989a0d6488c53005814f0ce89e01814ef67df76de32c6ca7e26de27a38eca0b6

Analysis

max time kernel
5s
max time network
7s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2023, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LoaderVIP.exe
Size

16KB
MD5

497466ba1ebbb8fa534926f620d05825
SHA1

a6a3ed16390df2848ae3467d4309483c309c1886
SHA256

989a0d6488c53005814f0ce89e01814ef67df76de32c6ca7e26de27a38eca0b6
SHA512

f2bb8a7b18e31266622bd2639a5713743b7b2d21bcb7d9e331964d1a3d892ba3f69747f889e6736d25b18ca4b4eab4651975571b450e810871b0c84ee7a06248
SSDEEP

384:VL9SDQZxLTehau23G6c1YwfN09t6cDE33DhSHkON/GlfgOb5:pghaN39NwFJiE33VSEONulfgO

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3200	Token.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	LoaderVIP.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AF\Token.exe	LoaderVIP.exe
File opened for modification	C:\Windows\AF\Token.mentah	LoaderVIP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3200	Token.exe
3200	Token.exe
3200	Token.exe
3200	Token.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 3200	792	LoaderVIP.exe	85
PID 792 wrote to memory of 3200	792	LoaderVIP.exe	85
PID 792 wrote to memory of 3200	792	LoaderVIP.exe	85

C:\Users\Admin\AppData\Local\Temp\LoaderVIP.exe
"C:\Users\Admin\AppData\Local\Temp\LoaderVIP.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\AF\Token.exe
  "C:\Windows\AF\Token.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AF\Token.exe

Filesize
31KB

MD5
a5395109068698d637173dfff99f8c70

SHA1
403aab73d04cf403dc50c4073d0ae0050d331c27

SHA256
486b964b184390a950236bed26bd6dc69b68b516999a62f0a39666b327f54a69

SHA512
9aa47e255416c77d34a5d3819a294d5b17c22179c5110db60cb5f2b509f736c1d7bdcd5fe129bceb298e57d43ade7165c51b04bde93832762e0455474157ed1b

Download Submit
C:\Windows\AF\Token.exe

Filesize
31KB

MD5
a5395109068698d637173dfff99f8c70

SHA1
403aab73d04cf403dc50c4073d0ae0050d331c27

SHA256
486b964b184390a950236bed26bd6dc69b68b516999a62f0a39666b327f54a69

SHA512
9aa47e255416c77d34a5d3819a294d5b17c22179c5110db60cb5f2b509f736c1d7bdcd5fe129bceb298e57d43ade7165c51b04bde93832762e0455474157ed1b

Download Submit