f73b5ddee602453364fa40dabfab33a8b192d59211ef7056f0196da4ff4a54c0

Resubmissions

24/02/2024, 16:45

240224-t9jsjsgg37 5

Analysis

max time kernel
152s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EN/VCDS-Release-23.3.0-Installer.exe
Size

66.0MB
MD5

9473934cd9d76fd3db99e802447b5b49
SHA1

7c50c0406f61b4cb9c90f96a6c72224b30d7939c
SHA256

ba07a666c5655fca6da3e71336aa044b1fbdceecbbfe1bd2f0cc30bdae2ebd78
SHA512

c4c48b9bf53985abf7dca34c5e6988c672d9210687e30653eebe60ddc950132e83c5ae3cc8afb79b1ca0506e183525bc124c6bc07cec61671c9f30fb4d3ee95c
SSDEEP

1572864:PPX3xVVQkjW31Qg6+rH0fVI1rgYokRrVKL/HpBmy:P5VG3hRrU9IBgO3KLxT

Score

4^/10

link pdf

Malware Config

Signatures

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x0037000000014286-95.dat	pdf_with_link_action

Loads dropped DLL 4 IoCs

pid	Process
924	VCDS-Release-23.3.0-Installer.exe
924	VCDS-Release-23.3.0-Installer.exe
924	VCDS-Release-23.3.0-Installer.exe
924	VCDS-Release-23.3.0-Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
592	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	592	taskmgr.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
924	VCDS-Release-23.3.0-Installer.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe
592	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2564	AcroRd32.exe
2564	AcroRd32.exe
2564	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 2564	924	VCDS-Release-23.3.0-Installer.exe	28
PID 924 wrote to memory of 2564	924	VCDS-Release-23.3.0-Installer.exe	28
PID 924 wrote to memory of 2564	924	VCDS-Release-23.3.0-Installer.exe	28
PID 924 wrote to memory of 2564	924	VCDS-Release-23.3.0-Installer.exe	28

C:\Users\Admin\AppData\Local\Temp\EN\VCDS-Release-23.3.0-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\EN\VCDS-Release-23.3.0-Installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:924
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Installation-Instructions.pdf"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2564

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:592

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Ross-Tech\VCDS\Labels\5Q0-907-376.clb

Filesize
40B

MD5
807642c966d7a43b5dcac6f5848c2787

SHA1
4e3349ff3b32c3de030106e44f4a89f36cf3192e

SHA256
4a6ccff9d4c3d6e8bd8f1b366ebb0cb0365b7b4c48de79bfafdba0221c92bb87

SHA512
660a00659ee972b7df96f8edfa02d1426030acb28d9af51583df1af718350bb94bb5acac099dcbb9433b8e3e2750e07b25976f382e8516a609a61d09c4cee8d6

Download Submit
C:\Ross-Tech\VCDS\Labels\8W0-035-MIB-STD2.clb

Filesize
152B

MD5
c322f2d52833652457bf43c98b5d7c5b

SHA1
51f5793cc20fde7ae9cf03ae1ac00d8e34e85462

SHA256
e78ad9f050b43f7353677fbc2a0a2d2d5514eb48b56219f75263ce9982aebe5f

SHA512
d93ea5a7cbef5ab2395ea9926a4c2108110074aca4950f8620a30f703cb88130a4b2cedd0cd105de5fd3d85e0de41b641dc026357c7fc1c02362faae65cc677c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installation-Instructions.pdf

Filesize
844KB

MD5
9f57d5c8bea7bb0c56f6feab5ec57d49

SHA1
fb5509772439aa89fad1194a7657ac9f8dadd9a0

SHA256
32f20c4168639d3544920705b1b563dced626bf506ed111729bf0fca7be20ef6

SHA512
aa33496b4def53a7a2e51102de2ddbdca237dba76b43ae6bc6cb70c76953ac1685592e997c9f5787195e67b8419ef06ce239f84b45ba4b07d93574550946994c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8567.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8567.tmp\ioSpecial.ini

Filesize
1KB

MD5
c32aa4cfebe6e7ab032d1d4df372a263

SHA1
2d630d88b23f8f43d024d12535fd7775e1559427

SHA256
675eedeb9dcb71dc44f03f8d33760c3e1047f729557a1904500c72602d60ee0f

SHA512
e021e1afc8a4998b2b77e09096f550b30d5849c7583a8cfaa016efdd8519c0fc5ad05bf4544a714022cdab1f96ae3192d66d235a9225f1245ca6fd6b5bc5d17e

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9999d75315ce5f2f51883cbcbb87a275

SHA1
e3ca93a630848ad76b5534709dcf125373c94871

SHA256
a3a60709e2181bb59e602cdbb21353be58a47d2a5e49ac3dd8a941ac64c53603

SHA512
536328daef876f9996ccb1780e6f7a2bdfd87abf841c1ae3ba3f905fe2eb74103aae813a99f696b37dd0c4b11a2c23be047f7caccc76552433e884c30167bcbb

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8567.tmp\InstallOptions.dll

Filesize
15KB

MD5
05bf02da51e717f79f6b5cbea7bc0710

SHA1
07471a64ef4dba9dc19ce68ae6cce683af7df86d

SHA256
ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5

SHA512
c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8567.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/592-1423-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/592-2586-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/592-1433-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/592-3549-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/592-3555-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/592-8206-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download