cd0d05edff074baacf0686932cfa19885c22588e580319e3c6a99e1970aadcf7

Resubmissions

27-03-2023 14:27

230327-rsnn3adh24 9

27-03-2023 14:22

230327-rp3zksfh6x 9

Analysis

max time kernel
17s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vanta_free.exe
Size

57.4MB
MD5

a5b1c8309492a63c0ce56866298665db
SHA1

f08e6aea1da73ab3d4859b353d325f2b6b460481
SHA256

cd0d05edff074baacf0686932cfa19885c22588e580319e3c6a99e1970aadcf7
SHA512

03cfe515a7ea3a7db6111a73c7b7e60108861c47737e16b4f42c391dcf174db26329c6f73245124a78d4701ec63765b7e07b8c21d8b7dbdda2c38e148dbcc8b9
SSDEEP

786432:DMguj8Q4VfvFqFTrYAY8tIRS02PrmlNcicqmDAgpv:DiAQIHFkHl02SU58gpv

Score

9^/10

evasion spyware stealer themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

vanta_free.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ vanta_free.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vanta_free.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vanta_free.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vanta_free.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vanta_free.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vanta_free.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	vanta_free.exe

Drops startup file 2 IoCs

Processes:

vanta_free.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	vanta_free.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	vanta_free.exe

Loads dropped DLL 2 IoCs

Processes:

vanta_free.exe

pid process

2744 vanta_free.exe
2744 vanta_free.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2744	vanta_free.exe
2744	vanta_free.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2744-134-0x00007FF7A9B20000-0x00007FF7ACA8C000-memory.dmp	themida
behavioral1/memory/2744-279-0x00007FF7A9B20000-0x00007FF7ACA8C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

vanta_free.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vanta_free.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 api.ipify.org
24 api.ipify.org

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vanta_free.exe

flow	ioc
23	api.ipify.org
24	api.ipify.org

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

vanta_free.execmd.exe

description	pid	process	target process
PID 2744 wrote to memory of 1880	2744	vanta_free.exe	cmd.exe
PID 2744 wrote to memory of 1880	2744	vanta_free.exe	cmd.exe
PID 1880 wrote to memory of 4800	1880	cmd.exe	HOSTNAME.EXE
PID 1880 wrote to memory of 4800	1880	cmd.exe	HOSTNAME.EXE

C:\Users\Admin\AppData\Local\Temp\vanta_free.exe
"C:\Users\Admin\AppData\Local\Temp\vanta_free.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "hostname"
2⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\system32\HOSTNAME.EXE
hostname
3⤵
PID:4800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Save-jfGte6DrhC\Browsers\downloads.json
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\e10aac7f4d6da58e15d7dd196cbcace09cb6c9a0c9c83fbf6fa9df14f3bfba2f\win-dpapi\build\Release\node-dpapi.node
Filesize
137KB

MD5
56004171b2d27b113a96327ac3240d9e

SHA1
6b481e8a255ce889b0500a63162452fffa44fd08

SHA256
e10aac7f4d6da58e15d7dd196cbcace09cb6c9a0c9c83fbf6fa9df14f3bfba2f

SHA512
67c23466a5a7fa276391a08d40122ad6336d989e7c33515f7de68386448a8cf6c5a826580416d3b0ee49c1a31e73a55b420bb0794d64087ef593358706c3ff7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\e10aac7f4d6da58e15d7dd196cbcace09cb6c9a0c9c83fbf6fa9df14f3bfba2f\win-dpapi\build\Release\node-dpapi.node
Filesize
137KB

MD5
56004171b2d27b113a96327ac3240d9e

SHA1
6b481e8a255ce889b0500a63162452fffa44fd08

SHA256
e10aac7f4d6da58e15d7dd196cbcace09cb6c9a0c9c83fbf6fa9df14f3bfba2f

SHA512
67c23466a5a7fa276391a08d40122ad6336d989e7c33515f7de68386448a8cf6c5a826580416d3b0ee49c1a31e73a55b420bb0794d64087ef593358706c3ff7c

Download Submit
memory/2744-134-0x00007FF7A9B20000-0x00007FF7ACA8C000-memory.dmp

Filesize
47.4MB

Download
memory/2744-279-0x00007FF7A9B20000-0x00007FF7ACA8C000-memory.dmp

Filesize
47.4MB

Download