7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e

General

Target

7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe
Size

263KB
MD5

9df31e17af46a4c7d2965f3f933776de
SHA1

6cc651676e746a405f149601bee7026fb0cef38b
SHA256

7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e
SHA512

1c1bdbc76a4c40e7a9da41852f37f66151d0c3bb59fcf5cdbad3686446a640df07d2997fccae1174ae3cdcd38e4f889260314fdced10be171c834a52a633677d
SSDEEP

3072:XauaSO3kjPlvmwCU7yMhb2HfY7EUDJJG6MQTsYxdbJYwurSquWSWAS9x00Ee3PtE:KCckjFJCUJbFdDJg6M2OluW19tPtIP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4432	Vkmusicdownloader.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Vkmusicdownloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vkmusicdownloader = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Vkmusicdownloader.exe\""	Vkmusicdownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vkmusicdownloader = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Vkmusicdownloader.exe\""	Vkmusicdownloader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vkmusicdownloader = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Vkmusicdownloader.exe\""	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Vkmusicdownloader = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Vkmusicdownloader.exe\""	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlgdemkdapolikbjimjajpmonpbpmipk\1.0_0\manifest.json	Vkmusicdownloader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3196	schtasks.exe
912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe
1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe
4432	Vkmusicdownloader.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2780	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	82
PID 1904 wrote to memory of 2780	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	82
PID 1904 wrote to memory of 2780	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	82
PID 1904 wrote to memory of 3196	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	84
PID 1904 wrote to memory of 3196	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	84
PID 1904 wrote to memory of 3196	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	84
PID 1904 wrote to memory of 3068	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	86
PID 1904 wrote to memory of 3068	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	86
PID 1904 wrote to memory of 3068	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	86
PID 1904 wrote to memory of 4432	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	88
PID 1904 wrote to memory of 4432	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	88
PID 1904 wrote to memory of 4432	1904	7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe	88
PID 4432 wrote to memory of 1280	4432	Vkmusicdownloader.exe	89
PID 4432 wrote to memory of 1280	4432	Vkmusicdownloader.exe	89
PID 4432 wrote to memory of 1280	4432	Vkmusicdownloader.exe	89
PID 4432 wrote to memory of 912	4432	Vkmusicdownloader.exe	91
PID 4432 wrote to memory of 912	4432	Vkmusicdownloader.exe	91
PID 4432 wrote to memory of 912	4432	Vkmusicdownloader.exe	91

C:\Users\Admin\AppData\Local\Temp\7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe
"C:\Users\Admin\AppData\Local\Temp\7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /delete /tn Vkmusicdownloader /f
  2⤵
  PID:2780
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn Vkmusicdownloader /tr ""C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe"" /sc ONLOGON /f
  2⤵
  - Creates scheduled task(s)
  PID:3196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe.cmd" "
  2⤵
  PID:3068
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops Chrome extension
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn Vkmusicdownloader /f
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /tn Vkmusicdownloader /tr ""C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe"" /sc ONLOGON /f
    3⤵
    - Creates scheduled task(s)
    PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe

Filesize
263KB

MD5
9df31e17af46a4c7d2965f3f933776de

SHA1
6cc651676e746a405f149601bee7026fb0cef38b

SHA256
7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e

SHA512
1c1bdbc76a4c40e7a9da41852f37f66151d0c3bb59fcf5cdbad3686446a640df07d2997fccae1174ae3cdcd38e4f889260314fdced10be171c834a52a633677d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Vkmusicdownloader.exe

Filesize
263KB

MD5
9df31e17af46a4c7d2965f3f933776de

SHA1
6cc651676e746a405f149601bee7026fb0cef38b

SHA256
7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e

SHA512
1c1bdbc76a4c40e7a9da41852f37f66151d0c3bb59fcf5cdbad3686446a640df07d2997fccae1174ae3cdcd38e4f889260314fdced10be171c834a52a633677d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f78231c86222a0279f91873776349555087fc51845fb668c885ce21899ba79e.exe.cmd

Filesize
365B

MD5
5d17045ca0005d7f123f49b9c3555939

SHA1
995501a8528654abb4a359d8018ec1e2820a6b76

SHA256
eb8059c7567a02097432429979fd09e9c8df2296b084f7e5d5b0b51d4b9fd968

SHA512
b0940f57defb3fc2d5052c7c2099b0b6a27fde6a30df7bc2e5c02277f52af3ad85bd89778970265bd17a699031aa2c01587a24d14e4ada3c0367b643dea1ac0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads