Analysis
-
max time kernel
37s -
max time network
39s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
-
submitted
04/02/2024, 10:38
General
-
Target
https://cdn.discordapp.com/attachments/1203642046229774346/1203650746558713866/VAPEV4.rar?ex=65d1de1c&is=65bf691c&hm=1589e00dfc7456aa2303e41feb289c7405636c2400887a4a574f99e12465659b&
Malware Config
Signatures
-
.NET Reactor proctector 3 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Executes dropped EXE 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1203642046229774346/1203650746558713866/VAPEV4.rar?ex=65d1de1c&is=65bf691c&hm=1589e00dfc7456aa2303e41feb289c7405636c2400887a4a574f99e12465659b&1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbfd253cb8,0x7ffbfd253cc8,0x7ffbfd253cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1920 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:12⤵
-
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\VAPEV4.rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,13100043251594963859,9990485914549330124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\Desktop\VAPEV4.exe"C:\Users\Admin\Desktop\VAPEV4.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 12563⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 12683⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2596 -ip 25961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2596 -ip 25961⤵
-
C:\Users\Admin\Desktop\VAPEV4.exe"C:\Users\Admin\Desktop\VAPEV4.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
137B
MD58a8f1e8a778dff107b41ea564681fe7b
SHA108efcfdc3e33281b2b107d16b739b72af4898041
SHA256d09cdd05da4e3e875d3d5d66c542404519759acda2efa7c00ca69aa3f6234de4
SHA512a372330793e09c661e6bf8b2c293c1af81de77972b8b4ba47055f07be0fcdfe5e507adbc53903a0cd90c392b36fe4a8a41d3fea923ad97fa061dbef65398edf6
-
Filesize
152B
MD55cabc17286e25c0ade7a7f050b6e92a6
SHA1c25ab09177ad0da9ee6caf78310236bdc2cba319
SHA2560e75f9140c154297d8f741aea07b90fc1be1b8deb79c3f204148471800e322b6
SHA5120cc35eda0168f51e5e719ba0bfb226c9f5293a6056d47190a23377deb98244f42c62b8416696cdd13b2db6228c1c8a2513cdf6dbb1d4b59f0c1c889d1acee6e8
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
4KB
MD59ae16d66130bfb12539d639fe89ba995
SHA100a79a778b72afb0961c2fa1fe38476e99b05afe
SHA25676a25c0a71060b785145959592f71333af3befd28298d0e815f32b94cc244784
SHA512512deb32723393567538033048e4ab758bfbdbd03dc6c21a4247bfbd3e2540b50556d858d885318d84fd598e61327cc0caff236ea4b136747a49c7d5b6ad5d0d
-
Filesize
5KB
MD5c0b87c7d2be8593d14b7867fec88f8ff
SHA1143d0a4026fec27e4aa59bc444419967e7f7390a
SHA25609489f93d830bd8c890a7c453abbec25df31c0f9ff5553b8690c93cbee8f6e28
SHA512b2818e6dd04b2d48528ac4b95a260115ae4b22291adddb1e602977dc7e3edf5b7bc86f633f1b1339181da91e1a926b0b93cbf5b7c048444d958068f81c95782f
-
Filesize
5KB
MD5d81a437bff77e8925f2eb19b1f69e6a8
SHA1061916082f5477535e1ed630c32f4284b7e32aa6
SHA25677732bbe1ee38c2d2c59a8ea900d49b8c56978b33c973139fdde535e0cf62ca4
SHA512861dab958423dfa617d9935e4552fb9c6ebc7af8cef8eee785dabc6d6cbfe76b28c5552c4c197ab0c1fba4cbdbdd7a9ffa09225d6501afa47f32bb94fc272cc3
-
Filesize
25KB
MD568fe6f34e7d6603a3d2f4c95919f8408
SHA1c7be30582f94d46f05338cc39726f72c9e2fa4cf
SHA2568cba909149b2d3fc45315cf63cdb8fbe42a4b7c614347171ba00aaf859639c1a
SHA51248eac2f55675b01ebeb28680ed9af6dcb9c558f76fd647cf05f8a7e1fa04ee57f7a8c70bc0ea882bdbca48b29d62ea7af74b76a03b09c19762e4c93118929be1
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD523205b6f93e7d9bd899da7b849984aca
SHA19f7aa1572635125cc152daa8935f6dab74fba83a
SHA2568ad8473733186cd166ae9dea9489d99e500cf62d3f849247f4a198a7c0dd7098
SHA512f6eab72f3e356787b0f897d1298b8d39cbaeb1a48305462d219c9b62b320ff021b05b896150679e022a6ae6b08ffd18568a55406542ad854d79355d38514504b
-
Filesize
10KB
MD59075c3bad5ffaa2dfd266a2392bc2c96
SHA12d4fd837c3e20fb7200b620e2835e183f5ae79c4
SHA25610018190d11695c18a1d0680dc15cc2f2f85c00825c2a59edd359c982d6d5ab1
SHA51231844b8734b88d1de310672fe952b377a4930d0a9b0fd7cc48962ded637e1a2c31fef345a4d3aa5a8e806d4563bf2d6715b8dbb6d03367893d37390dc3122cb7
-
Filesize
733KB
MD5269080d3bbec9bbea3995c5a088998fe
SHA1115ee947afdb07a005aaa63321375450ca8f265f
SHA256178e842d5d286ca9effe0fe9e545d6e5bd751ca7a491d96d7aeeececc7b5ca22
SHA512be68cae5832ead9817617ad84f337bb8931403b5006acebb110ad3b6159cb3f6e9f85507b7e04cf89eaf6d5d95adce06d133b4cee4bbd894be61920a9057bca1
-
Filesize
666KB
MD50c7fea7d7b3f476b8eb3a01d8ba80281
SHA11369315b5f3d22a21b7d301e5057b221a271c30f
SHA25660f6652f8e85e6747c3e79ebc43babbcd442d33812954abc829c56e9250199eb
SHA512a80473bdb2ecfe295ceeabf4a181c3346247b5f639bdc754f5bbdeff2c6e21facc5215d1e424ecce32693c61b4304bcca56a2412bf763a6880b0cae1905b6fa5
-
Filesize
564KB
-
Filesize
4KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
32.0MB
-
Filesize
648KB
-
Filesize
64KB
-
Filesize
640KB
-
Filesize
5.6MB