baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6

Analysis

max time kernel
68s
max time network
84s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe
Size

4.1MB
MD5

55b72bf2640735c429fd48c5e5c76f68
SHA1

63b9047f61955b06e58c8e552f87348df619bcbc
SHA256

baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6
SHA512

8fe9cdbb89d7efe071e0d7f096c7ed4eab1258adad0de045c0b31f368d8d4c386583d31cb4e1bbe84e7da4c7e9c580f6102569ffd00ebd47e229450b71757374
SSDEEP

98304:gdqHbG+0DQaBQ4LQRj6Ep4vx+m1OEMNEC/YPv6qWmBdBHRgvs0:gdqqDQIRQQu4vxBI2C/DiBdPYT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

VaccineTools_ebiz4.exe

pid process

1188 VaccineTools_ebiz4.exe

pid	process
1188	VaccineTools_ebiz4.exe

Loads dropped DLL 11 IoCs

Processes:

baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exeVaccineTools_ebiz4.exe

pid	process
1772	baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe
1188	VaccineTools_ebiz4.exe
1188	VaccineTools_ebiz4.exe
1188	VaccineTools_ebiz4.exe
1188	VaccineTools_ebiz4.exe
1188	VaccineTools_ebiz4.exe
1188	VaccineTools_ebiz4.exe
1188	VaccineTools_ebiz4.exe
1188	VaccineTools_ebiz4.exe
1188	VaccineTools_ebiz4.exe
1188	VaccineTools_ebiz4.exe

Drops file in Program Files directory 1 IoCs

Processes:

baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe

description	ioc	process
File created	C:\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

Processes:

resource	yara_rule
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_1
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_2
C:\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_1
C:\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_2
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_1
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_2
C:\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_1
C:\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_2
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_1
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_2
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_1
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe

description	pid	process	target process
PID 1772 wrote to memory of 1188	1772	baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe	VaccineTools_ebiz4.exe
PID 1772 wrote to memory of 1188	1772	baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe	VaccineTools_ebiz4.exe
PID 1772 wrote to memory of 1188	1772	baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe	VaccineTools_ebiz4.exe
PID 1772 wrote to memory of 1188	1772	baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe	VaccineTools_ebiz4.exe
PID 1772 wrote to memory of 1188	1772	baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe	VaccineTools_ebiz4.exe
PID 1772 wrote to memory of 1188	1772	baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe	VaccineTools_ebiz4.exe
PID 1772 wrote to memory of 1188	1772	baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe	VaccineTools_ebiz4.exe

C:\Users\Admin\AppData\Local\Temp\baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe
"C:\Users\Admin\AppData\Local\Temp\baa71891b2a7e63e1219e38ca5e6ebcaed5bdfcb34e718cf751193ed301b8ae6.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe
"C:\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe

Filesize
4.0MB

MD5
e2f683c72bdeae5a1d4f4efbdb3275f3

SHA1
be39e991738a3d29b7574a266ef60d4a114a96d0

SHA256
c3229f907bc806ae4a3ffdd56721902db2345cf4bedd92f2079930646aff66cd

SHA512
abae599f2fba158d7296cd1f357a7d68879857a41ace64a5923c6071d21bafada5c519ef0a469381a60430a1fa501c97f88458feccfb52f1322b7e4e13d402e9

Download Submit
C:\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe

Filesize
4.0MB

MD5
e2f683c72bdeae5a1d4f4efbdb3275f3

SHA1
be39e991738a3d29b7574a266ef60d4a114a96d0

SHA256
c3229f907bc806ae4a3ffdd56721902db2345cf4bedd92f2079930646aff66cd

SHA512
abae599f2fba158d7296cd1f357a7d68879857a41ace64a5923c6071d21bafada5c519ef0a469381a60430a1fa501c97f88458feccfb52f1322b7e4e13d402e9

Download Submit
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe

Filesize
4.0MB

MD5
e2f683c72bdeae5a1d4f4efbdb3275f3

SHA1
be39e991738a3d29b7574a266ef60d4a114a96d0

SHA256
c3229f907bc806ae4a3ffdd56721902db2345cf4bedd92f2079930646aff66cd

SHA512
abae599f2fba158d7296cd1f357a7d68879857a41ace64a5923c6071d21bafada5c519ef0a469381a60430a1fa501c97f88458feccfb52f1322b7e4e13d402e9

Download Submit
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe

Filesize
4.0MB

MD5
e2f683c72bdeae5a1d4f4efbdb3275f3

SHA1
be39e991738a3d29b7574a266ef60d4a114a96d0

SHA256
c3229f907bc806ae4a3ffdd56721902db2345cf4bedd92f2079930646aff66cd

SHA512
abae599f2fba158d7296cd1f357a7d68879857a41ace64a5923c6071d21bafada5c519ef0a469381a60430a1fa501c97f88458feccfb52f1322b7e4e13d402e9

Download Submit
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe

Filesize
4.0MB

MD5
e2f683c72bdeae5a1d4f4efbdb3275f3

SHA1
be39e991738a3d29b7574a266ef60d4a114a96d0

SHA256
c3229f907bc806ae4a3ffdd56721902db2345cf4bedd92f2079930646aff66cd

SHA512
abae599f2fba158d7296cd1f357a7d68879857a41ace64a5923c6071d21bafada5c519ef0a469381a60430a1fa501c97f88458feccfb52f1322b7e4e13d402e9

Download Submit
\Program Files (x86)\vaccinetools\VaccineTools_ebiz4.exe

Filesize
4.0MB

MD5
e2f683c72bdeae5a1d4f4efbdb3275f3

SHA1
be39e991738a3d29b7574a266ef60d4a114a96d0

SHA256
c3229f907bc806ae4a3ffdd56721902db2345cf4bedd92f2079930646aff66cd

SHA512
abae599f2fba158d7296cd1f357a7d68879857a41ace64a5923c6071d21bafada5c519ef0a469381a60430a1fa501c97f88458feccfb52f1322b7e4e13d402e9

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF401.tmp\ChkClient120207.dll

Filesize
116KB

MD5
bc3f0f97b4c35b380d000ee3d06e7718

SHA1
da7cc213d6a2839c1facfe841971e591af1c8ae7

SHA256
3a783a07f4ab795e9cb5e61636a889882ae5a0908ad0724e67729c6bc115ce5a

SHA512
b3dd0c1bbd6a3912d6b3252f8139f12278f73310ea579639013326fc8145d7f0053c539fdbd22f807893c9e7fd4aab659096d5b9f367c1bfe7e03b6b303b0e76

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF401.tmp\FILEDownPlug120207.dll

Filesize
28KB

MD5
89c563060d908e5df6848ad15731e6d0

SHA1
404d8d41700ecc907e5b7c849a0dcde8edda1e72

SHA256
8bd1c61e9be2b8b07f6dac4782a96ee9e679c5f163133a51b57e1ecd72f3eff9

SHA512
8eb86ed92ba4d3305a954d824a1ffc23d9aef02559c794c085f67583f32d8228834b09ad45edfd8a78b4634e62344f53e1106db64134b8dd2c5e0fae391da763

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF401.tmp\FILEDownPlug120207.dll

Filesize
28KB

MD5
89c563060d908e5df6848ad15731e6d0

SHA1
404d8d41700ecc907e5b7c849a0dcde8edda1e72

SHA256
8bd1c61e9be2b8b07f6dac4782a96ee9e679c5f163133a51b57e1ecd72f3eff9

SHA512
8eb86ed92ba4d3305a954d824a1ffc23d9aef02559c794c085f67583f32d8228834b09ad45edfd8a78b4634e62344f53e1106db64134b8dd2c5e0fae391da763

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF401.tmp\FILEDownPlug120207.dll

Filesize
28KB

MD5
89c563060d908e5df6848ad15731e6d0

SHA1
404d8d41700ecc907e5b7c849a0dcde8edda1e72

SHA256
8bd1c61e9be2b8b07f6dac4782a96ee9e679c5f163133a51b57e1ecd72f3eff9

SHA512
8eb86ed92ba4d3305a954d824a1ffc23d9aef02559c794c085f67583f32d8228834b09ad45edfd8a78b4634e62344f53e1106db64134b8dd2c5e0fae391da763

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF401.tmp\InstallOptions.dll

Filesize
14KB

MD5
eef9e469e8a30717974499f277d97e2a

SHA1
2d33c25984ebd9116beeb55cdde4c5c86c023e5d

SHA256
1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078

SHA512
d860132106a1c03dfa23f983b3c503f1216ac02f3d47833b96dfb333fb30bc8ab4d4fecd1f1f0a89f0c7f3586405461e2d53c26f282bb48970e549659b364b48

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF401.tmp\IsVista120207.dll

Filesize
28KB

MD5
df26cb5648875a0e72947d411fe6ccf0

SHA1
f550f76a764916d32f4652db9ff140d39221a87b

SHA256
b9f88ab5181d008063306c0020cde819cd4e30e325df0aac1fd5c70a881da69c

SHA512
7c6658258698a2028a4c3e96ddb06c740a3edf0c01e8a93592f3ed9f537ead6a11492d1bd92053a5699eade714f312fdfac9e291fb0d042941bb39d855764d67

Download Submit
\Users\Admin\AppData\Local\Temp\nsyF401.tmp\stack.dll

Filesize
10KB

MD5
0f61a81a543822de5fcb9a8a43f230dd

SHA1
d01d4a0f542f3c654637fdfe5a574fe1f150ece1

SHA256
46b4a72ae8590b0afb3304cc5c13db0502bc4c4cb02f64f37c79008c17db814f

SHA512
596b7a897ba64c32e26ba6168aa3628aad37b187a9814a286298307d8c42eabf8e8a679dbda558f8b2cdc8676c94ec819256432aa5ad7c05a5387759262a4402

Download Submit
memory/1188-65-0x0000000002490000-0x00000000024B1000-memory.dmp

Filesize
132KB

Download
memory/1188-56-0x0000000000000000-mapping.dmp

Download
memory/1772-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download