Analysis

  • max time kernel
    418s
  • max time network
    431s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2023, 13:35 UTC

General

  • Target

    VAMPSET v2.2.206 - Lite/configs/P3G30_30.109.vfm

  • Size

    13.8MB

  • MD5

    cbc75b212f3bfa24c069865d0d073ead

  • SHA1

    69478d5ff42939acb948d1468b5922e05ed5e1d5

  • SHA256

    19cafa97dde1522364e17d60adeb5dc93f97e50a6288dbf234945b4122198d14

  • SHA512

    5d6c48c93a195ac781774c402c5cef594b14ea77124eaadda5cd24e6dd310f2022168a44a519722dcbe863435b40bbd31ea4f2c1c1824b5a9330cf9c09f63237

  • SSDEEP

    6144:kr2WpWo2E2WcsutCJ3sqX5PTJeW6uupYcU6IzaHX4Z/FJncyWIdGwti90e7GnUMx:FqX5PTJeW6uwo9

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)

Processes

  • C:\Windows\system32\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\VAMPSET v2.2.206 - Lite\configs\P3G30_30.109.vfm"
    PID: 4684
    Signatures: Modifies registry class
  • C:\Windows\system32\OpenWith.exe
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    PID: 2880
    Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx

Network

  All recorded traffic consists of reverse (PTR) DNS lookups sent to 8.8.8.8:53; the report shows an empty response body for every query. Columns: remote address, query name, record type, bytes sent / bytes received, requests / responses.

  • 8.8.8.8:53   120.208.253.8.in-addr.arpa     IN PTR   72 B / 126 B   1 / 1
  • 8.8.8.8:53   208.194.73.20.in-addr.arpa     IN PTR   72 B / 158 B   1 / 1
  • 8.8.8.8:53   71.31.126.40.in-addr.arpa      IN PTR   71 B / 157 B   1 / 1
  • 8.8.8.8:53   108.211.229.192.in-addr.arpa   IN PTR   74 B / 145 B   1 / 1
  • 8.8.8.8:53   59.128.231.4.in-addr.arpa      IN PTR   71 B / 157 B   1 / 1
  • 8.8.8.8:53   206.23.85.13.in-addr.arpa      IN PTR   71 B / 145 B   1 / 1
  • 8.8.8.8:53   86.23.85.13.in-addr.arpa       IN PTR   70 B / 144 B   1 / 1
  • 8.8.8.8:53   10.173.189.20.in-addr.arpa     IN PTR   72 B / 158 B   1 / 1

MITRE ATT&CK Enterprise v15
