10f81c435c9a627bd1d8bc04fded50a723cd3afb59ddfd1441288c637fb0e7cc

General

Target

free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.exe
Size

1.7MB
MD5

b01445231a203d761f6806350c6b4da7
SHA1

590d3af0e35d10659473c878e80894330ed23c45
SHA256

10f81c435c9a627bd1d8bc04fded50a723cd3afb59ddfd1441288c637fb0e7cc
SHA512

208c70364fbb5b958396149629f5d85bb02cf1bb47d5c047afb9569eac2bf3cac75e8a50b01636a069a213dde5b1843e6b8b846a73e4a9432a17c4fa35fd1779
SSDEEP

24576:A7FUDowAyrTVE3U5FmEj6CIFeuTxV/A/Tcr/OzuwibgRb+V8Wb:ABuZrEUR6C6euTxV/ALcr0uxzS

Score

6^/10

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 6 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\AVAST Software\Avast	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\AVG\AV\Dir	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp

Executes dropped EXE 1 IoCs

pid	Process
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp

Loads dropped DLL 2 IoCs

pid	Process
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4060	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 4060	2744	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.exe	84
PID 2744 wrote to memory of 4060	2744	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.exe	84
PID 2744 wrote to memory of 4060	2744	free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.exe	84

C:\Users\Admin\AppData\Local\Temp\free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.exe
"C:\Users\Admin\AppData\Local\Temp\free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\is-JC2HM.tmp\free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JC2HM.tmp\free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp" /SL5="$B0058,879088,832512,C:\Users\Admin\AppData\Local\Temp\free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

Security Software Discovery

1

T1063

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-20RBB.tmp\AVAST.png

Filesize
64KB

MD5
096ff7dbb7f5dfb71cf40fcd37a59fd6

SHA1
5cc8f2256ae43e597edaf7841771d7471d8d0590

SHA256
6197d9ad63a37760e88b7ee53077faf94d0deeb9d8740428d2dc76a7242d7843

SHA512
8a37e62cdd1989443f1ac98c0e827cdbdd00f1a9d243e7b433ce1bf5dbdd05c8e1c7fdc07261086c18b6e39d2494c3b2acaac60a24bec84f4631f295efc4891d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-20RBB.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-20RBB.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-20RBB.tmp\mainlogo

Filesize
2KB

MD5
88d3d0ef18fd80da1e888099691ec365

SHA1
f2a3b683f0d72e66a69b71df1e2002fdba9aeb1f

SHA256
395f730075cafa769b2397599c21bdd035f2ea6b1f4a39d0628e39f2c8ac4878

SHA512
7728656d4d9b26e56b345396ef46f7f6b6fbc868fa21336864e23879241a1b1555f9a076d3acf9ab84fbec372a313fa5c5a78c93aa4d1ee8a62b8ef7a2db1186

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-20RBB.tmp\v_in_black_circle.png

Filesize
1KB

MD5
a0f78df30ebc15bda8858e4c490a5eb1

SHA1
07140fdad7c7415fbb23461e243d7b576eb08749

SHA256
0c679e463254ec4652917110ca1387fb3663d464e4bd792d97c2d853e156d900

SHA512
f5539152f7faf5fa3505a2ebd1ccbe3145ee46564b814549a96b63f385a73b7e69176ca853d07adef386ea0cc7c0cea4989c74bd4334997b389d85a2f8db1508

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JC2HM.tmp\free-virtual-serial-ports-emulator-0.923.3.694-installer_VNha-r3.tmp

Filesize
3.1MB

MD5
c4630882db671a55924f100c5c1f0056

SHA1
24c08e7061301d9a3ef6b2fbbbbad484e5f4bc37

SHA256
49cbceb57abe33bad7c5f8c56a8bc5ddd06507d185859554f1de31f3761741e3

SHA512
6d044efc68d07317b298fa10ed6d68a6b36df6a31c57f32fc0e358ad2c039307dcec9a1755e3b2dac48efa6a9f31845aa0ae52d2b67e7daeb6ea503ec45257d6

Download Submit
C:\Users\Admin\Downloads\free-virtual-serial-ports-emulator-0.923.3.694-installer.exe

Filesize
3.1MB

MD5
aab8d91b5b0f8e64fd54810256de36bf

SHA1
1214930e8607c936369950e338e31656ee65bc41

SHA256
168258e6769256a3db40e7feeaa8cc888fe2e3603788aba4c22f439a5b28e489

SHA512
d7e9cfafffa13ec419a402d8d97271310f8a87318afbad19f2ad90a6f39e9b29c60f2c5f58eb011394fff13fc0f8dd951a507325c976368e8b8fe96954545a25

Download Submit
memory/2744-217-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2744-156-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2744-133-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4060-157-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4060-159-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4060-168-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4060-169-0x0000000005720000-0x000000000572F000-memory.dmp

Filesize
60KB

Download
memory/4060-158-0x0000000005720000-0x000000000572F000-memory.dmp

Filesize
60KB

Download
memory/4060-183-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4060-150-0x0000000005720000-0x000000000572F000-memory.dmp

Filesize
60KB

Download
memory/4060-215-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/4060-138-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads