Analysis
-
max time kernel
41s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
20-09-2023 08:04
General
-
Target
Kerio-Vpnlike-32Bit.exe
-
Size
9.6MB
-
MD5
7f4f3492feef2acde222975aa6006f99
-
SHA1
24e4bc0d49b3b89b4910778d6642052e80ca32ec
-
SHA256
5a1dc565eea53fe57433dd5e76e093ab20e67cccd0d9fc2ba7a71d2a8f896bb9
-
SHA512
3e98da1f0654a916dee493c9aacdb293f562f7a7adc18b07662fb4267cb2deb953d9abde608cc9041bf9bd062fd330cc116f0e1910fc298e932bbf71b82b3621
-
SSDEEP
196608:Mlq+1NKOV3HbOVYt3wHpe0t/jev/cXeEzi7DQPjJf9s:Y7Hd3UeM7e8XeM8UPNfi
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 8 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 8 IoCs
-
Registers COM server for autorun 1 TTPs 50 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kerio-Vpnlike-32Bit.exe"C:\Users\Admin\AppData\Local\Temp\Kerio-Vpnlike-32Bit.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\MSIEXEC.EXEMSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{2FE68FC1-A1F2-4F1D-9CB3-87FF0D6CE820}\kerio-control-vpnclient-9.2.2-2172-win32.msi" /Lmaeip "C:\Users\Admin\AppData\Local\Temp\kerio-kvc.setup.log" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{2FE68FC1-A1F2-4F1D-9CB3-87FF0D6CE820}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Kerio-Vpnlike-32Bit.exe"2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MSI9391.tmp"C:\Users\Admin\AppData\Local\Temp\MSI9391.tmp"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\vbscript.dll /s4⤵
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\dispex.dll /s4⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\scrobj.dll /s4⤵
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\scrrun.dll /s4⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\wshext.dll /s4⤵
- Registers COM server for autorun
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\wshom.ocx /s4⤵
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\jscript.dll /s4⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\vbscript.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\dispex.dll /s4⤵
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\scrobj.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\scrrun.dll /s4⤵
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\wshext.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\wshom.ocx /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\jscript.dll /s4⤵
- Modifies registry class
-
C:\Windows\SysWOW64\msiexec.exe"msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\{42132246-13E8-4264-86AB-38F4465A8FE4}\ScriptRegistrator.msi /qn3⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B60300F3D0B2C48CD9E963059681DE47 C2⤵
- Loads dropped DLL
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\vbscript.dll2⤵
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\jscript.dll2⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\dispex.dll2⤵
- Registers COM server for autorun
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\scrobj.dll2⤵
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\scrrun.dll2⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\wshext.dll2⤵
- Registers COM server for autorun
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\wshom.ocx2⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f501f997ddaa839f33ffd0d5ef631276
SHA1f5092aa0b1ad2e82e3847ff4c54e683d93d380d6
SHA256455b92e7ca2d75fcfeb3e6bcdafe07b69fa2c1f390a086f16c4e86ab3156803f
SHA512b3dd1aae6685f248bd17eeff487af4a52d9a836e89df29a14513992e1f3711888e0206d4cc4f3be7e7c58bed93b26283401dd5d537a5f4d1ab2f4ab2b4314f37
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
171KB
MD5480ed917d4711aa9e3feb9ef3c1c468f
SHA1fa71b59f35f0ee44d27f74917ef5a0da2797e80b
SHA256482ffc4f87b78c3c7073983cf65b593d9f13f0a3d6dc54b4a3f616f79838f3ce
SHA512b705cc06b1bb3d31354e2071e83eb5f034d219c984438768870c08f42acff82e335e19ccea0bcc2ad5c586f1c6183c439707ce9314ab11aa438c66a245ab2f64
-
Filesize
67KB
MD5c57cd3678f1474e48022fedeba9d79b5
SHA12be5a313631900ce304964c007e0f51fc61899fb
SHA2560e0d27421281af176a5bd2d45fce129536af43b14df521d476288749d29a526f
SHA51267a422e3cec7fd4211165dd8a05e2191ae015a7580a934e7bb9d360de1d28d7196126beea15fdf54456bce18768f1cd7875908990e46028eb23b25e2efc2abd9
-
Filesize
51KB
MD5ef391367a7595d71e238a8a50cacc0dd
SHA195d877715a9e7c44cb9053857488d80dfe60eddf
SHA25684026dc80fae91ca55d93814fcdcd34861670a15e9fad92a8656318aa6caa483
SHA5127f74d1113d588e9ad557bd70cf1f8d5ea5546598e4c25b2ffdee5819791f8b81d3d5f046064ed127412f1b1641ba190ae34187241ae77767d3a94342a8a02ee4
-
Filesize
153KB
MD5ecbc19c2eb3da66c6fa30a915cb62e35
SHA1b9a415c2bbae73a42a885a5fdb58d17280e0a058
SHA2567ee4d2137a9336aa6d137f3a7cc4f94ce0fbf2facac01901e57fc3fd94c36239
SHA512603715f6409211c6d1f7e73f6ff0893fb22185dce2a990c47e9d450626bc15ee1dd26b820dedbe6b7bc1b6bffb358cfb9c55e54882cfceae254edad3d43fbaa7
-
Filesize
84KB
MD5f22359af37a8dda48f2bb8d26a6d52cd
SHA1a97e8178b7be2e6f940fa6b6335c21adb2502bdd
SHA256ccf0a175142f15985082e3e7bc846010668d3980ecb2a0cffaacc651f51b46e6
SHA512e2b72d5b98961329d123e5570afc4ffe7ba7b1db7cb3a840ee0a9eb703a2b6ac98055bc215df99d00aeb08441a1a907fb7041638fd736be255040a4e0fd38839
-
Filesize
84KB
MD5f22359af37a8dda48f2bb8d26a6d52cd
SHA1a97e8178b7be2e6f940fa6b6335c21adb2502bdd
SHA256ccf0a175142f15985082e3e7bc846010668d3980ecb2a0cffaacc651f51b46e6
SHA512e2b72d5b98961329d123e5570afc4ffe7ba7b1db7cb3a840ee0a9eb703a2b6ac98055bc215df99d00aeb08441a1a907fb7041638fd736be255040a4e0fd38839
-
Filesize
281KB
MD56e25e03bc7ae8f808ebc6010c8d2954e
SHA1f1f7f1cb7519ef64faaa1f96d0abe428640936a5
SHA25633bddefa8769fc3fd4dab20118b627c775c7f8f9d24ded3f31925afa33da7268
SHA51230022f795454f02b2872bbf20afb8b4a609a2a9aab1d1f42472b692aca132c9857b3c5eb6f0ea0a848d83d7cfe75e1e349d82284be00a551e3a4503b181b5884
-
Filesize
171KB
MD5480ed917d4711aa9e3feb9ef3c1c468f
SHA1fa71b59f35f0ee44d27f74917ef5a0da2797e80b
SHA256482ffc4f87b78c3c7073983cf65b593d9f13f0a3d6dc54b4a3f616f79838f3ce
SHA512b705cc06b1bb3d31354e2071e83eb5f034d219c984438768870c08f42acff82e335e19ccea0bcc2ad5c586f1c6183c439707ce9314ab11aa438c66a245ab2f64
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
21KB
MD58586214463bd73e1c2716113e5bd3e13
SHA1f02e3a76fd177964a846d4aa0a23f738178db2be
SHA256089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
SHA512309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b
-
Filesize
28KB
MD51bd92aa0c14dc2f6f959d1046bd7fd6f
SHA1b2b21a7108726c26791b8b0fbe569ea0b3893622
SHA2560392fc540a1f2cfbec36c1460466ef435c8f82c4b161ad04f9710cd3e8206fee
SHA51224aa9e1cc3e75a4cf21b1f67063d171ce2521dc4cf3d6bfc9cde89c062719111051742c0b9407e9162f2d8a5d175e7566b57e2caa5ca8aeb8beabbbb5bf7a792
-
Filesize
2KB
MD566d9ad71367b68a1f93f6b1a0988d790
SHA1dbb9b40226c2e59a866a47610bed7c79792c6117
SHA256a446572215b6ea80d330b918df018a1a688a0fcc4c412488dd03e3e6c0ccdfde
SHA51297da43e073ace0e46782b3e4286400f9f6265986370a1f4a9dcaaa762037ae41e0a80efb413ad043523fd6f94f40f0070c26c3c01988613b679f46f5db38ec56
-
Filesize
20B
MD5db9af7503f195df96593ac42d5519075
SHA11b487531bad10f77750b8a50aca48593379e5f56
SHA2560a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA5126839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
-
Filesize
9.6MB
MD56febb0f20ae146d1c36253421f6e8d31
SHA143a4e9143a1c0594b4883ba78fd9daabe0ec3be2
SHA256d5c0a5e45d2cd3c68d1f74cd77c9eea88404f11eb2a1b8bbc83c065274bf0145
SHA512ee7029043ae96867635e5a5360ee439930e5490bc5b313d6fc48c506fa14306a6fed82399179281e3909b1190980cdb70afd5bcb32c0972e81fa24bf65e0c537
-
Filesize
301KB
MD50b2c849eb78e28b94cc62dd0773f8b7f
SHA1d8508a88fa1b04b1c3e8ab5d0bb078cbbb3d2d7e
SHA2560267473d1f2aa56ff9973745d17fcc43d2646ad03b86edbffc57ed900bf0c374
SHA512e145313e3d2a60db130931d07f90b87a63e64777cf6ec08d65e6c70b4aa6c70499783404b49db0001dce69ccfa982340deefd2de4c73ca35ebad2d8a6f8b280b
-
Filesize
5KB
MD514feb5199b4d7245804273422e8e73f5
SHA14f6f236aee0ead97659ac156ac29f0bafcdc51e9
SHA2560795d9e731a218b3a67a5cd7efafc8e2473fdee0984dca9fc2602beb2dcb5672
SHA51291dea0adbaa1f40745211356482bbf405f3b875db990d76b8ef778c70e31e73b1c4900029c7f4ab5930baddaf9c8af544fe917be4acb7c1177c492e4df7fbaf0
-
Filesize
171KB
MD5480ed917d4711aa9e3feb9ef3c1c468f
SHA1fa71b59f35f0ee44d27f74917ef5a0da2797e80b
SHA256482ffc4f87b78c3c7073983cf65b593d9f13f0a3d6dc54b4a3f616f79838f3ce
SHA512b705cc06b1bb3d31354e2071e83eb5f034d219c984438768870c08f42acff82e335e19ccea0bcc2ad5c586f1c6183c439707ce9314ab11aa438c66a245ab2f64
-
Filesize
67KB
MD5c57cd3678f1474e48022fedeba9d79b5
SHA12be5a313631900ce304964c007e0f51fc61899fb
SHA2560e0d27421281af176a5bd2d45fce129536af43b14df521d476288749d29a526f
SHA51267a422e3cec7fd4211165dd8a05e2191ae015a7580a934e7bb9d360de1d28d7196126beea15fdf54456bce18768f1cd7875908990e46028eb23b25e2efc2abd9
-
Filesize
51KB
MD5ef391367a7595d71e238a8a50cacc0dd
SHA195d877715a9e7c44cb9053857488d80dfe60eddf
SHA25684026dc80fae91ca55d93814fcdcd34861670a15e9fad92a8656318aa6caa483
SHA5127f74d1113d588e9ad557bd70cf1f8d5ea5546598e4c25b2ffdee5819791f8b81d3d5f046064ed127412f1b1641ba190ae34187241ae77767d3a94342a8a02ee4
-
Filesize
153KB
MD5ecbc19c2eb3da66c6fa30a915cb62e35
SHA1b9a415c2bbae73a42a885a5fdb58d17280e0a058
SHA2567ee4d2137a9336aa6d137f3a7cc4f94ce0fbf2facac01901e57fc3fd94c36239
SHA512603715f6409211c6d1f7e73f6ff0893fb22185dce2a990c47e9d450626bc15ee1dd26b820dedbe6b7bc1b6bffb358cfb9c55e54882cfceae254edad3d43fbaa7
-
Filesize
84KB
MD5f22359af37a8dda48f2bb8d26a6d52cd
SHA1a97e8178b7be2e6f940fa6b6335c21adb2502bdd
SHA256ccf0a175142f15985082e3e7bc846010668d3980ecb2a0cffaacc651f51b46e6
SHA512e2b72d5b98961329d123e5570afc4ffe7ba7b1db7cb3a840ee0a9eb703a2b6ac98055bc215df99d00aeb08441a1a907fb7041638fd736be255040a4e0fd38839
-
Filesize
84KB
MD5f22359af37a8dda48f2bb8d26a6d52cd
SHA1a97e8178b7be2e6f940fa6b6335c21adb2502bdd
SHA256ccf0a175142f15985082e3e7bc846010668d3980ecb2a0cffaacc651f51b46e6
SHA512e2b72d5b98961329d123e5570afc4ffe7ba7b1db7cb3a840ee0a9eb703a2b6ac98055bc215df99d00aeb08441a1a907fb7041638fd736be255040a4e0fd38839
-
Filesize
281KB
MD56e25e03bc7ae8f808ebc6010c8d2954e
SHA1f1f7f1cb7519ef64faaa1f96d0abe428640936a5
SHA25633bddefa8769fc3fd4dab20118b627c775c7f8f9d24ded3f31925afa33da7268
SHA51230022f795454f02b2872bbf20afb8b4a609a2a9aab1d1f42472b692aca132c9857b3c5eb6f0ea0a848d83d7cfe75e1e349d82284be00a551e3a4503b181b5884
-
Filesize
171KB
MD5480ed917d4711aa9e3feb9ef3c1c468f
SHA1fa71b59f35f0ee44d27f74917ef5a0da2797e80b
SHA256482ffc4f87b78c3c7073983cf65b593d9f13f0a3d6dc54b4a3f616f79838f3ce
SHA512b705cc06b1bb3d31354e2071e83eb5f034d219c984438768870c08f42acff82e335e19ccea0bcc2ad5c586f1c6183c439707ce9314ab11aa438c66a245ab2f64