6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f

General

Target

6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe
Size

307KB
MD5

23d23e7f1a274b773003eee67dc596be
SHA1

be22e91f666b0906ec2b6ec1226ad9857d465057
SHA256

6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f
SHA512

69d20ca99f781c0a3b75e3a800586c5dc1bbde00a61f2826ef9eaeab1619a019126fcfaf929306e3562685990f5bba4447695f3fbb01d17c391a806fc67deb34
SSDEEP

6144:c2zydZlCjJW1RUpzYMDr+izzJwr1KHrECeykKTeEpSYRrc07qi7+M1GyRz:c2ydZlCjJWkFDDx15kKThPgk7+0X

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

vata.exe

pid process

1128 vata.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2044 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe

pid process

1448 6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe

pid	process
2044	cmd.exe

pid	process
1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vata.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	vata.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Tavufu\\vata.exe"	vata.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe

description	pid	process	target process
PID 1448 set thread context of 2044	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

vata.exe

pid	process
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe
1128	vata.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exevata.exe

description	pid	process	target process
PID 1448 wrote to memory of 1128	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	vata.exe
PID 1448 wrote to memory of 1128	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	vata.exe
PID 1448 wrote to memory of 1128	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	vata.exe
PID 1448 wrote to memory of 1128	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	vata.exe
PID 1128 wrote to memory of 1248	1128	vata.exe	taskhost.exe
PID 1128 wrote to memory of 1248	1128	vata.exe	taskhost.exe
PID 1128 wrote to memory of 1248	1128	vata.exe	taskhost.exe
PID 1128 wrote to memory of 1248	1128	vata.exe	taskhost.exe
PID 1128 wrote to memory of 1248	1128	vata.exe	taskhost.exe
PID 1128 wrote to memory of 1360	1128	vata.exe	Dwm.exe
PID 1128 wrote to memory of 1360	1128	vata.exe	Dwm.exe
PID 1128 wrote to memory of 1360	1128	vata.exe	Dwm.exe
PID 1128 wrote to memory of 1360	1128	vata.exe	Dwm.exe
PID 1128 wrote to memory of 1360	1128	vata.exe	Dwm.exe
PID 1128 wrote to memory of 1392	1128	vata.exe	Explorer.EXE
PID 1128 wrote to memory of 1392	1128	vata.exe	Explorer.EXE
PID 1128 wrote to memory of 1392	1128	vata.exe	Explorer.EXE
PID 1128 wrote to memory of 1392	1128	vata.exe	Explorer.EXE
PID 1128 wrote to memory of 1392	1128	vata.exe	Explorer.EXE
PID 1128 wrote to memory of 1448	1128	vata.exe	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe
PID 1128 wrote to memory of 1448	1128	vata.exe	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe
PID 1128 wrote to memory of 1448	1128	vata.exe	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe
PID 1128 wrote to memory of 1448	1128	vata.exe	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe
PID 1128 wrote to memory of 1448	1128	vata.exe	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe
PID 1448 wrote to memory of 2044	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	cmd.exe
PID 1448 wrote to memory of 2044	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	cmd.exe
PID 1448 wrote to memory of 2044	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	cmd.exe
PID 1448 wrote to memory of 2044	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	cmd.exe
PID 1448 wrote to memory of 2044	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	cmd.exe
PID 1448 wrote to memory of 2044	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	cmd.exe
PID 1448 wrote to memory of 2044	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	cmd.exe
PID 1448 wrote to memory of 2044	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	cmd.exe
PID 1448 wrote to memory of 2044	1448	6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe
"C:\Users\Admin\AppData\Local\Temp\6371b1fa50cc53e19eb562ad40b96a06625816ca78dcc12c479fcad83cdecf8f.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Roaming\Tavufu\vata.exe
"C:\Users\Admin\AppData\Roaming\Tavufu\vata.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7f1abfa4.bat"
3⤵
- Deletes itself
PID:2044

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1360

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7f1abfa4.bat

Filesize
307B

MD5
737a158236ae10c69cfb6672602d2fba

SHA1
700c8e88af3aebf27e472f632dc3730ca112d3cd

SHA256
b8a0a7aad881b0c644aac0423222426db959f66c1dfe2ef3fbd6b877aea38129

SHA512
d877d1e173160ab241211d0121eafc3cf1a2f7350cddae6b469fa21a232d32c8062722477f8b47b8cc215282a03d7d2be494fd9468a2ce2e0673a26a9b19b5da

Download Submit
C:\Users\Admin\AppData\Roaming\Tavufu\vata.exe

Filesize
307KB

MD5
48bb48d7247742d79aa72e67ba5c6131

SHA1
2d262b15974dd1b9dd46cb159b7da56f5cc86e07

SHA256
b53f0069dfc3ba2cc47be7b55275a76245586c1ada6d5c5d678c494b01208154

SHA512
ec9ae6b5c876d944f4ce076131e7041e69ea1c8dcc2d1fa5047cb052e27366d461f3613eb5461ffbb951d48bfe1c16d3fbae7392a0c9cd8015a2bcab217d3dba

Download Submit
C:\Users\Admin\AppData\Roaming\Tavufu\vata.exe

Filesize
307KB

MD5
48bb48d7247742d79aa72e67ba5c6131

SHA1
2d262b15974dd1b9dd46cb159b7da56f5cc86e07

SHA256
b53f0069dfc3ba2cc47be7b55275a76245586c1ada6d5c5d678c494b01208154

SHA512
ec9ae6b5c876d944f4ce076131e7041e69ea1c8dcc2d1fa5047cb052e27366d461f3613eb5461ffbb951d48bfe1c16d3fbae7392a0c9cd8015a2bcab217d3dba

Download Submit
\Users\Admin\AppData\Roaming\Tavufu\vata.exe

Filesize
307KB

MD5
48bb48d7247742d79aa72e67ba5c6131

SHA1
2d262b15974dd1b9dd46cb159b7da56f5cc86e07

SHA256
b53f0069dfc3ba2cc47be7b55275a76245586c1ada6d5c5d678c494b01208154

SHA512
ec9ae6b5c876d944f4ce076131e7041e69ea1c8dcc2d1fa5047cb052e27366d461f3613eb5461ffbb951d48bfe1c16d3fbae7392a0c9cd8015a2bcab217d3dba

Download Submit
memory/1128-104-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1128-59-0x0000000000000000-mapping.dmp

Download
memory/1128-105-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1128-64-0x00000000010D0000-0x0000000001120000-memory.dmp

Filesize
320KB

Download
memory/1128-106-0x00000000010D0000-0x0000000001120000-memory.dmp

Filesize
320KB

Download
memory/1248-71-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1248-66-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1248-68-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1248-70-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1248-69-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1360-77-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1392-80-0x0000000002670000-0x00000000026B4000-memory.dmp

Filesize
272KB

Download
memory/1392-83-0x0000000002670000-0x00000000026B4000-memory.dmp

Filesize
272KB

Download
memory/1392-81-0x0000000002670000-0x00000000026B4000-memory.dmp

Filesize
272KB

Download
memory/1392-82-0x0000000002670000-0x00000000026B4000-memory.dmp

Filesize
272KB

Download
memory/1448-99-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1448-100-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1448-87-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1448-86-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1448-89-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1448-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1448-55-0x0000000000F80000-0x0000000000FD0000-memory.dmp

Filesize
320KB

Download
memory/1448-57-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1448-56-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1448-62-0x000000007EF60000-0x000000007EFA4000-memory.dmp

Filesize
272KB

Download
memory/1448-88-0x00000000001A0000-0x00000000001E4000-memory.dmp

Filesize
272KB

Download
memory/1448-98-0x0000000000F80000-0x0000000000FD0000-memory.dmp

Filesize
320KB

Download
memory/1448-63-0x00000000001A0000-0x00000000001F0000-memory.dmp

Filesize
320KB

Download
memory/2044-97-0x00000000000671E6-mapping.dmp

Download
memory/2044-95-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/2044-103-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/2044-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/2044-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/2044-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads