db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1

General

Target

db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe
Size

156KB
MD5

577ad57f6b38672e14dd70236b6241e5
SHA1

97643ba574dd7de03b270a52b76cbfd4f6414d8e
SHA256

db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1
SHA512

34cf0dc109692c531fb9e9a1a844ca1dda96caee38f83c938e50202c37253647e0021f90bc8c1b72c765d454a9d278c18839f665b427fd7b9aae2e4d37979104
SSDEEP

3072:ECbO/tonrGwkAjpWn1KG912QXXU+EnHsRPaVW+E5j4oQAO+:E3GiwkGG9ggkMRPacdpO+

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exevapon.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vapon.exe

Executes dropped EXE 1 IoCs

Processes:

vapon.exe

pid process

988 vapon.exe

pid	process
988	vapon.exe

Loads dropped DLL 2 IoCs

Processes:

db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe

pid	process
112	db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe
112	db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vapon.exedb61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /f"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /L"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /O"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /P"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /a"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /S"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /D"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /u"	vapon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /w"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /b"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /s"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /l"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /M"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /C"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /I"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /z"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /r"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /D"	db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /U"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /y"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /H"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /J"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /p"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /g"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /F"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /v"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /W"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /Z"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /m"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /k"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /V"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /x"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /j"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /A"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /c"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /K"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /N"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /X"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /e"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /E"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /n"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /Y"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /i"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /h"	vapon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /T"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /R"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /t"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /d"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /G"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /q"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /Q"	vapon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vapon = "C:\\Users\\Admin\\vapon.exe /B"	vapon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exevapon.exe

pid	process
112	db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe
988	vapon.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exevapon.exe

pid process

112 db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe
988 vapon.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe

description	pid	process	target process
PID 112 wrote to memory of 988	112	db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe	vapon.exe
PID 112 wrote to memory of 988	112	db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe	vapon.exe
PID 112 wrote to memory of 988	112	db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe	vapon.exe
PID 112 wrote to memory of 988	112	db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe	vapon.exe

C:\Users\Admin\AppData\Local\Temp\db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe
"C:\Users\Admin\AppData\Local\Temp\db61ba473d850fe2040f53b2fd53ffe224c5e9e7148ec53b8d2c642315d3ccc1.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:112
- C:\Users\Admin\vapon.exe
  "C:\Users\Admin\vapon.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vapon.exe

Filesize
156KB

MD5
bc763dfbaae43f3dbe7c83faeaadca5d

SHA1
1a5940aea70bb4a0a13096429d9c9b69d17902c3

SHA256
4ccf09d0e7a291ae87671073f53451e63db09d806d4be8dba20f1495e5674a72

SHA512
670936cf2d93bd3caa25b6afa2a99459f56ee1ba118a7cc15613a12ec55a6ea720139374345b1ff8b976631fc9475756329f18c70b595cf231671f8ca549c94f

Download Submit
C:\Users\Admin\vapon.exe

Filesize
156KB

MD5
bc763dfbaae43f3dbe7c83faeaadca5d

SHA1
1a5940aea70bb4a0a13096429d9c9b69d17902c3

SHA256
4ccf09d0e7a291ae87671073f53451e63db09d806d4be8dba20f1495e5674a72

SHA512
670936cf2d93bd3caa25b6afa2a99459f56ee1ba118a7cc15613a12ec55a6ea720139374345b1ff8b976631fc9475756329f18c70b595cf231671f8ca549c94f

Download Submit
\Users\Admin\vapon.exe

Filesize
156KB

MD5
bc763dfbaae43f3dbe7c83faeaadca5d

SHA1
1a5940aea70bb4a0a13096429d9c9b69d17902c3

SHA256
4ccf09d0e7a291ae87671073f53451e63db09d806d4be8dba20f1495e5674a72

SHA512
670936cf2d93bd3caa25b6afa2a99459f56ee1ba118a7cc15613a12ec55a6ea720139374345b1ff8b976631fc9475756329f18c70b595cf231671f8ca549c94f

Download Submit
\Users\Admin\vapon.exe

Filesize
156KB

MD5
bc763dfbaae43f3dbe7c83faeaadca5d

SHA1
1a5940aea70bb4a0a13096429d9c9b69d17902c3

SHA256
4ccf09d0e7a291ae87671073f53451e63db09d806d4be8dba20f1495e5674a72

SHA512
670936cf2d93bd3caa25b6afa2a99459f56ee1ba118a7cc15613a12ec55a6ea720139374345b1ff8b976631fc9475756329f18c70b595cf231671f8ca549c94f

Download Submit
memory/112-56-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/988-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads