bdd813da105d01a58a4ad28b1e647eae779a61c304587f8b6bf35de693a4f47c

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54ccc42061bc9dd26370cb24baaffd45.exe
Size

184KB
MD5

54ccc42061bc9dd26370cb24baaffd45
SHA1

28d783d3d1a2f2fcfda8dab0dacb3745bffbe608
SHA256

bdd813da105d01a58a4ad28b1e647eae779a61c304587f8b6bf35de693a4f47c
SHA512

589d40b67923949298d08a246e019287d36dd1ba0f5530f29f6e3c0da5725fc06b1f897956d782694c7d091ccf32bedf98dd0a712d2a542a64c255fbc5c35469
SSDEEP

3072:5x6UW6tpmJKAqXjqqG+m3atMEChxmAkzyNLmsOGIjHRc83K3HS/eXrbIJZz0:5xDeqq3PEaxV1dVOhHR/3K0ebd

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1292	VnrPack22.exe

Loads dropped DLL 5 IoCs

pid	Process
1708	54ccc42061bc9dd26370cb24baaffd45.exe
1708	54ccc42061bc9dd26370cb24baaffd45.exe
1292	VnrPack22.exe
1292	VnrPack22.exe
1292	VnrPack22.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\VnrPack22 = "\"C:\\Program Files (x86)\\VnrPack\\VnrPack22.exe\""	54ccc42061bc9dd26370cb24baaffd45.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\iCheck\Uninstall.exe	54ccc42061bc9dd26370cb24baaffd45.exe
File created	C:\Program Files (x86)\VnrPack\VnrPack22.exe	54ccc42061bc9dd26370cb24baaffd45.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1708	54ccc42061bc9dd26370cb24baaffd45.exe
Token: SeBackupPrivilege	1708	54ccc42061bc9dd26370cb24baaffd45.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1292	VnrPack22.exe
1292	VnrPack22.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1292	1708	54ccc42061bc9dd26370cb24baaffd45.exe	20
PID 1708 wrote to memory of 1292	1708	54ccc42061bc9dd26370cb24baaffd45.exe	20
PID 1708 wrote to memory of 1292	1708	54ccc42061bc9dd26370cb24baaffd45.exe	20
PID 1708 wrote to memory of 1292	1708	54ccc42061bc9dd26370cb24baaffd45.exe	20
PID 1708 wrote to memory of 1292	1708	54ccc42061bc9dd26370cb24baaffd45.exe	20
PID 1708 wrote to memory of 1292	1708	54ccc42061bc9dd26370cb24baaffd45.exe	20
PID 1708 wrote to memory of 1292	1708	54ccc42061bc9dd26370cb24baaffd45.exe	20

C:\Users\Admin\AppData\Local\Temp\54ccc42061bc9dd26370cb24baaffd45.exe
"C:\Users\Admin\AppData\Local\Temp\54ccc42061bc9dd26370cb24baaffd45.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files (x86)\VnrPack\VnrPack22.exe
  "C:\Program Files (x86)\VnrPack\VnrPack22.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VnrPack\VnrPack22.exe

Filesize
257KB

MD5
f25dc24a13a03a3e9e0c2524f9c4625f

SHA1
2b814a551f7f606d913b13ac36d540f97290b40b

SHA256
b3e2793738d1c79442b5c23b1addd1c637e6f6cfb158a3814c055ffa9f2d7621

SHA512
7ca832d418b5608a54067af41c6845ea8e844145d94a900c2ff00cb6ad16a83d602e0a68b7e3b418b16685b341d2104144c2e4ece814441c55c2b5adf85e0460

Download Submit
C:\Program Files (x86)\VnrPack\VnrPack22.exe

Filesize
228KB

MD5
6831ff309e4a9e0d2a6feb91c81e1c56

SHA1
b4c560db40bc9b13ff5b56af428aaab362221f86

SHA256
c02f916ad788e6a44d1679ee02288f979d55edcb45d51b84b5668ea8e9aa8f8a

SHA512
814a1ef2cfc1db7bbaa3379eaff0825e206fe927946e2f72f5dc43d4563fbb5569d11b3727ea1d6beddbfef1ce9275b1c446510ca1bdc776c224a4365347cfad

Download Submit
\Program Files (x86)\VnrPack\VnrPack22.exe

Filesize
336KB

MD5
80a4f2962c8689bd86bc7cd0864163c1

SHA1
a5d59c01dac1b36beeac1b17e5c48cf395dcab3c

SHA256
c060bf9383bacdb3f6c56826b1280da16b68c980932505be03816b17f6db5fca

SHA512
58547a88809857d07af23559d288e07d200791aa444e9af1da2f1adfe22abee96c4f9dd01cf3fa2e300b6d1f1d8362002db527496d0928bb68c41220c4028720

Download Submit
\Program Files (x86)\VnrPack\VnrPack22.exe

Filesize
250KB

MD5
c83024b20054504e13fe71cd45388d85

SHA1
c09ad0e912080688ad07b8781440a30681561da9

SHA256
674cff1281480ab08449ed46f5b0d7bead44fa1a704edc5b11202b8cb5dfa0e6

SHA512
8d0dbcf1610959597023327bf1df45cb1491f18fa90aff4d960f9d09393a036ec670e9ad2d37bf6a08e66df65367749c787f479a27f78753e52423ea63a5b770

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads