7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e

General

Target

7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe
Size

263KB
MD5

9df31e17af46a4c7d2965f3f933776de
SHA1

6cc651676e746a405f149601bee7026fb0cef38b
SHA256

7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e
SHA512

1c1bdbc76a4c40e7a9da41852f37f66151d0c3bb59fcf5cdbad3686446a640df07d2997fccae1174ae3cdcd38e4f889260314fdced10be171c834a52a633677d
SSDEEP

3072:XauaSO3kjPlvmwCU7yMhb2HfY7EUDJJG6MQTsYxdbJYwurSquWSWAS9x00Ee3PtE:KCckjFJCUJbFdDJg6M2OluW19tPtIP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
520	Vkmusicdownloader.exe

Deletes itself 1 IoCs

pid	Process
112	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vkmusicdownloader = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Vkmusicdownloader.exe\""	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Vkmusicdownloader = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Vkmusicdownloader.exe\""	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vkmusicdownloader = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Vkmusicdownloader.exe\""	Vkmusicdownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Vkmusicdownloader = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Vkmusicdownloader.exe\""	Vkmusicdownloader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\manifest.json	Vkmusicdownloader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2004	schtasks.exe
1144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe
520	Vkmusicdownloader.exe
520	Vkmusicdownloader.exe
520	Vkmusicdownloader.exe
520	Vkmusicdownloader.exe
520	Vkmusicdownloader.exe
520	Vkmusicdownloader.exe
520	Vkmusicdownloader.exe
520	Vkmusicdownloader.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1648	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	27
PID 900 wrote to memory of 1648	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	27
PID 900 wrote to memory of 1648	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	27
PID 900 wrote to memory of 1648	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	27
PID 900 wrote to memory of 2004	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	28
PID 900 wrote to memory of 2004	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	28
PID 900 wrote to memory of 2004	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	28
PID 900 wrote to memory of 2004	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	28
PID 900 wrote to memory of 112	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	32
PID 900 wrote to memory of 112	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	32
PID 900 wrote to memory of 112	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	32
PID 900 wrote to memory of 112	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	32
PID 900 wrote to memory of 520	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	34
PID 900 wrote to memory of 520	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	34
PID 900 wrote to memory of 520	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	34
PID 900 wrote to memory of 520	900	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	34
PID 520 wrote to memory of 1164	520	Vkmusicdownloader.exe	35
PID 520 wrote to memory of 1164	520	Vkmusicdownloader.exe	35
PID 520 wrote to memory of 1164	520	Vkmusicdownloader.exe	35
PID 520 wrote to memory of 1164	520	Vkmusicdownloader.exe	35
PID 520 wrote to memory of 1144	520	Vkmusicdownloader.exe	37
PID 520 wrote to memory of 1144	520	Vkmusicdownloader.exe	37
PID 520 wrote to memory of 1144	520	Vkmusicdownloader.exe	37
PID 520 wrote to memory of 1144	520	Vkmusicdownloader.exe	37

C:\Users\Admin\AppData\Local\Temp\7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe
"C:\Users\Admin\AppData\Local\Temp\7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /delete /tn Vkmusicdownloader /f
  2⤵
  PID:1648
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn Vkmusicdownloader /tr ""C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe"" /sc ONLOGON /f
  2⤵
  - Creates scheduled task(s)
  PID:2004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe.cmd" "
  2⤵
  - Deletes itself
  PID:112
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops Chrome extension
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn Vkmusicdownloader /f
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /tn Vkmusicdownloader /tr ""C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe"" /sc ONLOGON /f
    3⤵
    - Creates scheduled task(s)
    PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe

Filesize
263KB

MD5
9df31e17af46a4c7d2965f3f933776de

SHA1
6cc651676e746a405f149601bee7026fb0cef38b

SHA256
7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e

SHA512
1c1bdbc76a4c40e7a9da41852f37f66151d0c3bb59fcf5cdbad3686446a640df07d2997fccae1174ae3cdcd38e4f889260314fdced10be171c834a52a633677d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe.cmd

Filesize
365B

MD5
5d17045ca0005d7f123f49b9c3555939

SHA1
995501a8528654abb4a359d8018ec1e2820a6b76

SHA256
eb8059c7567a02097432429979fd09e9c8df2296b084f7e5d5b0b51d4b9fd968

SHA512
b0940f57defb3fc2d5052c7c2099b0b6a27fde6a30df7bc2e5c02277f52af3ad85bd89778970265bd17a699031aa2c01587a24d14e4ada3c0367b643dea1ac0b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe

Filesize
263KB

MD5
9df31e17af46a4c7d2965f3f933776de

SHA1
6cc651676e746a405f149601bee7026fb0cef38b

SHA256
7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e

SHA512
1c1bdbc76a4c40e7a9da41852f37f66151d0c3bb59fcf5cdbad3686446a640df07d2997fccae1174ae3cdcd38e4f889260314fdced10be171c834a52a633677d

Download Submit
memory/900-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads