Overview

overview

8

Static

static

1

VIPAccessSetup.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    53s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2023 17:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VIPAccessSetup.exe

  • Size

    15.2MB

  • MD5

    4c9eefdf645daec351e2dcc24f23ce11

  • SHA1

    5b448eebcabc9208df32ef4ba7794a7c5e3e6b5e

  • SHA256

    74bf074b7cadce06a8633ec33a91a19ff31dcf2e48cad17b71fe44795f355b60

  • SHA512

    08fb706095ef2f29fbd1deff303608194a88c214f9f04b678dd4200c10cfee74f138827fc9f0e14a8208ac955409de80c2e58821d92ab4c57334a5808b4b63b1

  • SSDEEP

    393216:Qk9ENNSNeklpkbUvwhg1y3QSJg+NXcBNaWEaVZu:b9kSNnQbICOy3QSJLtrUO

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 18 IoCs
  • Executes dropped EXE 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 25 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VIPAccessSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\VIPAccessSetup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\VIPSetup.msi" TRANSFORMS=1033.mst /lv "C:\Users\Admin\AppData\Local\Temp\VIPSetup.log"
        3⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1460
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F59C4C823A3658E29D9E321A47D2582A
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /C sc config VIPAppService start= delayed-auto
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4940
        • C:\Windows\SysWOW64\sc.exe
          sc config VIPAppService start= delayed-auto
          4⤵
          • Launches sc.exe
          PID:4788
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe" /C sc start VIPAppService
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Windows\SysWOW64\sc.exe
          sc start VIPAppService
          4⤵
          • Launches sc.exe
          PID:860
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9496C84131F76D30E78F3CA46103C4CE C
      2⤵
        PID:1148
    • C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
      "C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe"
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:408

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57ab46.rbs
      Filesize

      24KB

      MD5

      37e150e03fee61295bfc78b8d20bb709

      SHA1

      4924a678fbfcf7d72ccbc8a96bd36bd054aeaca3

      SHA256

      0ad5206de939bbce67791f73c7b883c65f07897f762b86f66843cb563521d5b5

      SHA512

      8e0b0e8d2252a5f704b7e7bf48482043608d8770608cbf70ea5a534ef6876f6426f1bb9ee6b457889add66bb81d537e299b6d2e5725750a3a1db52d6e278be02

      Download Submit

    • C:\Program Files (x86)\Symantec\VIP Access Client\LiveUpdateUI.exe
      Filesize

      465KB

      MD5

      d1a41e1853a193bfe33f9c2d0d21cd9f

      SHA1

      5062e4d8ad5ea5c4dd8e29c2ce93e32dbae350e3

      SHA256

      23d47a5d6162a4d241b6bea3c22cc194491f5e09c13cb95402d826e294bff275

      SHA512

      2b04a634f984c31326429bfda725321026a42eeafd7f4c5d204840f7f968c776b797cfb1c613fa43ea72c5ae9fb57f0aa6679564899dc6f07a27c00f3f35da8f

      Download Submit

    • C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
      Filesize

      73KB

      MD5

      e82412b9cfc6fd5d5108a6bccf3362f5

      SHA1

      1bb9f3a233cacf1727b98d17efeee2b2b97eb2d8

      SHA256

      c436b2380a521b6841716382dfb1bf2bd0fdc413c24ce20511e4bc791514afa1

      SHA512

      6a185594254d332f2d401357952eb3ab8a4a06b7a10a7d45cbe544786a42da12f31d8b8fb995ca6278774c517939604a29fa5253391c219f9122eb3aec4a73fd

      Download Submit

    • C:\Program Files (x86)\Symantec\VIP Access Client\VIPAppService.exe
      Filesize

      73KB

      MD5

      e82412b9cfc6fd5d5108a6bccf3362f5

      SHA1

      1bb9f3a233cacf1727b98d17efeee2b2b97eb2d8

      SHA256

      c436b2380a521b6841716382dfb1bf2bd0fdc413c24ce20511e4bc791514afa1

      SHA512

      6a185594254d332f2d401357952eb3ab8a4a06b7a10a7d45cbe544786a42da12f31d8b8fb995ca6278774c517939604a29fa5253391c219f9122eb3aec4a73fd

      Download Submit

    • C:\Program Files (x86)\Symantec\VIP Access Client\VIPUIManager.exe
      Filesize

      1.5MB

      MD5

      5d4c06bdc1ec28ef79e7f9bddb8ec0e0

      SHA1

      a695e12caa3b80bfe3e9788fe0af0dc7c50596b4

      SHA256

      5e5049341084106e8014e45b7adb0d2e316e44e73a2d2499d21b9c08d495970c

      SHA512

      8b565391bd47ddd8d2f999060a1f46b87036d3892b2403561633219d2883caf83e360d49edbfe4835ed807f8e60ec59b8a123a6793c496d66d2863daeae4cff0

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
      Filesize

      1KB

      MD5

      b8f9ca9f51ae4b98a24a1d04eb3ec69a

      SHA1

      a96f9799dcb5a56cf3c7f42c20ec7f3c8c75f275

      SHA256

      01c15a95fdeb9360dfc3efe5f0e16574e96c843a53497ce10dec8d5d3bcfaf31

      SHA512

      6aba3f4312bf77ca62389f67c2e155cd74f8d18cb69eab82d869f223267b80106214b258cf29bfd6276568a81579bc469a3fb15c682d9bcce3b29086f796bc43

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_62F070800935B58FA184DB97FCB304B2
      Filesize

      1KB

      MD5

      6d837857c1a7c0db422b9d539ed02886

      SHA1

      71e96b78eed4aa0b8fe81594e1170e0227605f49

      SHA256

      4670cacb73f1fa6bf08dc6d2ce4740ee2ab37fed2dd8525da6b81854f66d83f4

      SHA512

      474b2162d1330d5bb0cfc6f95f9e9c88ee26b15bc6965325dc8be81e36c1cebb42d11f21c225088599ee8e04fde5c7b5edb29b792139bf07353cbde6ae3c7a3c

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
      Filesize

      398B

      MD5

      a7e79df3236064d0509f0d5c84d02c48

      SHA1

      af0066d40a718fcfd3038e7fbd901a529e5c6074

      SHA256

      c05452181f5fd18f258281eb21a4f638fbfde56d3d25897b5842b16040db0120

      SHA512

      5a5d37e2c3b7ce2c3d6e9404cb61c37f7dae901858989e007d3b4956937c3d54f7a38f77d7d81c2f9706d73322ca4f6abab23ca815ebd37b136d2253a0e14f6b

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_62F070800935B58FA184DB97FCB304B2
      Filesize

      406B

      MD5

      2c9f34cf24211127614eb4aac69ce35c

      SHA1

      6299bae2454c9fbb5a233b47e7436db5bd8b8d37

      SHA256

      297e3fc4d4b082f4282a212ef07dc13710bfd5a7d5d7cac8d562bd195d2ba717

      SHA512

      3ea66b382a2e4cd120bdfab165d7502e6cc709b6b9f5ec9b55444b5879258ea6526a1c8571f269225e2d5cccb2d281a79c9af04930f48a07a1ab96b1c841a1b2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\1033.mst
      Filesize

      20KB

      MD5

      738b1c1da7f4c322c16bf9af507c4261

      SHA1

      98c2db1fe49b1da583d413fef5046d9b0b2f1cb3

      SHA256

      6cd35d4186e066775b2b99d9be49d8ac8e1eda66325871a61ecc42c28f62236c

      SHA512

      6caac39ac635991208f37e577cbdcf4157407f0d3e73ad35a9049498e2ebd6bf980f2e3fa90da41df03b8ccac7ef51b6d6bb1dbc8a8f3f48cbfa5782de7bc147

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\1040.mst
      Filesize

      108KB

      MD5

      8b1f7d2e166df7c5a594889b58405ed4

      SHA1

      14d32e5c1abce3f56a2183a84c88dc494b3539bd

      SHA256

      d956cd3de13084fa15c12f477740184ad12360d1f4d45c56540da70c6a90c996

      SHA512

      13ab59fa0dfe6046ca4accf17dec23b4cdce26cd35c64ee6d1228f5469dfb96a3861ee6e74ec27209dc30abc52e133c76ea117cab75d39f6f499e9cef3b7e1eb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\1041.mst
      Filesize

      100KB

      MD5

      705e326105e752f12aa9723f77a608e0

      SHA1

      a602793dbbf026e2051ddab43de02b47f6489d2c

      SHA256

      c8566623c4908a2fa166680c86cd6897ab2f713b5a14c91a88880a3bc526fcf6

      SHA512

      4870b2ad5d78675917b4d7006304424829f58152e968160574427b4cc76f58a24c91f480d6294fb53bf95483654e2dfe90b5197c249875297f3103dbc451c06a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\VIPSetup.msi
      Filesize

      3.5MB

      MD5

      5b3a137a191bd1aa572712b76518f04a

      SHA1

      d62897038a98d44ca2500b8831404ac1f0ab94c1

      SHA256

      4d5a93d3180384802e73ec56d693b695dfbdb16e0b764bb380bd33b788bead3f

      SHA512

      67826df3c57cea677a1911f7c0bc7eb721262142245ee70aa6ca5dcff0be0564799e83e11999c0549d21824dd35f273fc6c526486d4acbd577f3339076266421

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
      Filesize

      502KB

      MD5

      0c1d13aed68a7cccab3fe21c15ba0152

      SHA1

      33384dac20bf94aff6507b0d32a33c1fd4103e3b

      SHA256

      8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5

      SHA512

      bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
      Filesize

      502KB

      MD5

      0c1d13aed68a7cccab3fe21c15ba0152

      SHA1

      33384dac20bf94aff6507b0d32a33c1fd4103e3b

      SHA256

      8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5

      SHA512

      bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
      Filesize

      502KB

      MD5

      0c1d13aed68a7cccab3fe21c15ba0152

      SHA1

      33384dac20bf94aff6507b0d32a33c1fd4103e3b

      SHA256

      8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5

      SHA512

      bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\VIPSetup.log
      Filesize

      77KB

      MD5

      10d9d66a59d0d983c8e15c5e3a2cd5a7

      SHA1

      4b081fee1ca0c940444b057ef2e7011d4dc809ea

      SHA256

      9f03e2d721ec91c66bdd834d403028d7d6f412421c33fc4d66ad46f8bb40019d

      SHA512

      704b105fba4faa2b8c9ea23e55a39b269bf33031be225a24f40f191c1f8feca5e116f302b9b48c58a14af99bee491952f6128d3448bf78ee9e9f0d9948bc609e

      Download Submit

    • C:\Windows\Installer\e57ab44.msi
      Filesize

      3.5MB

      MD5

      5b3a137a191bd1aa572712b76518f04a

      SHA1

      d62897038a98d44ca2500b8831404ac1f0ab94c1

      SHA256

      4d5a93d3180384802e73ec56d693b695dfbdb16e0b764bb380bd33b788bead3f

      SHA512

      67826df3c57cea677a1911f7c0bc7eb721262142245ee70aa6ca5dcff0be0564799e83e11999c0549d21824dd35f273fc6c526486d4acbd577f3339076266421

      Download Submit

    • C:\Windows\Installer\{58594A65-ACD7-41A2-B6ED-2597777F2850}\1033.mst
      Filesize

      20KB

      MD5

      738b1c1da7f4c322c16bf9af507c4261

      SHA1

      98c2db1fe49b1da583d413fef5046d9b0b2f1cb3

      SHA256

      6cd35d4186e066775b2b99d9be49d8ac8e1eda66325871a61ecc42c28f62236c

      SHA512

      6caac39ac635991208f37e577cbdcf4157407f0d3e73ad35a9049498e2ebd6bf980f2e3fa90da41df03b8ccac7ef51b6d6bb1dbc8a8f3f48cbfa5782de7bc147

      Download Submit

    • C:\Windows\Installer\{58594A65-ACD7-41A2-B6ED-2597777F2850}\NewShortcut11_68EC464F37144EFB941594C65A7AE1A6.exe
      Filesize

      404KB

      MD5

      9d3892ffe6b611481328e144a723c45e

      SHA1

      823f2a66ef5378072e656b4e81849feccd12f819

      SHA256

      ce785b40091deb867bc158263bd7add159c6e3f004aa43e462625df0c7aa5503

      SHA512

      8d647cb1bbd0066992dc562195b90f54d4c2e1bd7875fa7e34e9c44402c063e0f4f299779321995576f5fd00dcf7c205efa723c689a12cfbfc13105f6e75b346

      Download Submit