Analysis

  • max time kernel
    150s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2023 04:12

General

  • Target

    VIPAccessSetup.exe

  • Size

    15.2MB

  • MD5

    4c9eefdf645daec351e2dcc24f23ce11

  • SHA1

    5b448eebcabc9208df32ef4ba7794a7c5e3e6b5e

  • SHA256

    74bf074b7cadce06a8633ec33a91a19ff31dcf2e48cad17b71fe44795f355b60

  • SHA512

    08fb706095ef2f29fbd1deff303608194a88c214f9f04b678dd4200c10cfee74f138827fc9f0e14a8208ac955409de80c2e58821d92ab4c57334a5808b4b63b1

  • SSDEEP

    393216:Qk9ENNSNeklpkbUvwhg1y3QSJg+NXcBNaWEaVZu:b9kSNnQbICOy3QSJLtrUO

Score
6/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VIPAccessSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\VIPAccessSetup.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\VIPSetup.msi" TRANSFORMS=1033.mst /lv "C:\Users\Admin\AppData\Local\Temp\VIPSetup.log"
        3⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2424
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\1033.mst

    Filesize

    20KB

    MD5

    738b1c1da7f4c322c16bf9af507c4261

    SHA1

    98c2db1fe49b1da583d413fef5046d9b0b2f1cb3

    SHA256

    6cd35d4186e066775b2b99d9be49d8ac8e1eda66325871a61ecc42c28f62236c

    SHA512

    6caac39ac635991208f37e577cbdcf4157407f0d3e73ad35a9049498e2ebd6bf980f2e3fa90da41df03b8ccac7ef51b6d6bb1dbc8a8f3f48cbfa5782de7bc147

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\1040.mst

    Filesize

    108KB

    MD5

    8b1f7d2e166df7c5a594889b58405ed4

    SHA1

    14d32e5c1abce3f56a2183a84c88dc494b3539bd

    SHA256

    d956cd3de13084fa15c12f477740184ad12360d1f4d45c56540da70c6a90c996

    SHA512

    13ab59fa0dfe6046ca4accf17dec23b4cdce26cd35c64ee6d1228f5469dfb96a3861ee6e74ec27209dc30abc52e133c76ea117cab75d39f6f499e9cef3b7e1eb

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VIPAccess_Installer\VIPSetup.msi

    Filesize

    3.5MB

    MD5

    5b3a137a191bd1aa572712b76518f04a

    SHA1

    d62897038a98d44ca2500b8831404ac1f0ab94c1

    SHA256

    4d5a93d3180384802e73ec56d693b695dfbdb16e0b764bb380bd33b788bead3f

    SHA512

    67826df3c57cea677a1911f7c0bc7eb721262142245ee70aa6ca5dcff0be0564799e83e11999c0549d21824dd35f273fc6c526486d4acbd577f3339076266421

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\install.exe

    Filesize

    502KB

    MD5

    0c1d13aed68a7cccab3fe21c15ba0152

    SHA1

    33384dac20bf94aff6507b0d32a33c1fd4103e3b

    SHA256

    8a269d55860f8b71dc0eaa2958b133e9fda9277d73f29e3bbbfc29e4fe8435a5

    SHA512

    bc10071360320ebb816cd32ac1af811f4c05cdedecad1b4e495c56c23a0b7c93c1e9af8e1127c3e652a0333cc833d23cf6a6e1c146f8a4f2a23007219539ea91