Overview

overview

10

Static

static

10

VTOLVR-Mod...ZF.exe

windows7-x64

7

VTOLVR-Mod...ZF.exe

windows10-2004-x64

7

Resubmissions

05-11-2023 22:53

231105-2t5zvaeb2x 10

Analysis

  • max time kernel
    66s
  • max time network
    79s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2023 22:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VTOLVR-ModLoader_H80Z7ZF.exe

  • Size

    166.3MB

  • MD5

    d12d22f45c51d21b1e3ffd2dd3655e83

  • SHA1

    2e3d2c844d6d54c7c4b7dca41986ec9dbfacd067

  • SHA256

    06f916d0e2860c5a0ae4e6256a5cf55be9e425d7a6d3ede529299be71b413b06

  • SHA512

    d26536e4808590fbaa2bcb1bf6be46526b1327f1e700b1f7414a70d0f5b7c3f1e36b7cfb3eb9c393c6ed783c1d04810012375727ca85524d81c603a55ab74118

  • SSDEEP

    1572864:6+8IZ6lU/gm92tuB+chCE9GQs/vvKCk6XDn:pZ6O/gmYYB+ch/9K/3KUj

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VTOLVR-ModLoader_H80Z7ZF.exe
    "C:\Users\Admin\AppData\Local\Temp\VTOLVR-ModLoader_H80Z7ZF.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1288

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\.net\VTOLVR-ModLoader_H80Z7ZF\5PPe80strmtd3fp+1hlMlxzPW1fxIPk=\D3DCompiler_47_cor3.dll
    Filesize

    4.7MB

    MD5

    c4974c924b605bd322c4872d72de90d1

    SHA1

    20df9433eab24d3291696046646f493794b77cba

    SHA256

    71d766b4742ca9f7422bb2efc3dc03f2cee509a5a43d241e748cda7aaac24bf4

    SHA512

    3889648dbb4608ece9c68f1cd5b1601da5b795eade7910764dd4769090cdb209a39acf3986e6e7190745f3bc6b1477a52dfaccb96a7e799eafc0825e2c44a846

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\.net\VTOLVR-ModLoader_H80Z7ZF\5PPe80strmtd3fp+1hlMlxzPW1fxIPk=\PresentationNative_cor3.dll
    Filesize

    1.2MB

    MD5

    8e874bb782193fa45d027254e7d03244

    SHA1

    024ccc78d1d23050164e8cfdf141c921f42e0c74

    SHA256

    f75f98fbbb02dad69bcd8c69ec26eb3705dbd95dad996b58308b50e6c9904246

    SHA512

    3f3b0f93e5600c0671688317ee00d7a88411b80b7c4aa383d274af318782a66665409a528d484409bfe598c309ed54480c86a4d4e109dee5265351d5902d0c56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\.net\VTOLVR-ModLoader_H80Z7ZF\5PPe80strmtd3fp+1hlMlxzPW1fxIPk=\clrjit.dll
    Filesize

    1.2MB

    MD5

    b2eb7b51bd58201cf498e83846e90110

    SHA1

    ca439759b5c5162e626d2b84ab55b93adc552e06

    SHA256

    180557694842854789457a872df849b2130098a9c2bfd70d201f77bec6f9fddb

    SHA512

    1a92064b3417b287246fadd88fea9138dfcc659283e063aab9305e424feac0d1b2c216be5f65ce7a95f0322ab3849478892ae407399aa6029a504c4c8a5884da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\.net\VTOLVR-ModLoader_H80Z7ZF\5PPe80strmtd3fp+1hlMlxzPW1fxIPk=\coreclr.dll
    Filesize

    5.0MB

    MD5

    1c434dc8cb09095640c776385ba69691

    SHA1

    97fe8e25bebfb7d790768175a4625d07f3d4abfd

    SHA256

    3b3558c408c57be332c9595624f6d49413fe0dd43d3d5fa4626041851f77216a

    SHA512

    4bdb7c0e8571422927fbc8eec6d05959915748acce035fef336b32381922a0a54f029f959fb66cb96a89a024c11e2b94ee6948f618dd04d9ae87cc83f3f83ec8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\.net\VTOLVR-ModLoader_H80Z7ZF\5PPe80strmtd3fp+1hlMlxzPW1fxIPk=\vcruntime140_cor3.dll
    Filesize

    95KB

    MD5

    f34eb034aa4a9735218686590cba2e8b

    SHA1

    2bc20acdcb201676b77a66fa7ec6b53fa2644713

    SHA256

    9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

    SHA512

    d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\.net\VTOLVR-ModLoader_H80Z7ZF\5PPe80strmtd3fp+1hlMlxzPW1fxIPk=\wpfgfx_cor3.dll
    Filesize

    1.9MB

    MD5

    0c0be30d77de3f65e1c990b7d99143da

    SHA1

    fd9a4e456f56308d5bed48e7049de64e88a73833

    SHA256

    12a8b75ceecb6c5ce8ce81ad064aaf2bcb09d6338e5e03a7eddc57acd58e2a7d

    SHA512

    9a2a6acad9b21c3f093d4d72289f32ca6ebaee304c9a9e3ec9319558919452c3b2f23ea5e72c06c9af7a2a1ded0ce266e45f4fb9113d2bb3897320fcbdf7ebad

    Download Submit

  • memory/1288-50-0x00000210D1710000-0x00000210D1714000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1288-64-0x00000210F3ED0000-0x00000210F3F16000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1288-28-0x00000644A0060000-0x00000644A00A5000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1288-31-0x00000644A0040000-0x00000644A005C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1288-33-0x00000210D16C0000-0x00000210D16FB000-memory.dmp

    Filesize

    236KB

    Download

  • memory/1288-36-0x0000000080360000-0x0000000080BA1000-memory.dmp

    Filesize

    8.3MB

    Download

  • memory/1288-39-0x0000000180050000-0x00000001800CA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1288-42-0x00000210D1690000-0x00000210D1694000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1288-44-0x00000210D1680000-0x00000210D168C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1288-47-0x00000210D16B0000-0x00000210D16B5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1288-23-0x00000210D1660000-0x00000210D166A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1288-52-0x00000210D1740000-0x00000210D1753000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1288-55-0x00000210D1720000-0x00000210D1726000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1288-58-0x00000210D1790000-0x00000210D17A9000-memory.dmp

    Filesize

    100KB

    Download

  • memory/1288-61-0x00000210D1820000-0x00000210D1886000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1288-25-0x00000210F2160000-0x00000210F22BB000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1288-67-0x00000210D17B0000-0x00000210D17C5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1288-70-0x00000210D17D0000-0x00000210D17E7000-memory.dmp

    Filesize

    92KB

    Download

  • memory/1288-73-0x00000210D16A0000-0x00000210D16B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1288-76-0x00000210D1760000-0x00000210D1764000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1288-20-0x0000000180110000-0x0000000180329000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1288-17-0x00000001805C0000-0x0000000181517000-memory.dmp

    Filesize

    15.3MB

    Download

  • memory/1288-16-0x00007FFBBF840000-0x00007FFBBFD4F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1288-169-0x00000210D18D0000-0x00000210D18E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1288-221-0x00007FFBBF840000-0x00007FFBBFD4F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1288-222-0x00000210D18D0000-0x00000210D18E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1288-223-0x00000210D18D0000-0x00000210D18E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1288-11-0x000006448A000000-0x000006448A8F5000-memory.dmp

    Filesize

    9.0MB

    Download

  • memory/1288-226-0x00007FFBBF840000-0x00007FFBBFD4F000-memory.dmp

    Filesize

    5.1MB

    Download