Resubmissions
- 24/02/2024, 16:45: 240224-t9jsjsgg37 (score 5)

Analysis
- max time kernel: 152s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24/02/2024, 16:45
Behavioral tasks
Each file bundled in or dropped by the installer was queued as its own task on both platforms; this page is behavioral1 (the installer itself on windows7_x64).
- behavioral1: EN/VCDS-Release-23.3.0-Installer.exe, resource win7-20240221-en
- behavioral2: EN/VCDS-Release-23.3.0-Installer.exe, resource win10v2004-20240221-en
- behavioral3: $PLUGINSDIR/InstallOptions.dll, resource win7-20240221-en
- behavioral4: $PLUGINSDIR/InstallOptions.dll, resource win10v2004-20240221-en
- behavioral5: $PLUGINSDIR/StdUtils.dll, resource win7-20240220-en
- behavioral6: $PLUGINSDIR/StdUtils.dll, resource win10v2004-20240221-en
- behavioral7: $PLUGINSDIR/System.dll, resource win7-20240221-en
- behavioral8: $PLUGINSDIR/System.dll, resource win10v2004-20240221-en
- behavioral9: $PLUGINSDIR/liteFirewall.dll, resource win7-20240221-en
- behavioral10: $PLUGINSDIR/liteFirewall.dll, resource win10v2004-20240221-en
- behavioral11: $TEMP/Installation-Instructions.pdf, resource win7-20240221-en
- behavioral12: $TEMP/Installation-Instructions.pdf, resource win10v2004-20240221-en
- behavioral13: CSVConv-64.exe, resource win7-20240221-en
- behavioral14: CSVConv-64.exe, resource win10v2004-20240221-en
- behavioral15: CSVConv.exe, resource win7-20240221-en
- behavioral16: CSVConv.exe, resource win10v2004-20240221-en
- behavioral17: LCode-Classic.exe, resource win7-20240221-en
- behavioral18: LCode-Classic.exe, resource win10v2004-20240221-en
- behavioral19: LCode.exe, resource win7-20240221-en
- behavioral20: LCode.exe, resource win10v2004-20240221-en
- behavioral21: Labels/06J-906-026-CAW.ps1, resource win7-20240221-en
- behavioral22: Labels/06J-906-026-CAW.ps1, resource win10v2004-20240221-en
- behavioral23: License.rtf, resource win7-20240215-en
- behavioral24: License.rtf, resource win10v2004-20240221-en
- behavioral25: RT-USB.dll, resource win7-20240221-en
- behavioral26: RT-USB.dll, resource win10v2004-20240221-en
- behavioral27: RT-USB.sys, resource win7-20240221-en
- behavioral28: RT-USB.sys, resource win10v2004-20240221-en
- behavioral29: RT-USB64.sys, resource win7-20240221-en
- behavioral30: RT-USB64.sys, resource win10v2004-20240221-en
- behavioral31: RTUS64.dll, resource win7-20240221-en
- behavioral32: RTUS64.dll, resource win10v2004-20240221-en
General
- Target: EN/VCDS-Release-23.3.0-Installer.exe
- Size: 66.0MB
- MD5: 9473934cd9d76fd3db99e802447b5b49
- SHA1: 7c50c0406f61b4cb9c90f96a6c72224b30d7939c
- SHA256: ba07a666c5655fca6da3e71336aa044b1fbdceecbbfe1bd2f0cc30bdae2ebd78
- SHA512: c4c48b9bf53985abf7dca34c5e6988c672d9210687e30653eebe60ddc950132e83c5ae3cc8afb79b1ca0506e183525bc124c6bc07cec61671c9f30fb4d3ee95c
- SSDEEP: 1572864:PPX3xVVQkjW31Qg6+rH0fVI1rgYokRrVKL/HpBmy:P5VG3hRrU9IBgO3KLxT
Malware Config
Signatures
- HTTP links in PDF interactive object (1 IoC)
  Detects HTTP links in interactive objects within PDF files.
  resource: behavioral1/files/0x0037000000014286-95.dat; yara_rule: pdf_with_link_action
  The only PDF the installer wrote in this task is Installation-Instructions.pdf, which it hands to AcroRd32.exe in the process tree; the link target itself is not shown in this report.
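The pdf_with_link_action hit above fires on a link action inside the PDF. What follows is an added example, not tria.ge's YARA rule (whose exact logic is not on this page) and not code from the VCDS project: a byte-level scanner that looks for /S /URI actions whose target starts with http:// or https:// in a PDF's uncompressed objects, run against a constructed one-page PDF. Function names and the test document are my own.

```python
"""Added example: spot http(s) link actions in a PDF, the behaviour the
pdf_with_link_action signature reports. Not tria.ge's rule and not VCDS code;
a plain byte scan over the PDF's uncompressed objects.

Caveat: PDF 1.5+ files may keep annotation and action dictionaries inside
compressed object streams (/Type /ObjStm), which this scan does not inflate,
so an empty result is not proof that no link action exists.
"""
import re
from typing import List, Optional

# A URI action is a dictionary holding both /S /URI and /URI (...). The two
# alternatives accept the keys in either order. Only literal strings in
# parentheses are handled; hex strings <...> and escaped parentheses are not.
_URI_ACTION = re.compile(
    rb"/S\s*/URI\b[^>]*?/URI\s*\(([^)]*)\)"
    rb"|/URI\s*\(([^)]*)\)[^>]*?/S\s*/URI\b"
)


def pdf_http_link_targets(data: bytes) -> List[str]:
    """Return every URI-action target in `data` that is an http(s) URL."""
    targets = []
    for m in _URI_ACTION.finditer(data):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        uri = raw.decode("latin-1")
        if uri.lower().startswith(("http://", "https://")):
            targets.append(uri)
    return targets


def build_pdf(uri: Optional[str] = None) -> bytes:
    """Construct a minimal one-page PDF; when `uri` is given, attach a /Link
    annotation whose action opens it. Constructed test input, not the
    Installation-Instructions.pdf from the report. The xref table is omitted
    because a byte scan does not need it."""
    page_extra = b""
    annot_obj = b""
    if uri is not None:
        page_extra = b" /Annots [4 0 R]"
        annot_obj = (
            b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
            b" /A << /S /URI /URI (" + uri.encode("latin-1") + b") >> >>\nendobj\n"
        )
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
        + page_extra + b" >>\nendobj\n"
        + annot_obj
        + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


def scan_file(path: str) -> List[str]:
    """Convenience wrapper for a PDF on disk."""
    with open(path, "rb") as fh:
        return pdf_http_link_targets(fh.read())


if __name__ == "__main__":
    for label, doc in [
        ("with http link", build_pdf("https://example.test/install-guide")),
        ("mailto only", build_pdf("mailto:support@example.test")),
        ("no annotation", build_pdf()),
    ]:
        print(f"{label}: {pdf_http_link_targets(doc)}")
```

Run it as a script to see the three constructed cases, or call scan_file() on a dropped PDF from a sandbox run; a mailto: action is deliberately not reported, matching the signature's focus on HTTP targets.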
- Loads dropped DLL (4 IoCs)
  pid 924 VCDS-Release-23.3.0-Installer.exe, 4 hits. $PLUGINSDIR is the directory an NSIS installer extracts its plugin DLLs to, and the four DLLs under it in the task list (InstallOptions.dll, StdUtils.dll, System.dll, liteFirewall.dll) are standard NSIS plugins.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). No pid is listed for this entry.
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
  pid 592 taskmgr.exe, 43 hits.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 592 taskmgr.exe.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 592 taskmgr.exe.
- Suspicious use of FindShellTrayWindow (57 IoCs)
  pid 924 VCDS-Release-23.3.0-Installer.exe, 1 hit; pid 592 taskmgr.exe, 56 hits.
- Suspicious use of SendNotifyMessage (55 IoCs)
  pid 592 taskmgr.exe, 55 hits.
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2564 AcroRd32.exe, 3 hits.
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 924 (VCDS-Release-23.3.0-Installer.exe) wrote to memory of PID 2564, procid_target 28, 4 hits.

Reading note: every hit under EnumeratesProcesses, GetForegroundWindowSpam, AdjustPrivilegeToken and SendNotifyMessage, and 56 of the 57 FindShellTrayWindow hits, come from taskmgr.exe (PID 592), which the process tree below shows as a separate top-level process rather than a descendant of the installer. The signatures raised inside the installer's own tree are Loads dropped DLL, one FindShellTrayWindow hit, WriteProcessMemory into AcroRd32.exe (the child it spawned to open Installation-Instructions.pdf), and SetWindowsHookEx inside that AcroRd32.exe process.
Processes
- C:\Users\Admin\AppData\Local\Temp\EN\VCDS-Release-23.3.0-Installer.exe (PID 924, top-level)
  command line: "C:\Users\Admin\AppData\Local\Temp\EN\VCDS-Release-23.3.0-Installer.exe"
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2564, child of 924)
    command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Installation-Instructions.pdf"
    - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskmgr.exe (PID 592, top-level)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\DllHost.exe (PID 2500, top-level)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
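Most signature hits on this page come from taskmgr.exe rather than from the installer. As an added example, not tria.ge output and not VCDS code, the script below rebuilds the process tree from the Processes section (parent links are taken from the tree nesting, since the report does not print parent PIDs), collapses each signature's repeated "pid Process" rows into counts, and splits every signature's hits into those inside the sample's tree and those outside it. The process records and IoC rows are constructed to match this page's counts; function names are mine.

```python
"""Added example: attribute sandbox signature hits to process trees.

Not tria.ge output and not VCDS code. PROCESSES and SIGNATURE_ROWS are
constructed from this report's Processes and Signatures sections; tria.ge
does not print parent PIDs, so the parent links come from the tree nesting
shown on the page.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

# (pid, parent pid, image). None as parent = top-level process in the session.
PROCESSES: List[Tuple[int, Optional[int], str]] = [
    (924, None, r"C:\Users\Admin\AppData\Local\Temp\EN\VCDS-Release-23.3.0-Installer.exe"),
    (2564, 924, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"),
    (592, None, r"C:\Windows\system32\taskmgr.exe"),
    (2500, None, r"C:\Windows\SysWOW64\DllHost.exe"),
]

# Flattened "pid Process ..." rows, one string per signature, built with the
# same hit counts as the report. WriteProcessMemory uses a different row shape
# ("PID a wrote to memory of b") and is handled separately below.
SIGNATURE_ROWS: Dict[str, str] = {
    "Loads dropped DLL": "924 VCDS-Release-23.3.0-Installer.exe " * 4,
    "Suspicious behavior: EnumeratesProcesses": "592 taskmgr.exe " * 43,
    "Suspicious behavior: GetForegroundWindowSpam": "592 taskmgr.exe ",
    "Suspicious use of AdjustPrivilegeToken": "592 taskmgr.exe ",
    "Suspicious use of FindShellTrayWindow":
        "924 VCDS-Release-23.3.0-Installer.exe " + "592 taskmgr.exe " * 56,
    "Suspicious use of SendNotifyMessage": "592 taskmgr.exe " * 55,
    "Suspicious use of SetWindowsHookEx": "2564 AcroRd32.exe " * 3,
}

# (writer pid, target pid) pairs for the WriteProcessMemory signature.
WRITE_PROCESS_MEMORY: List[Tuple[int, int]] = [(924, 2564)] * 4


def parse_pid_rows(row_text: str) -> Counter:
    """Collapse 'pid image pid image ...' into {(pid, image): hits}.
    Image names in these rows contain no spaces, so whitespace splitting is safe."""
    tokens = row_text.split()
    counts: Counter = Counter()
    for pid, image in zip(tokens[::2], tokens[1::2]):
        counts[(int(pid), image)] += 1
    return counts


def descendants(root: int, processes) -> Set[int]:
    """PIDs of `root` and everything it (transitively) spawned."""
    children = defaultdict(list)
    for pid, ppid, _ in processes:
        children[ppid].append(pid)
    seen: Set[int] = set()
    stack = [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


def attribute(sample_pid: int, processes, signature_rows, wpm_pairs) -> Dict[str, Dict[str, int]]:
    """Split each signature's hits into 'sample' (inside the sample's tree)
    and 'other' (any other process in the session)."""
    tree = descendants(sample_pid, processes)
    result: Dict[str, Dict[str, int]] = {}
    for name, rows in signature_rows.items():
        counts = parse_pid_rows(rows)
        inside = sum(n for (pid, _), n in counts.items() if pid in tree)
        result[name] = {"sample": inside, "other": sum(counts.values()) - inside}
    # A memory write counts against the sample when the writer is in its tree.
    inside = sum(1 for writer, _ in wpm_pairs if writer in tree)
    result["Suspicious use of WriteProcessMemory"] = {"sample": inside, "other": len(wpm_pairs) - inside}
    return result


def sample_signatures(report: Dict[str, Dict[str, int]]) -> List[str]:
    """Names of signatures with at least one hit inside the sample's tree."""
    return sorted(name for name, c in report.items() if c["sample"] > 0)


if __name__ == "__main__":
    report = attribute(924, PROCESSES, SIGNATURE_ROWS, WRITE_PROCESS_MEMORY)
    for name, c in report.items():
        print(f"{name}: sample={c['sample']} other={c['other']}")
    print("raised by the sample's tree:", sample_signatures(report))
```

The same split applies to any sandbox report where the analysis environment or operator interaction starts extra processes: attribute hits through the tree first, then read the signature list.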
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 40B
  MD5: 807642c966d7a43b5dcac6f5848c2787
  SHA1: 4e3349ff3b32c3de030106e44f4a89f36cf3192e
  SHA256: 4a6ccff9d4c3d6e8bd8f1b366ebb0cb0365b7b4c48de79bfafdba0221c92bb87
  SHA512: 660a00659ee972b7df96f8edfa02d1426030acb28d9af51583df1af718350bb94bb5acac099dcbb9433b8e3e2750e07b25976f382e8516a609a61d09c4cee8d6
- Filesize: 152B
  MD5: c322f2d52833652457bf43c98b5d7c5b
  SHA1: 51f5793cc20fde7ae9cf03ae1ac00d8e34e85462
  SHA256: e78ad9f050b43f7353677fbc2a0a2d2d5514eb48b56219f75263ce9982aebe5f
  SHA512: d93ea5a7cbef5ab2395ea9926a4c2108110074aca4950f8620a30f703cb88130a4b2cedd0cd105de5fd3d85e0de41b641dc026357c7fc1c02362faae65cc677c
- Filesize: 844KB
  MD5: 9f57d5c8bea7bb0c56f6feab5ec57d49
  SHA1: fb5509772439aa89fad1194a7657ac9f8dadd9a0
  SHA256: 32f20c4168639d3544920705b1b563dced626bf506ed111729bf0fca7be20ef6
  SHA512: aa33496b4def53a7a2e51102de2ddbdca237dba76b43ae6bc6cb70c76953ac1685592e997c9f5787195e67b8419ef06ce239f84b45ba4b07d93574550946994c
- Filesize: 100KB
  MD5: c6a6e03f77c313b267498515488c5740
  SHA1: 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
  SHA256: b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
  SHA512: 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
- Filesize: 1KB
  MD5: c32aa4cfebe6e7ab032d1d4df372a263
  SHA1: 2d630d88b23f8f43d024d12535fd7775e1559427
  SHA256: 675eedeb9dcb71dc44f03f8d33760c3e1047f729557a1904500c72602d60ee0f
  SHA512: e021e1afc8a4998b2b77e09096f550b30d5849c7583a8cfaa016efdd8519c0fc5ad05bf4544a714022cdab1f96ae3192d66d235a9225f1245ca6fd6b5bc5d17e
- Filesize: 3KB
  MD5: 9999d75315ce5f2f51883cbcbb87a275
  SHA1: e3ca93a630848ad76b5534709dcf125373c94871
  SHA256: a3a60709e2181bb59e602cdbb21353be58a47d2a5e49ac3dd8a941ac64c53603
  SHA512: 536328daef876f9996ccb1780e6f7a2bdfd87abf841c1ae3ba3f905fe2eb74103aae813a99f696b37dd0c4b11a2c23be047f7caccc76552433e884c30167bcbb
- Filesize: 15KB
  MD5: 05bf02da51e717f79f6b5cbea7bc0710
  SHA1: 07471a64ef4dba9dc19ce68ae6cce683af7df86d
  SHA256: ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5
  SHA512: c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6
- Filesize: 12KB
  MD5: 0d7ad4f45dc6f5aa87f606d0331c6901
  SHA1: 48df0911f0484cbe2a8cdd5362140b63c41ee457
  SHA256: 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
  SHA512: c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9