f9006c1ef7c3d7ddec0e35d2e3faab0fe706e28b166bdc153676d5e71ed520eb

General

Target

b493d1c9dd3f410c6ca4a1de2a79bbb5.exe
Size

5.9MB
MD5

b493d1c9dd3f410c6ca4a1de2a79bbb5
SHA1

395734ae34624aa44bd06f1ecc45de14357dfe10
SHA256

f9006c1ef7c3d7ddec0e35d2e3faab0fe706e28b166bdc153676d5e71ed520eb
SHA512

817c7ffa8f24032cbbac196f35aac7ed114e789715308eadc4252b35eacc580277ee4304ecf36a1824c7cfed6099932d5b31fe8203ec5826065da8072a1cb316
SSDEEP

98304:21QTsHfgsazo2n9hpMWBYOPekwbKJuXc/k66CyIZsq9TMeyVstPUww/8fNYReF:6Z4Bz1h3Cdkus/k66RDqbtPUww/8OReF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
2528	VeryToolboxLauncher.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	b493d1c9dd3f410c6ca4a1de2a79bbb5.exe
2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Very Toolbox\is-0KRI9.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-U4BE7.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-O9IRD.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-H2BLO.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\libeay32.dll	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-7HN7T.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-51KNE.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-31QMR.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-I3135.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\RAR Recovery Toolbox.chm	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\ssleay32.dll	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\cc3260.dll	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\prRarRecoveryToolboxLib5.dll	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\unins000.dat	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\prRarRecoveryToolboxLib.dll	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\unins000.dat	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-RF9H0.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-SM5F6.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-61JD0.tmp	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\VeryToolboxLauncher.exe	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2612	2716	b493d1c9dd3f410c6ca4a1de2a79bbb5.exe	28
PID 2716 wrote to memory of 2612	2716	b493d1c9dd3f410c6ca4a1de2a79bbb5.exe	28
PID 2716 wrote to memory of 2612	2716	b493d1c9dd3f410c6ca4a1de2a79bbb5.exe	28
PID 2716 wrote to memory of 2612	2716	b493d1c9dd3f410c6ca4a1de2a79bbb5.exe	28
PID 2716 wrote to memory of 2612	2716	b493d1c9dd3f410c6ca4a1de2a79bbb5.exe	28
PID 2716 wrote to memory of 2612	2716	b493d1c9dd3f410c6ca4a1de2a79bbb5.exe	28
PID 2716 wrote to memory of 2612	2716	b493d1c9dd3f410c6ca4a1de2a79bbb5.exe	28
PID 2612 wrote to memory of 2528	2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp	29
PID 2612 wrote to memory of 2528	2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp	29
PID 2612 wrote to memory of 2528	2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp	29
PID 2612 wrote to memory of 2528	2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp	29
PID 2612 wrote to memory of 2528	2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp	29
PID 2612 wrote to memory of 2528	2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp	29
PID 2612 wrote to memory of 2528	2612	b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp	29

C:\Users\Admin\AppData\Local\Temp\b493d1c9dd3f410c6ca4a1de2a79bbb5.exe
"C:\Users\Admin\AppData\Local\Temp\b493d1c9dd3f410c6ca4a1de2a79bbb5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\is-RCR87.tmp\b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RCR87.tmp\b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp" /SL5="$40108,5523857,742400,C:\Users\Admin\AppData\Local\Temp\b493d1c9dd3f410c6ca4a1de2a79bbb5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Program Files (x86)\Very Toolbox\VeryToolboxLauncher.exe
    "C:\Program Files (x86)\Very Toolbox\VeryToolboxLauncher.exe" b493d1c9dd3f410c6ca4a1de2a79bbb5.exe
    3⤵
    - Executes dropped EXE
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Very Toolbox\VeryToolboxLauncher.exe

Filesize
4.5MB

MD5
adcbf4cf8b02c2b427b4e2c2c5ba80a2

SHA1
d6c126d4018d6f711ab2621bbbdc258a66822190

SHA256
c124a514e1a10ba14173945daaf098930931d72b517b9e6ba5e9d476c35799e5

SHA512
4cd98603fa88b950fc6ea487ef40230ff85bc972a9f221e0a8b43279e57d1146cde93430cff9b4c3b7e5127a1924972c98463b5d7efe2b1442a3cacee3ff9f02

Download Submit
\Users\Admin\AppData\Local\Temp\is-RCR87.tmp\b493d1c9dd3f410c6ca4a1de2a79bbb5.tmp

Filesize
2.4MB

MD5
a719a2e14b846d50a94c8b2f91f8a823

SHA1
89883c1e1855f6514094c88cd101fd0bacd9bf73

SHA256
f51624ea2094f8271cd71c557d90a695a274c851260b6c919644ed4d93b2d176

SHA512
a52fcda343f47175d15e2d2f454490be8badd7c17b462f5159823ed7ed5a6c8620d48bdcc2af76fb0cdbf2bb09888c4c8678f7f73fb384e32b9405e42037f68d

Download Submit
memory/2528-44-0x0000000000400000-0x00000000016A0000-memory.dmp

Filesize
18.6MB

Download
memory/2528-45-0x0000000000400000-0x00000000016A0000-memory.dmp

Filesize
18.6MB

Download
memory/2528-46-0x0000000000400000-0x00000000016A0000-memory.dmp

Filesize
18.6MB

Download
memory/2528-87-0x0000000000400000-0x00000000016A0000-memory.dmp

Filesize
18.6MB

Download
memory/2612-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2612-43-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2612-49-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2716-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2716-42-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing