1ef565359cc00e7f24235e6e72122abd8c0b1eb22ec936cd5bcacbf4510bf21d

Analysis

max time kernel
154s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VDownloaderSetup.exe
Size

15.2MB
MD5

1a24f047cdfc86d48b521f2582106980
SHA1

b477d278279ccf7928b785213fd1a92064fce7a2
SHA256

7ec0e42285ca1761f1812e589bb988d0d8cae9044351c0bae75f4f08f127f462
SHA512

0ac3fad09a39961ac05a961b761753f2887dcad03a2a1f090c5ca08debcaf5ccc5f10503b1fb605a3bbfde9a42eb9b51cffa1fdac76269d7dda62fb745cbb007
SSDEEP

393216:8Vu+ssrcvFIKciM2U234u59Ls2I7BfjeiCDpauNB2ui4i5m83:nWrcxZM/A4ubL4jeiClPNi4i5m83

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	VDownloaderSetup.tmp

Executes dropped EXE 1 IoCs

pid	Process
3968	VDownloaderSetup.tmp

Loads dropped DLL 3 IoCs

pid	Process
3968	VDownloaderSetup.tmp
3968	VDownloaderSetup.tmp
1536	RunDll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe
1536	RunDll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3968	1168	VDownloaderSetup.exe	90
PID 1168 wrote to memory of 3968	1168	VDownloaderSetup.exe	90
PID 1168 wrote to memory of 3968	1168	VDownloaderSetup.exe	90
PID 3968 wrote to memory of 1536	3968	VDownloaderSetup.tmp	96
PID 3968 wrote to memory of 1536	3968	VDownloaderSetup.tmp	96
PID 3968 wrote to memory of 1536	3968	VDownloaderSetup.tmp	96

C:\Users\Admin\AppData\Local\Temp\VDownloaderSetup.exe
"C:\Users\Admin\AppData\Local\Temp\VDownloaderSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\is-DE01R.tmp\VDownloaderSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DE01R.tmp\VDownloaderSetup.tmp" /SL5="$3022A,15417274,141824,C:\Users\Admin\AppData\Local\Temp\VDownloaderSetup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\RunDll32.exe
    RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\is-HI7VB.tmp\OCSetupHlp.dll",_OCPRD110RunOpenCandyDLL@16 3968
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-DE01R.tmp\VDownloaderSetup.tmp

Filesize
1.1MB

MD5
713bfb93270414f034fa70496d5cfffc

SHA1
f6b5e6a6d7ec32a1d32bbab37986da0cf1bc94c6

SHA256
8f7c04c54c61b7f11d3c6016254abaab89997cb0d5198e8c7ef0df2edbca16d7

SHA512
e9cfbc676e02854821cbd585d3de2b3f5cadf2c11fe306244cbba7ae066574dbfc7971f0e6a1d38a6e47af75762f608a8f14082d0e2f8d7c224c591caed00472

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HI7VB.tmp\OCSetupHlp.dll

Filesize
750KB

MD5
c6cef91b4abcebc8e86acb0dab99a496

SHA1
d74806351749e22a8a4c11c327d53b802561ef12

SHA256
c176f3957092d03b9f53e020e0711b534bef3a8e528d2dc58475a19a4eef0723

SHA512
f20b7608cdfa893f3384bbcdc41d4eac79c028c4bd0f4881b0006c0323d7f806c9bea2db19adf7245abd4b06b25bde1aca8c4ee68053cd997684f75c220586e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HI7VB.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
memory/1168-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-28-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/3968-7-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/3968-24-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3968-30-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3968-31-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download