b5db0b432.exe
File created	C:\Windows\SysWOW64\gei33.dll	vgtdcg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\lpk.dll	vgtdcg.exe
File opened for modification	C:\Program Files\7-Zip\lpk.dll	vgtdcg.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1204	533c733435878a2ecb1bf9718c163935470564678904d7dcdb2fe71b5db0b432.exe

C:\Users\Admin\AppData\Local\Temp\533c733435878a2ecb1bf9718c163935470564678904d7dcdb2fe71b5db0b432.exe
"C:\Users\Admin\AppData\Local\Temp\533c733435878a2ecb1bf9718c163935470564678904d7dcdb2fe71b5db0b432.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
PID:1204

C:\Windows\SysWOW64\vgtdcg.exe
C:\Windows\SysWOW64\vgtdcg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vgtdcg.exe

Filesize
67KB

MD5
66f05a7f09c0596cd5d7385614ddff41

SHA1
3620f342d546c2708bcbb8f886d6981494811bc9

SHA256
533c733435878a2ecb1bf9718c163935470564678904d7dcdb2fe71b5db0b432

SHA512
c7322d2cc63060e8b3e76ce173a70914db2d89d6a23e6835232c3ce6a8a4f2966b736e226572be57f39722db430ca29edd6e516c092c1a20f787f42723847642

Download Submit
C:\Windows\SysWOW64\vgtdcg.exe

Filesize
67KB

MD5
66f05a7f09c0596cd5d7385614ddff41

SHA1
3620f342d546c2708bcbb8f886d6981494811bc9

SHA256
533c733435878a2ecb1bf9718c163935470564678904d7dcdb2fe71b5db0b432

SHA512
c7322d2cc63060e8b3e76ce173a70914db2d89d6a23e6835232c3ce6a8a4f2966b736e226572be57f39722db430ca29edd6e516c092c1a20f787f42723847642

Download Submit
\Windows\SysWOW64\gei33.dll

Filesize
79KB

MD5
35bc41e10c8551464e25362a7e2f0e30

SHA1
47e52c16d84cb3f3d5531a3f0afddf98ab44fdff

SHA256
8db3a82ada72a8839c392c271d62e7e6f38e9fa155dba4a5fd190321f6e6a358

SHA512
bf8fed1a274ddf2632d20b24ed5454200281de4945222044b92e8f2399d3a22f8732d8e0094af1bbaaaf796774cd15866a6a366db3f2a34dbb4252bdcd991468

Download Submit
memory/1344-57-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download