8a0b8137278ad2cb6dc352a96f8ade5724a595dcb777432e6c8f078d70f3f718

General

Target

VapeV4Cracked/VapeV4Cracked.exe
Size

13.6MB
MD5

a3c081e2912080dfdc6a9c981530b6f0
SHA1

4eeb04ea61ff6b829b8b52952d68584a1cdb6e69
SHA256

38ae76715fa9a566a0e74f682b7dd9f588b54b263bea369429be49848ff0422c
SHA512

c16e60520245030f3cb3f52266bf20295c2f020bebdc2416e51b0db87d931069e02b3c5f5a92bc83316136767eb055066bc8c34be8cf2a7061841be2cb64f291
SSDEEP

393216:/niIE7Yo5D2nwW+eGQRIMTozGxu8C0ibfz6e57K1bmXdWCNx+:/87r5DawW+e5R5oztZ026e5IkVN4

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1036	VapeV4Cracked.exe
1460	VapeV4Cracked.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2644	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1036	VapeV4Cracked.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1036	2016	VapeV4Cracked.exe	41
PID 2016 wrote to memory of 1036	2016	VapeV4Cracked.exe	41
PID 2016 wrote to memory of 1036	2016	VapeV4Cracked.exe	41
PID 2816 wrote to memory of 1460	2816	VapeV4Cracked.exe	55
PID 2816 wrote to memory of 1460	2816	VapeV4Cracked.exe	55
PID 2816 wrote to memory of 1460	2816	VapeV4Cracked.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VapeV4Cracked\VapeV4Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\VapeV4Cracked\VapeV4Cracked.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\VapeV4Cracked\VapeV4Cracked.exe
  "C:\Users\Admin\AppData\Local\Temp\VapeV4Cracked\VapeV4Cracked.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=4336 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:1
1⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=2740 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:1
1⤵
PID:696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3952 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:8
1⤵
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3340 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:8
1⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:8
1⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --mojo-platform-channel-handle=3700 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:1
1⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=1396 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:1
1⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=2340 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:1
1⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=3308 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:1
1⤵
PID:344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4344 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:8
1⤵
PID:1704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:8
1⤵
PID:272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1256,i,8824019661052169353,9449282323160433736,131072 /prefetch:8
1⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\Temp1_VapeV4Cracked.zip\VapeV4Cracked\VapeV4Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_VapeV4Cracked.zip\VapeV4Cracked\VapeV4Cracked.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\Temp1_VapeV4Cracked.zip\VapeV4Cracked\VapeV4Cracked.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_VapeV4Cracked.zip\VapeV4Cracked\VapeV4Cracked.exe"
  2⤵
  - Loads dropped DLL
  PID:1460

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_VapeV4Cracked.zip\VapeV4Cracked\instructions.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI20162\python312.dll

Filesize
6.7MB

MD5
48ebfefa21b480a9b0dbfc3364e1d066

SHA1
b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

SHA256
0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

SHA512
4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

Download Submit

Analysis

Sharing