Analysis
-
max time kernel
60s -
max time network
62s -
platform
windows11-21h2_x64 -
resource
win11-20240214-en -
resource tags
-
submitted
19-02-2024 20:12
Errors
General
-
Target
VC_redist.x86.exe
-
Size
13.2MB
-
MD5
9882a328c8414274555845fa6b542d1e
-
SHA1
ab4a97610b127d68c45311deabfbcd8aa7066f4b
-
SHA256
510fc8c2112e2bc544fb29a72191eabcc68d3a5a7468d35d7694493bc8593a79
-
SHA512
c08d1aa7e6e6215a0cee2793592b65668066c8c984b26675d2b8c09bc7fee21411cb3c0a905eaee7a48e7a47535fa777de21eeb07c78bca7bf3d7bb17192acf2
-
SSDEEP
196608:oRjgvJ2flpQcIIS/Rj7BWl+aV8t8z72BxBwBgO42BE6+2DQlMp1sHW5ZDmCCM0Xr:IgRIlptVYmfr7yBG/4pXMHsHW76CsGE
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 49 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 27 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 24 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe"C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{C16CF9DE-CBD4-47AC-B752-CA052BBB8EFC}\.cr\VC_redist.x86.exe"C:\Windows\Temp\{C16CF9DE-CBD4-47AC-B752-CA052BBB8EFC}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe" -burn.filehandle.attached=568 -burn.filehandle.self=5642⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{A4635A34-E9AB-41DC-A5B5-C27B9D217975}\.be\VC_redist.x86.exe"C:\Windows\Temp\{A4635A34-E9AB-41DC-A5B5-C27B9D217975}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{2E478347-8C83-4731-BAEE-4ECEA137DB90} {F7955AB1-3404-4BDB-BEA8-B63D585B715F} 28763⤵
- Adds Run key to start application
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=984 -burn.embedded BurnPipe.{8ACF8D6A-C473-4A1D-8D66-AFD5F1865171} {22C23186-B537-45D3-BA26-CE9F110984F9} 40564⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=984 -burn.embedded BurnPipe.{8ACF8D6A-C473-4A1D-8D66-AFD5F1865171} {22C23186-B537-45D3-BA26-CE9F110984F9} 40565⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{04B5FACD-FD7A-474D-8E8D-DF3222D87787} {A5E153AF-45B1-411A-A7C8-7AF3EB4EA515} 26166⤵
- Modifies registry class
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" RenamePC1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a2b855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e578ec8.rbsFilesize
16KB
MD5849f0cebd6c0e29abc0b3621d4427ffa
SHA188e3cc1c75be5160fcd4919c728f49fdfbbd947c
SHA2560320151bb4910a305619876e3b59dfe9a003d56040fe210d946789b3890a398f
SHA51244079874b69f543e38b58920f03b4ca2149a633948d2aabe8a69d3634be830d8a9688e700863183a5a53181838a0dd21468a41718b47164e635dd7f4c581534e
-
C:\Config.Msi\e578ecd.rbsFilesize
18KB
MD5e8e0525d1c55db1713de29a5386c815d
SHA118c04b2edc8ff6a9618ca80058df09ef1181d47d
SHA2568ee336823eb12d36f6f124c3f4866ce450667732a9cee8165e6d3a91958fd927
SHA512de1f606d751c9ce95f7dcd33462994c4bc5f278c1b6966acb3cf9a583b4d5a79c82cffd4bc13deaeda4d1f568483a55d5ab60de30a1dc5845f07b19955d3af56
-
C:\Config.Msi\e578eda.rbsFilesize
20KB
MD51d1e377b4b97601c98251c9952a9c0e7
SHA11126c4dfb62c3e1fdbeff969b3c75bcb69b0a83c
SHA256784924729e93a4d1e4a6a02d91cc5bd25dbff54e84154163d24a95700a04f9e8
SHA512fe8bd11012a9898f22667fbd47a45860c709f86effe7d70bc5ac1944a2aaa4977ea442c81c4b0e30aa4a2d709905acda36f955a363c914e5dc18166e0727b689
-
C:\Config.Msi\e578ee9.rbsFilesize
19KB
MD5a369c0fbf51de2b7033cd6b28650115e
SHA1fbfd98efbd7ff0f8e9e836a915cf68d8d8941094
SHA2561abae6f9410328cd2b4a543d20d75fd9a2755de80af3fc592a5ff38cd19b1f13
SHA51243b4821d86b0f62bbd8125430fe57d2e0f0dbc37d687ee84a505b053da0bd57c5be69eee911b27b45790d7d3f3eb1ad8bf33138567f737bcf3de50888f6ddba0
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-2-19.2012.2220.1.odlFilesize
706B
MD5f7fdaecee7f9f673ed5ca1aeeda37fc8
SHA1ed1c53cd5f948545c6e4653afe8b825d5502a1bf
SHA25603fc4941cba05f5e539add449e25deebaef9eb967024890663217765dfa34844
SHA512c94753dfa468f6bf9f7df337722f806da2748f222e5a62b315bcfc2c35a87d0a694b2db116d7c920552f7fa3a63ca82207b68327c8670c9805e91a910044304a
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-2-19.2012.2784.1.odlFilesize
706B
MD5fa0864bec89a19bcc22bd0737db53032
SHA153ccd2a0d7c46b91314c61e832c218dad559def3
SHA25609548679825617784185abae53d2f1070078dcadd31efcf7710fd3b0354b0b88
SHA512ece7e2af1a505cc6449898ea52220c4324734d2f316d4a0d7e676d46da7dda577247b1b6f223c67574c5da14902d000db99f4185c7feca4dbf05c4cb1384eeae
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240219201235_000_vcRuntimeMinimum_x86.logFilesize
2KB
MD53be20ecb42c639bf464c7eefe8e66e79
SHA1d9dba184414502673a77d9eec82ff0d8fa9180dd
SHA25629b131d76e14184c66212d8cf4046124dc4bf9c158e3f70a8955b1f1ab1ceb1c
SHA51279a6aedb407012154f465a6c4df95660b9995fab7c1c9ebaff4e16efc3669db334cf0027a10734463e80e657f7880f519408aca2ec85b3effe697f6201788977
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240219201235_001_vcRuntimeAdditional_x86.logFilesize
4KB
MD5262296d30149d5c27845a817926b075e
SHA1dd7c21b4a28445c057b8d6537f8570a0da8954ef
SHA256be587f3902a3e17a0a7315a79d5ddab7afb1cc378745d00349e8a3c0d6840ad1
SHA51299fff134fb246b170d3e6746dfa3d1cc577579a7cd1a664a6ac7f0ebbe8a2cfd4085adfa11857c8d8c183a3db0f78c32963219286503d6151007f84ddeba1e0a
-
C:\Windows\Temp\{A4635A34-E9AB-41DC-A5B5-C27B9D217975}\.ba\logo.pngFilesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
C:\Windows\Temp\{A4635A34-E9AB-41DC-A5B5-C27B9D217975}\.ba\wixstdba.dllFilesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
C:\Windows\Temp\{A4635A34-E9AB-41DC-A5B5-C27B9D217975}\cab54A5CABBE7274D8A22EB58060AAB7623Filesize
814KB
MD5a57efc0afffdf914cbc76bb882cad37e
SHA1732dbef27c49c27d9f1c00eba177eabc21650fb8
SHA256c384da7cc6ead2ce054a67fded26d7e4cff2f981a83c64de62e53864665e5f45
SHA512ad2cfc0fd199fe2726fd18c0a5972185e8331fe49807ca6340212901dd61d30853e2c72015ee9bac0425e287ef488190a245676173194fafbf8f6fc7fbf9baba
-
C:\Windows\Temp\{A4635A34-E9AB-41DC-A5B5-C27B9D217975}\cabB3E1576D1FEFBB979E13B1A5379E0B16Filesize
4.9MB
MD54a17e4da145fa1ea92a52266221ad628
SHA1f6304de9d73609f6b9717d6a4d44efd7ab7ffe9e
SHA2569544abbd46b39bec491cf63076fb109306e519f303df9cd583a28956172bf038
SHA512de9a6a1391070a9470f78208ff74120cffd2a1e2580af4add87914ba6dd27e07b092e66caa847726e05eb5fae0c1252681de37f34b560d4d95f3b76f3599e16c
-
C:\Windows\Temp\{A4635A34-E9AB-41DC-A5B5-C27B9D217975}\vcRuntimeAdditional_x86Filesize
180KB
MD5a37983d3fca236d6ae2d22ab0fa9f1d4
SHA182f77032813aeddf321d681da4e1aa50786258dd
SHA256a7f13351ce5b41fcf6c2ed95f223f5e2aab5411bf8499a772f69ad8ffb87f96b
SHA512619467e6d4aa6bc8f1cc02daf52330e28c313d774a1d0b0bb96d40a2ed2dc3697cee738463faed040e1bca407c3471ae1bc8dd91472682b25c579caacdbf7374
-
C:\Windows\Temp\{A4635A34-E9AB-41DC-A5B5-C27B9D217975}\vcRuntimeMinimum_x86Filesize
180KB
MD53ca6b74aefe34587f479055f5915e136
SHA161771e0a8ccabac8783a22f67adcbce612f11704
SHA256a6f3a8e4e2162d8df176418e9a238becb645b2db31d8073bfc4f4cdb7fb1aa22
SHA5123949cb3fdad3e8d5e9c649141a72783e0b403d3e835433d4d456654bcdad1290258f6d023ce127740f9c82459d337b9f8731c799efcf99775955d38cf3fef750
-
C:\Windows\Temp\{C16CF9DE-CBD4-47AC-B752-CA052BBB8EFC}\.cr\VC_redist.x86.exeFilesize
634KB
MD57bd0b2d204d75012d3a9a9ce107c379e
SHA141edd6321965d48e11ecded3852eb32e3c13848d
SHA256d4c6f5c74bbb45c4f33d9cb7ddce47226ea0a5ab90b8ff3f420b63a55c3f6dd2
SHA512d85ac030ebb3ba4412e69b5693406fe87e46696ca2a926ef75b6f6438e16b0c7ed1342363098530cdceb4db8e50614f33f972f7995e4222313fcef036887d0f0
