Analysis
- max time kernel: 17s
- max time network: 22s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 14:22
General
- Target: vanta_free.exe
- Size: 57.4MB
- MD5: a5b1c8309492a63c0ce56866298665db
- SHA1: f08e6aea1da73ab3d4859b353d325f2b6b460481
- SHA256: cd0d05edff074baacf0686932cfa19885c22588e580319e3c6a99e1970aadcf7
- SHA512: 03cfe515a7ea3a7db6111a73c7b7e60108861c47737e16b4f42c391dcf174db26329c6f73245124a78d4701ec63765b7e07b8c21d8b7dbdda2c38e148dbcc8b9
- SSDEEP: 786432:DMguj8Q4VfvFqFTrYAY8tIRS02PrmlNcicqmDAgpv:DiAQIHFkHl02SU58gpv
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes: vanta_free.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | vanta_free.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: vanta_free.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | vanta_free.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | vanta_free.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: vanta_free.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | vanta_free.exe

Drops startup file (2 IoCs)
Processes: vanta_free.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe | vanta_free.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe | vanta_free.exe

Loads dropped DLL (2 IoCs)
Processes: vanta_free.exe
pid | process
2744 | vanta_free.exe
2744 | vanta_free.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Themida packer (yara rule: themida)
resource | yara_rule
behavioral1/memory/2744-134-0x00007FF7A9B20000-0x00007FF7ACA8C000-memory.dmp | themida
behavioral1/memory/2744-279-0x00007FF7A9B20000-0x00007FF7ACA8C000-memory.dmp | themida

Checks whether UAC is enabled
Processes: vanta_free.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | vanta_free.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
23 | api.ipify.org
24 | api.ipify.org

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: vanta_free.exe, cmd.exe
description | pid | process | target process
PID 2744 wrote to memory of 1880 | 2744 | vanta_free.exe | cmd.exe
PID 2744 wrote to memory of 1880 | 2744 | vanta_free.exe | cmd.exe
PID 1880 wrote to memory of 4800 | 1880 | cmd.exe | HOSTNAME.EXE
PID 1880 wrote to memory of 4800 | 1880 | cmd.exe | HOSTNAME.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\vanta_free.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\vanta_free.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Drops startup file
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /d /s /c "hostname"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\HOSTNAME.EXE
      command line: hostname
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Save-jfGte6DrhC\Browsers\downloads.json
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- C:\Users\Admin\AppData\Local\Temp\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
  Filesize: 1.8MB
  MD5: 3072b68e3c226aff39e6782d025f25a8
  SHA1: cf559196d74fa490ac8ce192db222c9f5c5a006a
  SHA256: 7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01
  SHA512: 61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61
- C:\Users\Admin\AppData\Local\Temp\pkg\e10aac7f4d6da58e15d7dd196cbcace09cb6c9a0c9c83fbf6fa9df14f3bfba2f\win-dpapi\build\Release\node-dpapi.node
  Filesize: 137KB
  MD5: 56004171b2d27b113a96327ac3240d9e
  SHA1: 6b481e8a255ce889b0500a63162452fffa44fd08
  SHA256: e10aac7f4d6da58e15d7dd196cbcace09cb6c9a0c9c83fbf6fa9df14f3bfba2f
  SHA512: 67c23466a5a7fa276391a08d40122ad6336d989e7c33515f7de68386448a8cf6c5a826580416d3b0ee49c1a31e73a55b420bb0794d64087ef593358706c3ff7c
- memory/2744-134-0x00007FF7A9B20000-0x00007FF7ACA8C000-memory.dmp
  Filesize: 47.4MB
- memory/2744-279-0x00007FF7A9B20000-0x00007FF7ACA8C000-memory.dmp
  Filesize: 47.4MB