Analysis
-
max time kernel
73s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
28-11-2022 15:39
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/dremonq/VapeV4-Cracked/releases/download/Vape/Vapev4.zip
Resource
win7-20220901-en
General
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Vape_V4.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Vape_V4.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Vape_V4.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Vape_V4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Vape_V4.exe -
Processes:
resource yara_rule behavioral1/memory/1448-55-0x000000013FDB0000-0x0000000140A9A000-memory.dmp themida behavioral1/memory/1448-57-0x000000013FDB0000-0x0000000140A9A000-memory.dmp themida -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Vape_V4.exepid process 1448 Vape_V4.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 808 1448 WerFault.exe Vape_V4.exe -
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = f04a61a03f03d901 iexplore.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376414944" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D89C18F1-6F32-11ED-979A-4A7553B9BC92} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Vape_V4.exepid process 1448 Vape_V4.exe 1448 Vape_V4.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
AUDIODG.EXEVape_V4.exedescription pid process Token: 33 1540 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1540 AUDIODG.EXE Token: 33 1540 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1540 AUDIODG.EXE Token: SeDebugPrivilege 1448 Vape_V4.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
iexplore.exepid process 1712 iexplore.exe 1712 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1712 iexplore.exe 1712 iexplore.exe 1148 IEXPLORE.EXE 1148 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
iexplore.exeVape_V4.exedescription pid process target process PID 1712 wrote to memory of 1148 1712 iexplore.exe IEXPLORE.EXE PID 1712 wrote to memory of 1148 1712 iexplore.exe IEXPLORE.EXE PID 1712 wrote to memory of 1148 1712 iexplore.exe IEXPLORE.EXE PID 1712 wrote to memory of 1148 1712 iexplore.exe IEXPLORE.EXE PID 1448 wrote to memory of 808 1448 Vape_V4.exe WerFault.exe PID 1448 wrote to memory of 808 1448 Vape_V4.exe WerFault.exe PID 1448 wrote to memory of 808 1448 Vape_V4.exe WerFault.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/dremonq/VapeV4-Cracked/releases/download/Vape/Vapev4.zip1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x54c1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Vapev4.zip\v4\Vape_V4\Kangaroo Patcher.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Vapev4.zip\v4\Vape_V4\Kangaroo Patcher.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Vapev4.zip\v4\Vape_V4\Vape_V4.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Vapev4.zip\v4\Vape_V4\Vape_V4.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1448 -s 3482⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD502742e86381bf4ea5c4b6d74939bcfa5
SHA15d52ee6c42ab9ab9fbf3d5e87e80b06e69d3a4d6
SHA2566709bac47c8c71bbf5a4e241ad3f7f262604ff5b127c14b3bc2983e21077440c
SHA5126e5cf892d6bf0ff41e431cf85c5822e8fa627e2f52fabb434d7ceb49d96d8a27693c418e989cc7ab879fcb2381027295bc2e430b0f6b92d138406726b3a3409b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\Vapev4.zip.v4bezu9.partialFilesize
12.8MB
MD5d6a4cd3ad9621ba84697ee2b017170ee
SHA14e41c2170db82499df89fb5d7fd676707cbd7e09
SHA2560246049df401a38f1d65b7e893f7267a9e0202e5b99ef243a88cac69bce724f8
SHA5127bd0357f9f177e628b48fae1ab89704f056981bfe0e2fc7ba08bc5ac247338398d2bbca1fbd6b4914fe63e0619aa0635799a72f04e1ad8652a4159e464619e74
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YDS5I7QV.txtFilesize
608B
MD54a5de194220d475df4a219eba7b8ccfe
SHA197b376cd773be41be104853535de845a1d4f70c5
SHA256023b805b16bb60210e30b5b0b8015b25a710f8d44fd07c694aba64a8c29aa8f1
SHA5125b62f482a84d566c176cba7a9af3dfa74bccf7534e836b44c3f22963f286150cb6b45e1fe9e5a83ff98234b006338c00bf0a4420429398bcb3a51c40e98ec8b8
-
memory/808-56-0x0000000000000000-mapping.dmp
-
memory/1448-55-0x000000013FDB0000-0x0000000140A9A000-memory.dmpFilesize
12.9MB
-
memory/1448-57-0x000000013FDB0000-0x0000000140A9A000-memory.dmpFilesize
12.9MB
-
memory/1448-58-0x00000000775E0000-0x0000000077789000-memory.dmpFilesize
1.7MB