Analysis

  • max time kernel
    73s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-11-2022 15:39

General

  • Target

    https://github.com/dremonq/VapeV4-Cracked/releases/download/Vape/Vapev4.zip

Score
9/10

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/dremonq/VapeV4-Cracked/releases/download/Vape/Vapev4.zip
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1148
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x54c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1540
  • C:\Users\Admin\AppData\Local\Temp\Temp1_Vapev4.zip\v4\Vape_V4\Kangaroo Patcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_Vapev4.zip\v4\Vape_V4\Kangaroo Patcher.exe"
    1⤵
    PID:1692
    • C:\Users\Admin\AppData\Local\Temp\Temp1_Vapev4.zip\v4\Vape_V4\Vape_V4.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp1_Vapev4.zip\v4\Vape_V4\Vape_V4.exe"
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1448 -s 348
        2⤵
        • Program crash
        PID:808

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Defense Evasion
      • Virtualization/Sandbox Evasion (T1497): 1
      • Modify Registry (T1112): 2
    • Discovery
      • Query Registry (T1012): 2
      • Virtualization/Sandbox Evasion (T1497): 1
      • System Information Discovery (T1082): 1


    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize: 344B
      MD5: 02742e86381bf4ea5c4b6d74939bcfa5
      SHA1: 5d52ee6c42ab9ab9fbf3d5e87e80b06e69d3a4d6
      SHA256: 6709bac47c8c71bbf5a4e241ad3f7f262604ff5b127c14b3bc2983e21077440c
      SHA512: 6e5cf892d6bf0ff41e431cf85c5822e8fa627e2f52fabb434d7ceb49d96d8a27693c418e989cc7ab879fcb2381027295bc2e430b0f6b92d138406726b3a3409b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\Vapev4.zip.v4bezu9.partial
      Filesize: 12.8MB
      MD5: d6a4cd3ad9621ba84697ee2b017170ee
      SHA1: 4e41c2170db82499df89fb5d7fd676707cbd7e09
      SHA256: 0246049df401a38f1d65b7e893f7267a9e0202e5b99ef243a88cac69bce724f8
      SHA512: 7bd0357f9f177e628b48fae1ab89704f056981bfe0e2fc7ba08bc5ac247338398d2bbca1fbd6b4914fe63e0619aa0635799a72f04e1ad8652a4159e464619e74

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YDS5I7QV.txt
      Filesize: 608B
      MD5: 4a5de194220d475df4a219eba7b8ccfe
      SHA1: 97b376cd773be41be104853535de845a1d4f70c5
      SHA256: 023b805b16bb60210e30b5b0b8015b25a710f8d44fd07c694aba64a8c29aa8f1
      SHA512: 5b62f482a84d566c176cba7a9af3dfa74bccf7534e836b44c3f22963f286150cb6b45e1fe9e5a83ff98234b006338c00bf0a4420429398bcb3a51c40e98ec8b8

    • memory/808-56-0x0000000000000000-mapping.dmp
    • memory/1448-55-0x000000013FDB0000-0x0000000140A9A000-memory.dmp
      Filesize: 12.9MB
    • memory/1448-57-0x000000013FDB0000-0x0000000140A9A000-memory.dmp
      Filesize: 12.9MB
    • memory/1448-58-0x00000000775E0000-0x0000000077789000-memory.dmp
      Filesize: 1.7MB