Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
12-10-2023 10:35
General
-
Target
Kerio-Vpnlike-32Bit.exe
-
Size
9.6MB
-
MD5
7f4f3492feef2acde222975aa6006f99
-
SHA1
24e4bc0d49b3b89b4910778d6642052e80ca32ec
-
SHA256
5a1dc565eea53fe57433dd5e76e093ab20e67cccd0d9fc2ba7a71d2a8f896bb9
-
SHA512
3e98da1f0654a916dee493c9aacdb293f562f7a7adc18b07662fb4267cb2deb953d9abde608cc9041bf9bd062fd330cc116f0e1910fc298e932bbf71b82b3621
-
SSDEEP
196608:Mlq+1NKOV3HbOVYt3wHpe0t/jev/cXeEzi7DQPjJf9s:Y7Hd3UeM7e8XeM8UPNfi
Malware Config
Signatures
-
Blocklisted process makes network request 4 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 9 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Registers COM server for autorun 1 TTPs 50 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kerio-Vpnlike-32Bit.exe"C:\Users\Admin\AppData\Local\Temp\Kerio-Vpnlike-32Bit.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\MSIEXEC.EXEMSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\{ABDF551A-3A76-4EE8-834D-7B3B52CE6B99}\kerio-control-vpnclient-9.2.2-2172-win32.msi" /Lmaeip "C:\Users\Admin\AppData\Local\Temp\kerio-kvc.setup.log" TRANSFORMS="C:\Users\Admin\AppData\Local\Temp\{ABDF551A-3A76-4EE8-834D-7B3B52CE6B99}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Kerio-Vpnlike-32Bit.exe"2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MSI1B3.tmp"C:\Users\Admin\AppData\Local\Temp\MSI1B3.tmp"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\vbscript.dll /s4⤵
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\dispex.dll /s4⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\scrobj.dll /s4⤵
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\scrrun.dll /s4⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\wshext.dll /s4⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\wshom.ocx /s4⤵
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\jscript.dll /s4⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\vbscript.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\dispex.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\scrobj.dll /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\scrrun.dll /s4⤵
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\wshext.dll /s4⤵
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\wshom.ocx /s4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\jscript.dll /s4⤵
- Modifies registry class
-
C:\Windows\SysWOW64\msiexec.exe"msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\{42132246-13E8-4264-86AB-38F4465A8FE4}\ScriptRegistrator.msi /qn3⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C243AEB29E19F2BC88ED3AC97425DE17 C2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\vbscript.dll2⤵
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\jscript.dll2⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\dispex.dll2⤵
- Registers COM server for autorun
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\scrobj.dll2⤵
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\scrrun.dll2⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\wshext.dll2⤵
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\system32\regsvr32.exe"regsvr32.exe" /s C:\Windows\\system32\wshom.ocx2⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ce2e4dd15ffdd64337b0b77058bab6a8
SHA1bbd948a2ec5d989e3c1af51118fdd9e714ed3021
SHA25627fd57000f033455e123f2a3d57f371acac9bd603e711feccbb01b455f807a83
SHA512914012c4468402582bf994d092e89fb449f500dfef9eed55804974a7176705577e42467d410c22fe3c7fff0f393a1eb2ddcc320cd8703665660b150211c1f90b
-
Filesize
67KB
MD5c57cd3678f1474e48022fedeba9d79b5
SHA12be5a313631900ce304964c007e0f51fc61899fb
SHA2560e0d27421281af176a5bd2d45fce129536af43b14df521d476288749d29a526f
SHA51267a422e3cec7fd4211165dd8a05e2191ae015a7580a934e7bb9d360de1d28d7196126beea15fdf54456bce18768f1cd7875908990e46028eb23b25e2efc2abd9
-
Filesize
67KB
MD5c57cd3678f1474e48022fedeba9d79b5
SHA12be5a313631900ce304964c007e0f51fc61899fb
SHA2560e0d27421281af176a5bd2d45fce129536af43b14df521d476288749d29a526f
SHA51267a422e3cec7fd4211165dd8a05e2191ae015a7580a934e7bb9d360de1d28d7196126beea15fdf54456bce18768f1cd7875908990e46028eb23b25e2efc2abd9
-
Filesize
51KB
MD5ef391367a7595d71e238a8a50cacc0dd
SHA195d877715a9e7c44cb9053857488d80dfe60eddf
SHA25684026dc80fae91ca55d93814fcdcd34861670a15e9fad92a8656318aa6caa483
SHA5127f74d1113d588e9ad557bd70cf1f8d5ea5546598e4c25b2ffdee5819791f8b81d3d5f046064ed127412f1b1641ba190ae34187241ae77767d3a94342a8a02ee4
-
Filesize
51KB
MD5ef391367a7595d71e238a8a50cacc0dd
SHA195d877715a9e7c44cb9053857488d80dfe60eddf
SHA25684026dc80fae91ca55d93814fcdcd34861670a15e9fad92a8656318aa6caa483
SHA5127f74d1113d588e9ad557bd70cf1f8d5ea5546598e4c25b2ffdee5819791f8b81d3d5f046064ed127412f1b1641ba190ae34187241ae77767d3a94342a8a02ee4
-
Filesize
153KB
MD5ecbc19c2eb3da66c6fa30a915cb62e35
SHA1b9a415c2bbae73a42a885a5fdb58d17280e0a058
SHA2567ee4d2137a9336aa6d137f3a7cc4f94ce0fbf2facac01901e57fc3fd94c36239
SHA512603715f6409211c6d1f7e73f6ff0893fb22185dce2a990c47e9d450626bc15ee1dd26b820dedbe6b7bc1b6bffb358cfb9c55e54882cfceae254edad3d43fbaa7
-
Filesize
153KB
MD5ecbc19c2eb3da66c6fa30a915cb62e35
SHA1b9a415c2bbae73a42a885a5fdb58d17280e0a058
SHA2567ee4d2137a9336aa6d137f3a7cc4f94ce0fbf2facac01901e57fc3fd94c36239
SHA512603715f6409211c6d1f7e73f6ff0893fb22185dce2a990c47e9d450626bc15ee1dd26b820dedbe6b7bc1b6bffb358cfb9c55e54882cfceae254edad3d43fbaa7
-
Filesize
84KB
MD5f22359af37a8dda48f2bb8d26a6d52cd
SHA1a97e8178b7be2e6f940fa6b6335c21adb2502bdd
SHA256ccf0a175142f15985082e3e7bc846010668d3980ecb2a0cffaacc651f51b46e6
SHA512e2b72d5b98961329d123e5570afc4ffe7ba7b1db7cb3a840ee0a9eb703a2b6ac98055bc215df99d00aeb08441a1a907fb7041638fd736be255040a4e0fd38839
-
Filesize
84KB
MD5f22359af37a8dda48f2bb8d26a6d52cd
SHA1a97e8178b7be2e6f940fa6b6335c21adb2502bdd
SHA256ccf0a175142f15985082e3e7bc846010668d3980ecb2a0cffaacc651f51b46e6
SHA512e2b72d5b98961329d123e5570afc4ffe7ba7b1db7cb3a840ee0a9eb703a2b6ac98055bc215df99d00aeb08441a1a907fb7041638fd736be255040a4e0fd38839
-
Filesize
84KB
MD5f22359af37a8dda48f2bb8d26a6d52cd
SHA1a97e8178b7be2e6f940fa6b6335c21adb2502bdd
SHA256ccf0a175142f15985082e3e7bc846010668d3980ecb2a0cffaacc651f51b46e6
SHA512e2b72d5b98961329d123e5570afc4ffe7ba7b1db7cb3a840ee0a9eb703a2b6ac98055bc215df99d00aeb08441a1a907fb7041638fd736be255040a4e0fd38839
-
Filesize
84KB
MD5f22359af37a8dda48f2bb8d26a6d52cd
SHA1a97e8178b7be2e6f940fa6b6335c21adb2502bdd
SHA256ccf0a175142f15985082e3e7bc846010668d3980ecb2a0cffaacc651f51b46e6
SHA512e2b72d5b98961329d123e5570afc4ffe7ba7b1db7cb3a840ee0a9eb703a2b6ac98055bc215df99d00aeb08441a1a907fb7041638fd736be255040a4e0fd38839
-
Filesize
281KB
MD56e25e03bc7ae8f808ebc6010c8d2954e
SHA1f1f7f1cb7519ef64faaa1f96d0abe428640936a5
SHA25633bddefa8769fc3fd4dab20118b627c775c7f8f9d24ded3f31925afa33da7268
SHA51230022f795454f02b2872bbf20afb8b4a609a2a9aab1d1f42472b692aca132c9857b3c5eb6f0ea0a848d83d7cfe75e1e349d82284be00a551e3a4503b181b5884
-
Filesize
281KB
MD56e25e03bc7ae8f808ebc6010c8d2954e
SHA1f1f7f1cb7519ef64faaa1f96d0abe428640936a5
SHA25633bddefa8769fc3fd4dab20118b627c775c7f8f9d24ded3f31925afa33da7268
SHA51230022f795454f02b2872bbf20afb8b4a609a2a9aab1d1f42472b692aca132c9857b3c5eb6f0ea0a848d83d7cfe75e1e349d82284be00a551e3a4503b181b5884
-
Filesize
171KB
MD5480ed917d4711aa9e3feb9ef3c1c468f
SHA1fa71b59f35f0ee44d27f74917ef5a0da2797e80b
SHA256482ffc4f87b78c3c7073983cf65b593d9f13f0a3d6dc54b4a3f616f79838f3ce
SHA512b705cc06b1bb3d31354e2071e83eb5f034d219c984438768870c08f42acff82e335e19ccea0bcc2ad5c586f1c6183c439707ce9314ab11aa438c66a245ab2f64
-
Filesize
171KB
MD5480ed917d4711aa9e3feb9ef3c1c468f
SHA1fa71b59f35f0ee44d27f74917ef5a0da2797e80b
SHA256482ffc4f87b78c3c7073983cf65b593d9f13f0a3d6dc54b4a3f616f79838f3ce
SHA512b705cc06b1bb3d31354e2071e83eb5f034d219c984438768870c08f42acff82e335e19ccea0bcc2ad5c586f1c6183c439707ce9314ab11aa438c66a245ab2f64
-
Filesize
301KB
MD50b2c849eb78e28b94cc62dd0773f8b7f
SHA1d8508a88fa1b04b1c3e8ab5d0bb078cbbb3d2d7e
SHA2560267473d1f2aa56ff9973745d17fcc43d2646ad03b86edbffc57ed900bf0c374
SHA512e145313e3d2a60db130931d07f90b87a63e64777cf6ec08d65e6c70b4aa6c70499783404b49db0001dce69ccfa982340deefd2de4c73ca35ebad2d8a6f8b280b
-
Filesize
21KB
MD58586214463bd73e1c2716113e5bd3e13
SHA1f02e3a76fd177964a846d4aa0a23f738178db2be
SHA256089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
SHA512309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b
-
Filesize
28KB
MD51bd92aa0c14dc2f6f959d1046bd7fd6f
SHA1b2b21a7108726c26791b8b0fbe569ea0b3893622
SHA2560392fc540a1f2cfbec36c1460466ef435c8f82c4b161ad04f9710cd3e8206fee
SHA51224aa9e1cc3e75a4cf21b1f67063d171ce2521dc4cf3d6bfc9cde89c062719111051742c0b9407e9162f2d8a5d175e7566b57e2caa5ca8aeb8beabbbb5bf7a792
-
Filesize
9.6MB
MD56febb0f20ae146d1c36253421f6e8d31
SHA143a4e9143a1c0594b4883ba78fd9daabe0ec3be2
SHA256d5c0a5e45d2cd3c68d1f74cd77c9eea88404f11eb2a1b8bbc83c065274bf0145
SHA512ee7029043ae96867635e5a5360ee439930e5490bc5b313d6fc48c506fa14306a6fed82399179281e3909b1190980cdb70afd5bcb32c0972e81fa24bf65e0c537
-
Filesize
5KB
MD514feb5199b4d7245804273422e8e73f5
SHA14f6f236aee0ead97659ac156ac29f0bafcdc51e9
SHA2560795d9e731a218b3a67a5cd7efafc8e2473fdee0984dca9fc2602beb2dcb5672
SHA51291dea0adbaa1f40745211356482bbf405f3b875db990d76b8ef778c70e31e73b1c4900029c7f4ab5930baddaf9c8af544fe917be4acb7c1177c492e4df7fbaf0