1ef9d617c7c3ede521cd790a41c37f8c6c9041d8a1ac83e7ef373deb7595f4b5

Analysis

max time kernel
1738s
max time network
1229s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2023, 07:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

vDosSetup.exe
Size

2.5MB
MD5

c9dc201c28ff87cfe45f96dee579b267
SHA1

ea78bb8850c7d2f338a12add69b7a3856fcf7178
SHA256

1ef9d617c7c3ede521cd790a41c37f8c6c9041d8a1ac83e7ef373deb7595f4b5
SHA512

19c40187de906e2c8276c21be5c20a37ac168023155a489b23d4f9169d0d34d535c1644ba4d11dee2f2cfecda63bfb714ef57e5502a0759096e369d5c7e6a8e8
SSDEEP

49152:3qe3f6dDIPpWhOEHTpruJI4nGo5GgB6d6D9yWWwm2d+:6SidMxWFHTpIx2d8Hw

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2136	vDosSetup.tmp
3084	bspatch.exe
4260	vDos.exe
2936	vDos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2136	vDosSetup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2136	4556	vDosSetup.exe	83
PID 4556 wrote to memory of 2136	4556	vDosSetup.exe	83
PID 4556 wrote to memory of 2136	4556	vDosSetup.exe	83
PID 2136 wrote to memory of 3084	2136	vDosSetup.tmp	88
PID 2136 wrote to memory of 3084	2136	vDosSetup.tmp	88
PID 2136 wrote to memory of 3084	2136	vDosSetup.tmp	88

C:\Users\Admin\AppData\Local\Temp\vDosSetup.exe
"C:\Users\Admin\AppData\Local\Temp\vDosSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Users\Admin\AppData\Local\Temp\is-V45D8.tmp\vDosSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-V45D8.tmp\vDosSetup.tmp" /SL5="$B00DE,1762905,831488,C:\Users\Admin\AppData\Local\Temp\vDosSetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\vDos\bspatch.exe
    "C:\vDos\bspatch.exe" vDos.exe vDos.exe vDosPatch
    3⤵
    - Executes dropped EXE
    PID:3084

C:\vDos\vDos.exe
"C:\vDos\vDos.exe"
1⤵
- Executes dropped EXE
PID:4260

C:\vDos\vDos.exe
"C:\vDos\vDos.exe"
1⤵
- Executes dropped EXE
PID:2936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-V45D8.tmp\vDosSetup.tmp

Filesize
3.0MB

MD5
6bcd0eff3d7cfc30dd09024c5bcc0254

SHA1
a195b433a34fd784f5e0e7ddbccf1b0fd1a9ca9d

SHA256
ae0159b82ff20db2d50924319550742fed8ff7baf10d0adaa574f8e77dd5d8be

SHA512
2c481c962d0259ab95ed28a863dc9553266b7d0009a4d963ca00380c5f838bb7c20867c49f48d2f83710e9327d5a77f6e69b1b0babb2553958e002556c873375

Download Submit
C:\vDos\CONFIG.TXT

Filesize
3KB

MD5
4464ff8a124de2a626c362c2014a3622

SHA1
6456565f74bcf2511b0dfd72a61c678546d6e5c3

SHA256
aa2c6c9e0c5be8ecb710275825750b69404fc07911b018f6647ad50231dc2ff5

SHA512
bf4af315c164e2dd715866c8ff3d8575922638e476a88cc5cb38a7bacbea5eb987b00c60075588e3e11f9da974fd6cdabc8db3be0adfe2caaf00e69dd9e86ae7

Download Submit
C:\vDos\bspatch.exe

Filesize
32KB

MD5
aeb914a7e39eb9fdda7cc1c59ea01201

SHA1
972559c605741802331f899fc75226179c0f61bd

SHA256
d5514bdbef8aa057efe347c2dae3a634cf99d87a3e7aef17553736e0d992aa09

SHA512
7bcc7e5ecb57122765cfb1b0952f3aab695c531b54f76eae3162a64e5fc6022fe736c95c25f933d64926d1df44684559eed5ce1142e9cd5d60cb3d80aa8f1f70

Download Submit
C:\vDos\bspatch.exe

Filesize
32KB

MD5
aeb914a7e39eb9fdda7cc1c59ea01201

SHA1
972559c605741802331f899fc75226179c0f61bd

SHA256
d5514bdbef8aa057efe347c2dae3a634cf99d87a3e7aef17553736e0d992aa09

SHA512
7bcc7e5ecb57122765cfb1b0952f3aab695c531b54f76eae3162a64e5fc6022fe736c95c25f933d64926d1df44684559eed5ce1142e9cd5d60cb3d80aa8f1f70

Download Submit
C:\vDos\vDos.exe

Filesize
527KB

MD5
879ddc7a3d3df6c912a5dbd1317b7aca

SHA1
030fc82a02f5dee5c897f88297421d2d2f2fc792

SHA256
ac21b4c50561598c8176558c584526ac0e54a4ddda046d7a0ed23c2a681cc90e

SHA512
fe3e9c0e502505ffd0deab3ebe3e71fabaccf2d32e5ffcf9f66f0bd9c642c83728782648010ed2a9918610c36140e0f886b257f5af5336446e6fb24fc5bc4709

Download Submit
C:\vDos\vDos.exe

Filesize
527KB

MD5
17e71fc31a63036739b8dfbfc61ed015

SHA1
58867607e2492340a39e97d0fb2812c9c789b533

SHA256
a948bfbf2d21cabda98d1e959e454e48daadd886b3ca71d1f8667ef3eff832f8

SHA512
d6814cbbf4cdff5e264af392f2a03507a822dfa47e9821076a3d3ae9031b7debfbb4d8500c074cd12fa406bc7aecd9145670e97b1c810b4385a0be242ad10529

Download Submit
C:\vDos\vDos.exe

Filesize
527KB

MD5
17e71fc31a63036739b8dfbfc61ed015

SHA1
58867607e2492340a39e97d0fb2812c9c789b533

SHA256
a948bfbf2d21cabda98d1e959e454e48daadd886b3ca71d1f8667ef3eff832f8

SHA512
d6814cbbf4cdff5e264af392f2a03507a822dfa47e9821076a3d3ae9031b7debfbb4d8500c074cd12fa406bc7aecd9145670e97b1c810b4385a0be242ad10529

Download Submit
C:\vDos\vDos.exe

Filesize
527KB

MD5
17e71fc31a63036739b8dfbfc61ed015

SHA1
58867607e2492340a39e97d0fb2812c9c789b533

SHA256
a948bfbf2d21cabda98d1e959e454e48daadd886b3ca71d1f8667ef3eff832f8

SHA512
d6814cbbf4cdff5e264af392f2a03507a822dfa47e9821076a3d3ae9031b7debfbb4d8500c074cd12fa406bc7aecd9145670e97b1c810b4385a0be242ad10529

Download Submit
C:\vDos\vDosPatch

Filesize
201KB

MD5
d0608e0697c22fadb09df0e1459999f6

SHA1
61a76ed675e4a636bc033741261689dc275687f2

SHA256
fbf7e7d3fb6a31c285d19d49699de19cf43eace9eb3701323e8d8f75e0c5d964

SHA512
45224defc3e047a9891be733d484214f548dcd199e413e05f42180ffceebda2a69b2e797b7c950922938d5b46974e409bd3691e1c0bd51ac41a626f22fcba691

Download Submit
memory/2136-377-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2136-139-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4556-133-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4556-375-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4556-379-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download