Analysis
- max time kernel: 148s
- max time network: 166s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 18:53
Behavioral task: behavioral1
- Sample: 99eb5ec80810d9e5d49fe6b70379bddc79879d6416bc1390b2cee6a0349f7312.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 99eb5ec80810d9e5d49fe6b70379bddc79879d6416bc1390b2cee6a0349f7312.exe
- Resource: win10v2004-20220901-en
General
- Target: 99eb5ec80810d9e5d49fe6b70379bddc79879d6416bc1390b2cee6a0349f7312.exe
- Size: 18KB
- MD5: 46c59f32897238bbfc34e14a1f5eb0e9
- SHA1: de602b833a4a605833aef6776f1f76cf20a10572
- SHA256: 99eb5ec80810d9e5d49fe6b70379bddc79879d6416bc1390b2cee6a0349f7312
- SHA512: bc064dd5039b6964ae380b0448ad13c1463e032712acbd12d690448f23348200f93f8090fd91d1ddb48688c486724ed78f63a86641d3ee9733d39d9aaa6aa743
- SSDEEP: 384:8DFMvS0BaZ8BxuRmaQC82YOvV9SNOxrRB:8DkSEc8BgRmTcH
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - vgtdcg.exe (pid 1324)
- Resources matching yara_rule upx:
  - C:\Windows\SysWOW64\vgtdcg.exe
  - behavioral1/memory/872-55-0x0000000000400000-0x0000000000417000-memory.dmp
  - behavioral1/memory/1324-56-0x0000000000400000-0x0000000000417000-memory.dmp
  - C:\Windows\SysWOW64\vgtdcg.exe
  - behavioral1/memory/1324-60-0x0000000000400000-0x0000000000417000-memory.dmp
- Loads dropped DLL (1 IoC)
  Processes:
  - vgtdcg.exe (pid 1324)
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  - vgtdcg.exe: File opened (read-only) on drive roots \??\F:, \??\G:, \??\M:, \??\E:, \??\I:, \??\N:, \??\R:, \??\S:, \??\V:, \??\W:, \??\J:, \??\K:, \??\U:, \??\Z:, \??\H:, \??\L:, \??\O:, \??\P:, \??\Q:, \??\T:, \??\X:, \??\Y:
- Drops file in System32 directory (3 IoCs)
  Processes:
  - 99eb5ec80810d9e5d49fe6b70379bddc79879d6416bc1390b2cee6a0349f7312.exe: File created C:\Windows\SysWOW64\vgtdcg.exe
  - 99eb5ec80810d9e5d49fe6b70379bddc79879d6416bc1390b2cee6a0349f7312.exe: File opened for modification C:\Windows\SysWOW64\vgtdcg.exe
  - vgtdcg.exe: File created C:\Windows\SysWOW64\gei33.dll
- Drops file in Program Files directory (2 IoCs)
  Processes:
  - vgtdcg.exe: File created C:\Program Files\7-Zip\lpk.dll
  - vgtdcg.exe: File opened for modification C:\Program Files\7-Zip\lpk.dll
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  - 99eb5ec80810d9e5d49fe6b70379bddc79879d6416bc1390b2cee6a0349f7312.exe (pid 872)
Processes
- C:\Users\Admin\AppData\Local\Temp\99eb5ec80810d9e5d49fe6b70379bddc79879d6416bc1390b2cee6a0349f7312.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\99eb5ec80810d9e5d49fe6b70379bddc79879d6416bc1390b2cee6a0349f7312.exe"
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
- C:\Windows\SysWOW64\vgtdcg.exe
  Command line: C:\Windows\SysWOW64\vgtdcg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\vgtdcg.exe
  Filesize: 18KB
  MD5: 46c59f32897238bbfc34e14a1f5eb0e9
  SHA1: de602b833a4a605833aef6776f1f76cf20a10572
  SHA256: 99eb5ec80810d9e5d49fe6b70379bddc79879d6416bc1390b2cee6a0349f7312
  SHA512: bc064dd5039b6964ae380b0448ad13c1463e032712acbd12d690448f23348200f93f8090fd91d1ddb48688c486724ed78f63a86641d3ee9733d39d9aaa6aa743
- \Windows\SysWOW64\gei33.dll
  Filesize: 28KB
  MD5: 5e2304f296aebf689a579c15984a789a
  SHA1: 0151a407d1efb45666d5ddba4f2121757c4df3dc
  SHA256: cea63aab8d471579c7e9ff1b9efe67bcabcb0020947105fb15374e69da46e126
  SHA512: 4470cafdbc72e88561984819e50ccb4fa68fdd1d35d7c76d6a34ccb3e47099d21a42888674a36185af2825aedd904d381870f4ce78c9b1e3a45d223fb4470404
- memory/872-55-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB
- memory/1324-56-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB
- memory/1324-59-0x0000000076191000-0x0000000076193000-memory.dmp
  Filesize: 8KB
- memory/1324-60-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB