a0cbaa1d30c81051528609376fe68d782bed44d5ff2bc4bd17ae57ac77a18758

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EverVaccine.exe
Size

784KB
MD5

10df4a038e393878435f4c4079eefc17
SHA1

ebf933824c877e0405b5e9898293dfe5c74a38af
SHA256

537c56ff3dc2b369233a1d63b30e8aab281b0878be355d510e7ba51f2992330a
SHA512

b9ae0d4a18ce4373456a07a915ac008f9aef029501b607cad6a2133861dac81af90bcd6890ab3c0354d6ab667cb2123d3dea20feb570970e80b37be34308e32c
SSDEEP

12288:lr+W+3aqnugIvJkzZmVelG4129KIdkcu+fnDdbNj/W/MHsx:lqW+3aKeWzZmVelG45c1fnDdb

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1312	EverVaccine.exe
1312	EverVaccine.exe
1312	EverVaccine.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1312	EverVaccine.exe
1312	EverVaccine.exe
1132	EverVaccineReg.exe
1132	EverVaccineReg.exe
2628	EverVaccineUpdate.exe
2628	EverVaccineUpdate.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1132	1312	EverVaccine.exe	28
PID 1312 wrote to memory of 1132	1312	EverVaccine.exe	28
PID 1312 wrote to memory of 1132	1312	EverVaccine.exe	28
PID 1312 wrote to memory of 1132	1312	EverVaccine.exe	28
PID 1312 wrote to memory of 2628	1312	EverVaccine.exe	29
PID 1312 wrote to memory of 2628	1312	EverVaccine.exe	29
PID 1312 wrote to memory of 2628	1312	EverVaccine.exe	29
PID 1312 wrote to memory of 2628	1312	EverVaccine.exe	29
PID 1312 wrote to memory of 2628	1312	EverVaccine.exe	29
PID 1312 wrote to memory of 2628	1312	EverVaccine.exe	29
PID 1312 wrote to memory of 2628	1312	EverVaccine.exe	29

C:\Users\Admin\AppData\Local\Temp\EverVaccine.exe
"C:\Users\Admin\AppData\Local\Temp\EverVaccine.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\etc\EverVaccineReg.exe
  C:\Users\Admin\AppData\Local\Temp\etc\EverVaccineReg.exe /avscanpro /chk
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\EverVaccineUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\EverVaccineUpdate.exe" /b
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EverVaccine\btn_scan.bmp

Filesize
40KB

MD5
8acc9b03a34766471bb66e1bc758547b

SHA1
e8bafb101c92daf4b1f43d8044e40cfd74e55d15

SHA256
eadc0cc9ba8870eec32ea1c71596d96ee47ee550b697a86f50517bb8578b3a01

SHA512
8ca9c25fc239ec4910fffa5e166a83346462bad07a5fa428bb35032c4ab7e2ebb440b9015abff486d6b58b379c449bd58efd3821bbe254a90115a52141804432

Download Submit
C:\Users\Admin\AppData\Local\Temp\EverVaccine\list_control\HorizontalScrollBarLeftArrow.bmp

Filesize
728B

MD5
cce234a253b22709eeff1eb27627eb70

SHA1
9617f5523a1f0b1b439b689be38197e86a22c04f

SHA256
d35ba5bdfc8d4ab4dc1a92c436e29cd30ab66fd63fe970783daab7b177da9156

SHA512
f5fa6ec560e5090c5c90dd184de256dcdd3c27369e987d77027a40bc04e30070dc885dc2168beba01b6cc60f60e18b400655e400b24bbad1144fd8cb24f4d51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EverVaccine\list_control\HorizontalScrollBarRightArrow.bmp

Filesize
728B

MD5
4b836f7ce1d00463de54cf6e41ea6f85

SHA1
d20223209db0fecb8b79808f2130d103172b77bf

SHA256
5d2a7d9dac987fae6c0d3e2716c5dce8cc06e0e8ba63d974a71c5c26e718cc30

SHA512
6dc99fb85febe6eb61699890401dcbf680aac339d85e421fa4fef695fa0e03173a011b67de3e3a6b6af30f45a475fc18b4845d992641c1e35bf268fea116317e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EverVaccine\list_control\HorizontalScrollBarSpan.bmp

Filesize
840B

MD5
ad9ed7eb38f1be915ee8dde928ee5507

SHA1
7d093c2037fbe2f2bf49a516aa499c0358ebda2f

SHA256
f27d2b11e462dec99d1feb1255c5af76f7f5627153008d64f0f354897d1d240a

SHA512
cacb5ca60557ce72bc953cc869628a47e67026991fed021bbf29e31fc8c1ff94ca057324f83f9ae7a8884ece5f3eea9d1b0d53536550d7bd2870f0de578221a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EverVaccine\list_control\HorizontalScrollBarThumb.bmp

Filesize
840B

MD5
b3df2057f35ff9bb6ce4e00ddc7e9faa

SHA1
cc31aa8e17eb99aa6017dd4da428b8529e9c0a95

SHA256
2fa4097cf3e6f92362264c7e463144b992e8ec1c25b97a94217782a2938c231d

SHA512
1133a4a9a3546cc273b3757bb999d9ff18bb46c9d38ade4ac5a940d2fa72cb20ca00409ca3a17a1ed19a23ca32f4dd04c360c209400ae8b6dcd422ee3a36e3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EverVaccine\list_control\VerticleScrollBarDownArrow.bmp

Filesize
672B

MD5
87d9e9736eaeba05f5fa309f2c96a152

SHA1
e3c6ca90deb3a0f082ec640552f28153854ece9a

SHA256
c31e2c6efb7f32c0d9f525291acd7fe2ab5612c64f9b0bb6efd3f7819e8573d2

SHA512
305e5394dd3a1b5f74914dcce8417e12a7906a341a3c65a21975a8e9a0b8a06a79c7ce84df53f955e4f96f58eb594bdab54078785bc9d185225e8d30fbfb9550

Download Submit
C:\Users\Admin\AppData\Local\Temp\EverVaccine\list_control\VerticleScrollBarSpan.bmp

Filesize
276B

MD5
e811c204c42e03e0349f9a6ef6f56df7

SHA1
f49b3f3f8fd85961ff5b81366b0075d672000a08

SHA256
40cb66ca15c55dae3ef084c3693d1d173fd849d1fa1809635f1ece3cff4ed934

SHA512
d52023793f2637becc402736c9b77c87a777bc0adb5bc0de7f2db136ee4b64317b70f9f437d0b031822c4ff056b6ef7cee7b1485ffa62eadb305117cc8613c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EverVaccine\list_control\VerticleScrollBarThumb.bmp

Filesize
848B

MD5
8bac23ed8ad19acbf115336a29e08fcb

SHA1
291433de1a0b349f334579d9cf3fc90275daed1d

SHA256
8ff6355af6466c1ced23e38593e015061354d3cb915d3c7b58477968b9e14264

SHA512
d44f0a51c9dc345308fc5b2e4442ee2bfda15b6efc87cdee9ec2b9fb5c614115f9a74a6a62211e96dc221aa2aab75ce5919b9541151acc4b05a2c7a4bde02f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EverVaccine\list_control\VerticleScrollBarUpArrow.bmp

Filesize
716B

MD5
3e8d74634f6a1f21103ecdb340b73821

SHA1
865b3eec97c1b1a2260fa9ec68583f2006a5b12a

SHA256
19b26a8d5e2d3a988cf87a5cb182d18ee960691650269935c84e1841e3a91fe2

SHA512
d99a92d9ea7d9a60f07e506f4ebbabb807fe87284931abab00875827207ba64476d4773ceb3243f5346f6e6348aafdb12e6e3ac15c63a675a290e6ab873a353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EverVaccine\list_control\VerticleScrollbarBottom.bmp

Filesize
672B

MD5
893198a29458f9697dab732a40e93bba

SHA1
49a72ca331af9b3f04d68f9f4b408b619d435196

SHA256
46a609fb484cb0dd96ba17941baf155e192c0117954f38ac0a847c2c32bd9c63

SHA512
3da020cdc1dfcff95d1ddeda1f5facf4fa7184646aa7d4f6c75ce09207d743b4455e3024ec1a888f2daa8cc5f992b80bd86e17eda7998181ab8a08cbbdef3e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\EverVaccine\service_title.bmp

Filesize
33KB

MD5
bb3fa02ddcb611aafbfca1f5de08f435

SHA1
34bf19338236e7ddd85a42685862979f490ed250

SHA256
656d673ca59825e39b809194086c1f5609e0a9e8c52c3af7a2fc9265fc7a7a51

SHA512
db8b10f2ab34499778a0ca5879c98648197ab6a7e9e5a4d5df2d2b57eb0752c533b8af82c1dd35d0738e17f8bd1a767ad12fb05bd222f927cc8800698e0e6b1a

Download Submit