02a2392e3fc3dd97161c798dc28c5b1e97c862fadf5a3c9cdc6212678d156ed4

General

Target

VitalInstaller.exe
Size

23.8MB
MD5

4fafa10339b7647020ad883d3aa4a98d
SHA1

af4a20d54a304542654dfd0f90511d26b910ebf9
SHA256

02a2392e3fc3dd97161c798dc28c5b1e97c862fadf5a3c9cdc6212678d156ed4
SHA512

7953db49c9b6f9474a0a0efb878507a25e9121ec626e766721ec7bfb068e0181f7ef5b1cb9db8a92218197f7563b0be9175c16d869c33c3420f40c2ea6e4a96b
SSDEEP

393216:eSi33I1feDrtzookjbFdXK1MA/8SNO+A5qwStVW7EyFnT/Lm73az2okYEdG:eST1W5zook//Wt/8x/5qjq7EylwKzvkk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2568	VitalInstaller.tmp

Loads dropped DLL 3 IoCs

pid	Process
1940	VitalInstaller.exe
2568	VitalInstaller.tmp
2568	VitalInstaller.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Steinberg\VstPlugins\Vital.dll	VitalInstaller.tmp
File opened for modification	C:\Program Files\Vital\stub\vc_redist.x64.exe	VitalInstaller.tmp
File opened for modification	C:\Program Files\Vital\Vital.exe	VitalInstaller.tmp
File created	C:\Program Files\Vital\unins000.dat	VitalInstaller.tmp
File created	C:\Program Files\Common Files\VST3\is-H2JUO.tmp	VitalInstaller.tmp
File created	C:\Program Files\Vital\is-9G2TB.tmp	VitalInstaller.tmp
File created	C:\Program Files\Vital\unins000.msg	VitalInstaller.tmp
File created	C:\Program Files\Vital\is-96O3T.tmp	VitalInstaller.tmp
File created	C:\Program Files\Vital\is-AELS0.tmp	VitalInstaller.tmp
File created	C:\Program Files\Steinberg\VstPlugins\is-BM0VK.tmp	VitalInstaller.tmp
File created	C:\Program Files\Vital\stub\is-E0R4C.tmp	VitalInstaller.tmp
File opened for modification	C:\Program Files\Vital\unins000.dat	VitalInstaller.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vital\ = "Vital"	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\ = "Program Vital"	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\DefaultIcon	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\DefaultIcon\ = "C:\\Program Files\\Vital\\vital_icon.ico,0"	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell\open\command\ = "\"C:\\Program Files\\Vital\\Vital.exe\" \"%1\""	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vital	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell\open\command	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell\open	VitalInstaller.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2568	VitalInstaller.tmp
2568	VitalInstaller.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	VitalInstaller.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2568	VitalInstaller.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2568	1940	VitalInstaller.exe	28
PID 1940 wrote to memory of 2568	1940	VitalInstaller.exe	28
PID 1940 wrote to memory of 2568	1940	VitalInstaller.exe	28
PID 1940 wrote to memory of 2568	1940	VitalInstaller.exe	28
PID 1940 wrote to memory of 2568	1940	VitalInstaller.exe	28
PID 1940 wrote to memory of 2568	1940	VitalInstaller.exe	28
PID 1940 wrote to memory of 2568	1940	VitalInstaller.exe	28

C:\Users\Admin\AppData\Local\Temp\VitalInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\VitalInstaller.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\is-76KER.tmp\VitalInstaller.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-76KER.tmp\VitalInstaller.tmp" /SL5="$8001A,24009235,1039360,C:\Users\Admin\AppData\Local\Temp\VitalInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Vital\unins000.exe

Filesize
2.7MB

MD5
9e0e3450b7d24aeae2ecba43a386fd71

SHA1
0c64c2421dd9468095feaf9d18d396586562ca2d

SHA256
a83a3da7c1a06d9a3177af6ee7b5405b1d16d46fc8e6c4dde90d3fccafe5abef

SHA512
fe2f84ece40f27e42abcce2bfdf48ace6eae9008978e013c2da3fac0da6eb8ee851a4fe6aac184ad5496b7dd21680535fb83a884941a0bfe566e17438ae3b0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76KER.tmp\VitalInstaller.tmp

Filesize
2.7MB

MD5
9e0e3450b7d24aeae2ecba43a386fd71

SHA1
0c64c2421dd9468095feaf9d18d396586562ca2d

SHA256
a83a3da7c1a06d9a3177af6ee7b5405b1d16d46fc8e6c4dde90d3fccafe5abef

SHA512
fe2f84ece40f27e42abcce2bfdf48ace6eae9008978e013c2da3fac0da6eb8ee851a4fe6aac184ad5496b7dd21680535fb83a884941a0bfe566e17438ae3b0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-76KER.tmp\VitalInstaller.tmp

Filesize
2.7MB

MD5
9e0e3450b7d24aeae2ecba43a386fd71

SHA1
0c64c2421dd9468095feaf9d18d396586562ca2d

SHA256
a83a3da7c1a06d9a3177af6ee7b5405b1d16d46fc8e6c4dde90d3fccafe5abef

SHA512
fe2f84ece40f27e42abcce2bfdf48ace6eae9008978e013c2da3fac0da6eb8ee851a4fe6aac184ad5496b7dd21680535fb83a884941a0bfe566e17438ae3b0f0

Download Submit
\Program Files\Vital\Vital.exe

Filesize
11.4MB

MD5
cdb76b1c00aab0aee035a948efe72c78

SHA1
2a610785a0d65d7dac8194a19cb396d5dfcff58d

SHA256
df9a5d95e1c88e2210ff3b07fe1d5f40a9f3a3d4a36ee689979ecd0fcfb14284

SHA512
707ae6e8ac42bf3821d24152fe7e0b8206093ce60fbb35950c146740aedf7f2cd73df423e8f066d95fdc58312d14c0d5e1af388c7fc16054ab8b172a4c8758fb

Download Submit
\Program Files\Vital\unins000.exe

Filesize
2.7MB

MD5
9e0e3450b7d24aeae2ecba43a386fd71

SHA1
0c64c2421dd9468095feaf9d18d396586562ca2d

SHA256
a83a3da7c1a06d9a3177af6ee7b5405b1d16d46fc8e6c4dde90d3fccafe5abef

SHA512
fe2f84ece40f27e42abcce2bfdf48ace6eae9008978e013c2da3fac0da6eb8ee851a4fe6aac184ad5496b7dd21680535fb83a884941a0bfe566e17438ae3b0f0

Download Submit
\Users\Admin\AppData\Local\Temp\is-76KER.tmp\VitalInstaller.tmp

Filesize
2.7MB

MD5
9e0e3450b7d24aeae2ecba43a386fd71

SHA1
0c64c2421dd9468095feaf9d18d396586562ca2d

SHA256
a83a3da7c1a06d9a3177af6ee7b5405b1d16d46fc8e6c4dde90d3fccafe5abef

SHA512
fe2f84ece40f27e42abcce2bfdf48ace6eae9008978e013c2da3fac0da6eb8ee851a4fe6aac184ad5496b7dd21680535fb83a884941a0bfe566e17438ae3b0f0

Download Submit
memory/1940-1-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1940-13-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2568-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2568-14-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/2568-36-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/2568-37-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing