47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-06-2023 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06491799.exe
Size

770KB
MD5

8cd7c19b6dc76c116cdb84e369fd5d9a
SHA1

5e3ecd3e4ef8adc294db1e3525cdbde46b2b7ddc
SHA256

47769a82ac9994bf50fdb7ff521d2364775afea3da02d55450448a25e6f94645
SHA512

909d0a2ec4af33c374d7453926e5999badd2f9fa79d0648a7308f63911f673ae34ec275917999199e9fb3a669af5c4aa460e7639c5e346f261decd28b520039a
SSDEEP

24576:ePPNsFNARXFh0Gy9Gtgt09HlncQXZlFeI5D7Cj+o:RNkltHXXZlFeiHab

Score

7^/10

aspackv2 persistence upx

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Program Files (x86)\VAV\vav.cpl	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

vav.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\International\Geo\Nation vav.exe
Executes dropped EXE 1 IoCs

Processes:

vav.exe

pid process

1220 vav.exe
Loads dropped DLL 7 IoCs

Processes:

06491799.exevav.exeregsvr32.exe

pid process

1972 06491799.exe
1972 06491799.exe
1972 06491799.exe
1220 vav.exe
1220 vav.exe
1220 vav.exe
1588 regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\International\Geo\Nation	vav.exe

pid	process
1220	vav.exe

pid	process
1972	06491799.exe
1972	06491799.exe
1972	06491799.exe
1220	vav.exe
1220	vav.exe
1220	vav.exe
1588	regsvr32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1972-77-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vav.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "C:\\Program Files (x86)\\VAV\\vav.exe"	vav.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Antivirus = "C:\\Program Files (x86)\\VAV\\vav.exe"	vav.exe

Drops file in System32 directory 2 IoCs

Processes:

vav.exe

description ioc process

File created C:\Windows\SysWOW64\vav.cpl vav.exe
File opened for modification C:\Windows\SysWOW64\vav.cpl vav.exe

description	ioc	process
File created	C:\Windows\SysWOW64\vav.cpl	vav.exe
File opened for modification	C:\Windows\SysWOW64\vav.cpl	vav.exe

Drops file in Program Files directory 11 IoCs

Processes:

06491799.exe

description	ioc	process
File created	C:\Program Files (x86)\VAV\vav.ooo	06491799.exe
File opened for modification	C:\Program Files (x86)\VAV\vav.ooo	06491799.exe
File created	C:\Program Files (x86)\VAV\vav0.dat	06491799.exe
File opened for modification	C:\Program Files (x86)\VAV\vav0.dat	06491799.exe
File opened for modification	C:\Program Files (x86)\VAV\vav1.dat	06491799.exe
File created	C:\Program Files (x86)\VAV\vav.exe	06491799.exe
File opened for modification	C:\Program Files (x86)\VAV\vav.exe	06491799.exe
File opened for modification	C:\Program Files (x86)\VAV	06491799.exe
File created	C:\Program Files (x86)\VAV\vav.cpl	06491799.exe
File opened for modification	C:\Program Files (x86)\VAV\vav.cpl	06491799.exe
File created	C:\Program Files (x86)\VAV\vav1.dat	06491799.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

vav.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main vav.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	vav.exe

Modifies registry class 3 IoCs

Processes:

vav.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	vav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	vav.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	vav.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vav.exe

pid process

1220 vav.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

vav.exe

pid process

1220 vav.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

vav.exe

pid process

1220 vav.exe
1220 vav.exe
1220 vav.exe
1220 vav.exe
1220 vav.exe
1220 vav.exe

pid	process
1220	vav.exe

pid	process
1220	vav.exe

pid	process
1220	vav.exe
1220	vav.exe
1220	vav.exe
1220	vav.exe
1220	vav.exe
1220	vav.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

06491799.exevav.exe

description	pid	process	target process
PID 1972 wrote to memory of 1220	1972	06491799.exe	vav.exe
PID 1972 wrote to memory of 1220	1972	06491799.exe	vav.exe
PID 1972 wrote to memory of 1220	1972	06491799.exe	vav.exe
PID 1972 wrote to memory of 1220	1972	06491799.exe	vav.exe
PID 1972 wrote to memory of 1220	1972	06491799.exe	vav.exe
PID 1972 wrote to memory of 1220	1972	06491799.exe	vav.exe
PID 1972 wrote to memory of 1220	1972	06491799.exe	vav.exe
PID 1220 wrote to memory of 1588	1220	vav.exe	regsvr32.exe
PID 1220 wrote to memory of 1588	1220	vav.exe	regsvr32.exe
PID 1220 wrote to memory of 1588	1220	vav.exe	regsvr32.exe
PID 1220 wrote to memory of 1588	1220	vav.exe	regsvr32.exe
PID 1220 wrote to memory of 1588	1220	vav.exe	regsvr32.exe
PID 1220 wrote to memory of 1588	1220	vav.exe	regsvr32.exe
PID 1220 wrote to memory of 1588	1220	vav.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\06491799.exe
"C:\Users\Admin\AppData\Local\Temp\06491799.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1972

C:\Program Files (x86)\VAV\vav.exe
"C:\Program Files (x86)\VAV\vav.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\VAV\vav.exe"
3⤵
- Loads dropped DLL
PID:1588

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VAV\vav.cpl
Filesize
115KB

MD5
170ef694beb6bef500d057e98af28a81

SHA1
6f6bb37e574fc70fcd90b5075a9100d254c83286

SHA256
3c476e7da59efc96bb20b95c908f7ec9a72fd48f3a8b4097cf6af8d7f6d0707a

SHA512
662abbb075d918091d58ce08ca35ecb2e3ab6f3e978f5746c0c66809c78eda78f10c07a9dd1d9ebe97638d70a8710762f8d14b2e6d9aabe7a75be7aefd3dc9a3

Download Submit
C:\Program Files (x86)\VAV\vav.exe
Filesize
317KB

MD5
2ed5d70c5af906b4935931f2fa63d1af

SHA1
5e683b5cc4d98d279f8d404e20923af19ad0e0fd

SHA256
42808502caa08f62af18d6153e08f8c8a07490f0d68c2561529444b088a6afd9

SHA512
4c05be6d5b0d0f1d573b232569ea3635edf2aaf012282e0bff9a86223e60527e0bff592179b38f84d8c068a1c99b557ff5269393c0c1833a1843c3c38c16557c

Download Submit
C:\Program Files (x86)\VAV\vav.exe
Filesize
317KB

MD5
2ed5d70c5af906b4935931f2fa63d1af

SHA1
5e683b5cc4d98d279f8d404e20923af19ad0e0fd

SHA256
42808502caa08f62af18d6153e08f8c8a07490f0d68c2561529444b088a6afd9

SHA512
4c05be6d5b0d0f1d573b232569ea3635edf2aaf012282e0bff9a86223e60527e0bff592179b38f84d8c068a1c99b557ff5269393c0c1833a1843c3c38c16557c

Download Submit
C:\Program Files (x86)\VAV\vav.exe
Filesize
317KB

MD5
2ed5d70c5af906b4935931f2fa63d1af

SHA1
5e683b5cc4d98d279f8d404e20923af19ad0e0fd

SHA256
42808502caa08f62af18d6153e08f8c8a07490f0d68c2561529444b088a6afd9

SHA512
4c05be6d5b0d0f1d573b232569ea3635edf2aaf012282e0bff9a86223e60527e0bff592179b38f84d8c068a1c99b557ff5269393c0c1833a1843c3c38c16557c

Download Submit
C:\Program Files (x86)\VAV\vav.ooo
Filesize
10B

MD5
2bf6f3831e58fdba9281ebc90e77ff3a

SHA1
6a0d07d9bf2a2f7e2a5c9ec8b71b3b08ed10f781

SHA256
f49875853daa431bb8c724a093cf255da7eff249d4d6f3773d6729105dbdd067

SHA512
840569ce93527a931ef70a120050292d71ccee7380871c9d8434b9ca0e40d417355c2c4df8b29c80c121da68e873640bf1b634eb44407b5b92780c8c5c472a9b

Download Submit
C:\Program Files (x86)\VAV\vav0.dat
Filesize
401KB

MD5
bbe8e02db2597e6d9d874718ae5639a8

SHA1
8bf63e606a06ad3a041c438a2eb8e8107198cbc7

SHA256
d24dbaf052764d69dbfdff742289577f9b3003a6c6209d61e9a099b7782af0b6

SHA512
0c6e2ea8a029489e7f0ee61e082f1543e3eff614b1091de7c4e98c0eeef08ec06e7da159d8b6de8a3aa6206782ae5904df451756def0d7fee30821654ecec22b

Download Submit
C:\Program Files (x86)\VAV\vav1.dat
Filesize
32KB

MD5
a3e99d65018a5a49ae5bfe366da24c12

SHA1
d2f2bf216530ade6a386df363b1b01f0824f0fd4

SHA256
30d924f1db0322640e9c65f349cdf4d51fd45ea6d3263cebd4433ab2c6d979a2

SHA512
6df6b64c08b241a20f536ccb8dbaf4f324c421abf8977b98585b06505d18eaa2459718f3259b8669ca244762f98dd05c6ba8c35db4b9eb2471148f2a56b75f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\03S7L47X\g1[2]
Filesize
1024B

MD5
8f8d8d07b4d2dd7fc7c97a0396683eea

SHA1
9cfccb49f7cbf1664257f3da701125cc9a37c7c3

SHA256
d240106981f8c50ccc625329c7e92ac8b139208643eefb733a580cc5f0ad1eb3

SHA512
0f18ad300448c84dd5b4d72219b9327c522d5c6d6e870f0504f59b2963bc8c222156da9d15298929832231a00c09ac0f7aaead39fd83592d4e98830db1dc633c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMIDRLTB\g3[2]
Filesize
1023B

MD5
aefd444122479195a041153e433d7c84

SHA1
aa68d0404afe9aa4bbd15f1c732370b8aa323072

SHA256
5adf118b3b1a73e88fd25981132f01bcb77b7961a0b219a71fb13c8e88d681eb

SHA512
131e0bc9e0a3badb4c9b29e26f36861c2876b7fc6a775ceba6393c37d8575fc6ef7fe2c7f91c1e1202b361e25aa0243f3a7f260adf8b36e157bca31196fa0d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\g2[1]
Filesize
613B

MD5
727a63363c1c5e84451ea8ef27ed1c8d

SHA1
aad7fb2b949e5045bbd9612a468611f55e47e4ca

SHA256
b0bafcaa21b73ff3b4f06f7304f08f90693eaca58c92ca4ee22ef7dcdafd823c

SHA512
bf0fc89c1057adebff595d4aa6639ea9fb6a15a07f5882223f568eda4c6b39e07f3b3972a77e106a20057a4a2584835ccf96831bd44eb5426710014c173b267b

Download Submit
\Program Files (x86)\VAV\vav.exe
Filesize
317KB

MD5
2ed5d70c5af906b4935931f2fa63d1af

SHA1
5e683b5cc4d98d279f8d404e20923af19ad0e0fd

SHA256
42808502caa08f62af18d6153e08f8c8a07490f0d68c2561529444b088a6afd9

SHA512
4c05be6d5b0d0f1d573b232569ea3635edf2aaf012282e0bff9a86223e60527e0bff592179b38f84d8c068a1c99b557ff5269393c0c1833a1843c3c38c16557c

Download Submit
\Program Files (x86)\VAV\vav.exe
Filesize
317KB

MD5
2ed5d70c5af906b4935931f2fa63d1af

SHA1
5e683b5cc4d98d279f8d404e20923af19ad0e0fd

SHA256
42808502caa08f62af18d6153e08f8c8a07490f0d68c2561529444b088a6afd9

SHA512
4c05be6d5b0d0f1d573b232569ea3635edf2aaf012282e0bff9a86223e60527e0bff592179b38f84d8c068a1c99b557ff5269393c0c1833a1843c3c38c16557c

Download Submit
\Program Files (x86)\VAV\vav.exe
Filesize
317KB

MD5
2ed5d70c5af906b4935931f2fa63d1af

SHA1
5e683b5cc4d98d279f8d404e20923af19ad0e0fd

SHA256
42808502caa08f62af18d6153e08f8c8a07490f0d68c2561529444b088a6afd9

SHA512
4c05be6d5b0d0f1d573b232569ea3635edf2aaf012282e0bff9a86223e60527e0bff592179b38f84d8c068a1c99b557ff5269393c0c1833a1843c3c38c16557c

Download Submit
\Program Files (x86)\VAV\vav.exe
Filesize
317KB

MD5
2ed5d70c5af906b4935931f2fa63d1af

SHA1
5e683b5cc4d98d279f8d404e20923af19ad0e0fd

SHA256
42808502caa08f62af18d6153e08f8c8a07490f0d68c2561529444b088a6afd9

SHA512
4c05be6d5b0d0f1d573b232569ea3635edf2aaf012282e0bff9a86223e60527e0bff592179b38f84d8c068a1c99b557ff5269393c0c1833a1843c3c38c16557c

Download Submit
\Program Files (x86)\VAV\vav.exe
Filesize
317KB

MD5
2ed5d70c5af906b4935931f2fa63d1af

SHA1
5e683b5cc4d98d279f8d404e20923af19ad0e0fd

SHA256
42808502caa08f62af18d6153e08f8c8a07490f0d68c2561529444b088a6afd9

SHA512
4c05be6d5b0d0f1d573b232569ea3635edf2aaf012282e0bff9a86223e60527e0bff592179b38f84d8c068a1c99b557ff5269393c0c1833a1843c3c38c16557c

Download Submit
\Program Files (x86)\VAV\vav.exe
Filesize
317KB

MD5
2ed5d70c5af906b4935931f2fa63d1af

SHA1
5e683b5cc4d98d279f8d404e20923af19ad0e0fd

SHA256
42808502caa08f62af18d6153e08f8c8a07490f0d68c2561529444b088a6afd9

SHA512
4c05be6d5b0d0f1d573b232569ea3635edf2aaf012282e0bff9a86223e60527e0bff592179b38f84d8c068a1c99b557ff5269393c0c1833a1843c3c38c16557c

Download Submit
\Program Files (x86)\VAV\vav.exe
Filesize
317KB

MD5
2ed5d70c5af906b4935931f2fa63d1af

SHA1
5e683b5cc4d98d279f8d404e20923af19ad0e0fd

SHA256
42808502caa08f62af18d6153e08f8c8a07490f0d68c2561529444b088a6afd9

SHA512
4c05be6d5b0d0f1d573b232569ea3635edf2aaf012282e0bff9a86223e60527e0bff592179b38f84d8c068a1c99b557ff5269393c0c1833a1843c3c38c16557c

Download Submit
memory/1220-98-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1220-157-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-92-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1220-91-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1220-93-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1220-94-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1220-95-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1220-96-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/1220-97-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/1220-89-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1220-99-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1220-100-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1220-101-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1220-84-0x00000000002A0000-0x000000000032D000-memory.dmp

Filesize
564KB

Download
memory/1220-88-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1220-87-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1220-86-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1220-90-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-158-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-159-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-160-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-85-0x00000000002A0000-0x00000000002CC000-memory.dmp

Filesize
176KB

Download
memory/1220-162-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-169-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-83-0x00000000002A0000-0x000000000032D000-memory.dmp

Filesize
564KB

Download
memory/1220-335-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-328-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-194-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-214-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-233-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-249-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-271-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-290-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1220-309-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1972-77-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1972-78-0x0000000000820000-0x0000000000843000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads