02a2392e3fc3dd97161c798dc28c5b1e97c862fadf5a3c9cdc6212678d156ed4

General

Target

VitalInstaller.exe
Size

23.8MB
MD5

4fafa10339b7647020ad883d3aa4a98d
SHA1

af4a20d54a304542654dfd0f90511d26b910ebf9
SHA256

02a2392e3fc3dd97161c798dc28c5b1e97c862fadf5a3c9cdc6212678d156ed4
SHA512

7953db49c9b6f9474a0a0efb878507a25e9121ec626e766721ec7bfb068e0181f7ef5b1cb9db8a92218197f7563b0be9175c16d869c33c3420f40c2ea6e4a96b
SSDEEP

393216:eSi33I1feDrtzookjbFdXK1MA/8SNO+A5qwStVW7EyFnT/Lm73az2okYEdG:eST1W5zook//Wt/8x/5qjq7EylwKzvkk

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
768	VitalInstaller.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Steinberg\VstPlugins\Vital.dll	VitalInstaller.tmp
File opened for modification	C:\Program Files\Vital\stub\vc_redist.x64.exe	VitalInstaller.tmp
File created	C:\Program Files\Vital\is-39C4K.tmp	VitalInstaller.tmp
File created	C:\Program Files\Common Files\VST3\is-O0NIB.tmp	VitalInstaller.tmp
File created	C:\Program Files\Steinberg\VstPlugins\is-908C3.tmp	VitalInstaller.tmp
File created	C:\Program Files\Vital\stub\is-DGQN3.tmp	VitalInstaller.tmp
File created	C:\Program Files\Vital\is-UKM1D.tmp	VitalInstaller.tmp
File opened for modification	C:\Program Files\Vital\Vital.exe	VitalInstaller.tmp
File opened for modification	C:\Program Files\Vital\unins000.dat	VitalInstaller.tmp
File created	C:\Program Files\Vital\is-NCAFH.tmp	VitalInstaller.tmp
File created	C:\Program Files\Vital\unins000.msg	VitalInstaller.tmp
File created	C:\Program Files\Vital\unins000.dat	VitalInstaller.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\DefaultIcon	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell\open\command	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell\open	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\shell\open\command\ = "\"C:\\Program Files\\Vital\\Vital.exe\" \"%1\""	VitalInstaller.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vital	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\ = "Program Vital"	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Vital\DefaultIcon\ = "C:\\Program Files\\Vital\\vital_icon.ico,0"	VitalInstaller.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vital\ = "Vital"	VitalInstaller.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
768	VitalInstaller.tmp
768	VitalInstaller.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
768	VitalInstaller.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 768	660	VitalInstaller.exe	88
PID 660 wrote to memory of 768	660	VitalInstaller.exe	88
PID 660 wrote to memory of 768	660	VitalInstaller.exe	88

C:\Users\Admin\AppData\Local\Temp\VitalInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\VitalInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Local\Temp\is-JD7FI.tmp\VitalInstaller.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JD7FI.tmp\VitalInstaller.tmp" /SL5="$B002C,24009235,1039360,C:\Users\Admin\AppData\Local\Temp\VitalInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Vital\unins000.exe

Filesize
2.7MB

MD5
9e0e3450b7d24aeae2ecba43a386fd71

SHA1
0c64c2421dd9468095feaf9d18d396586562ca2d

SHA256
a83a3da7c1a06d9a3177af6ee7b5405b1d16d46fc8e6c4dde90d3fccafe5abef

SHA512
fe2f84ece40f27e42abcce2bfdf48ace6eae9008978e013c2da3fac0da6eb8ee851a4fe6aac184ad5496b7dd21680535fb83a884941a0bfe566e17438ae3b0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JD7FI.tmp\VitalInstaller.tmp

Filesize
2.7MB

MD5
9e0e3450b7d24aeae2ecba43a386fd71

SHA1
0c64c2421dd9468095feaf9d18d396586562ca2d

SHA256
a83a3da7c1a06d9a3177af6ee7b5405b1d16d46fc8e6c4dde90d3fccafe5abef

SHA512
fe2f84ece40f27e42abcce2bfdf48ace6eae9008978e013c2da3fac0da6eb8ee851a4fe6aac184ad5496b7dd21680535fb83a884941a0bfe566e17438ae3b0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JD7FI.tmp\VitalInstaller.tmp

Filesize
2.7MB

MD5
9e0e3450b7d24aeae2ecba43a386fd71

SHA1
0c64c2421dd9468095feaf9d18d396586562ca2d

SHA256
a83a3da7c1a06d9a3177af6ee7b5405b1d16d46fc8e6c4dde90d3fccafe5abef

SHA512
fe2f84ece40f27e42abcce2bfdf48ace6eae9008978e013c2da3fac0da6eb8ee851a4fe6aac184ad5496b7dd21680535fb83a884941a0bfe566e17438ae3b0f0

Download Submit
memory/660-0-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/660-7-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/660-37-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/768-5-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/768-8-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/768-31-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download
memory/768-32-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/768-36-0x0000000000400000-0x00000000006C1000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing