e9b55ef2b2ed31a8fb742fe32cebce38a4a3d991b5028392b7d3bbef0e27a18f

General

Target

d5cb59fdd0eed8dd1391fc7d3fccd34a.exe
Size

6.1MB
MD5

d5cb59fdd0eed8dd1391fc7d3fccd34a
SHA1

59244144988dd83d0de0db464562b4e3ebc9b6e7
SHA256

e9b55ef2b2ed31a8fb742fe32cebce38a4a3d991b5028392b7d3bbef0e27a18f
SHA512

4fd2642f61a5a5058147943148871a04bcf528c5da91e313f19adfd3c4cc9e95cbde7408836dfb94267daca5ad504ea52b8eed5bb7907731bec5de9a4e45a9a2
SSDEEP

98304:21QTsHfgsazo2n9hpMU4M9cKbdY4YmdCQtjWdfnqKN0r4KQLwNYReF:6J4Bz1hoKbd6mgUazNieL5ReF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4100	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
4412	VeryToolboxLauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Very Toolbox\is-VOB7K.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-3C5QO.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\VeryToolboxLauncher.exe	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\unins000.dat	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\prRarRecoveryToolboxLib5.dll	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-L66TG.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-51DEK.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-J3RU3.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-5C24I.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-D6GNF.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-B5EAG.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\prRarRecoveryToolboxLib.dll	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\ssleay32.dll	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\libeay32.dll	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-HCE18.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-EBSHU.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File created	C:\Program Files (x86)\Very Toolbox\is-3SBLA.tmp	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\unins000.dat	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\cc3260.dll	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
File opened for modification	C:\Program Files (x86)\Very Toolbox\RAR Recovery Toolbox.chm	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4100	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
4100	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4100	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4100	4668	d5cb59fdd0eed8dd1391fc7d3fccd34a.exe	96
PID 4668 wrote to memory of 4100	4668	d5cb59fdd0eed8dd1391fc7d3fccd34a.exe	96
PID 4668 wrote to memory of 4100	4668	d5cb59fdd0eed8dd1391fc7d3fccd34a.exe	96
PID 4100 wrote to memory of 4412	4100	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp	100
PID 4100 wrote to memory of 4412	4100	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp	100
PID 4100 wrote to memory of 4412	4100	d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp	100

C:\Users\Admin\AppData\Local\Temp\d5cb59fdd0eed8dd1391fc7d3fccd34a.exe
"C:\Users\Admin\AppData\Local\Temp\d5cb59fdd0eed8dd1391fc7d3fccd34a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\is-L5A9M.tmp\d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L5A9M.tmp\d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp" /SL5="$B003E,5657444,742400,C:\Users\Admin\AppData\Local\Temp\d5cb59fdd0eed8dd1391fc7d3fccd34a.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Program Files (x86)\Very Toolbox\VeryToolboxLauncher.exe
    "C:\Program Files (x86)\Very Toolbox\VeryToolboxLauncher.exe" d5cb59fdd0eed8dd1391fc7d3fccd34a.exe
    3⤵
    - Executes dropped EXE
    PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Very Toolbox\VeryToolboxLauncher.exe

Filesize
4.7MB

MD5
4c7fad60e590cdb5e0be9bbc5bfe0d63

SHA1
5af4e3e0b0f1cdc0873e659af4602f4b10d70fdf

SHA256
64991ef3655d382c70cb0219d7b1dff1826c6546092690b636b45dc45e4884c8

SHA512
2e620a54f8832d86f3732247f9240d83e2a77d8820d3ce2de5b66cd385cb6aed9417c0c393e5bc3ca5336ca95c4c3a8bea7459f4a9899fec49acd25db2993d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L5A9M.tmp\d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp

Filesize
792KB

MD5
91f9cec42efc700661f58efe32fe12ea

SHA1
7adf680c6c32f602087759e1804ac087a3948de2

SHA256
8bb298662b0c5001e110ea710451bd127ab204d68fbade95cd490b176098a8a4

SHA512
85fe70f3c7387c2e78ea49b79b596e485ae33380016235165a1d1aeaedbd09394c96b0ab04a66a5e829899aec582524f8a4bdfc61266350223e8840c3edcc86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L5A9M.tmp\d5cb59fdd0eed8dd1391fc7d3fccd34a.tmp

Filesize
2.4MB

MD5
a719a2e14b846d50a94c8b2f91f8a823

SHA1
89883c1e1855f6514094c88cd101fd0bacd9bf73

SHA256
f51624ea2094f8271cd71c557d90a695a274c851260b6c919644ed4d93b2d176

SHA512
a52fcda343f47175d15e2d2f454490be8badd7c17b462f5159823ed7ed5a6c8620d48bdcc2af76fb0cdbf2bb09888c4c8678f7f73fb384e32b9405e42037f68d

Download Submit
memory/4100-39-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/4100-5-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/4100-46-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/4412-42-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/4412-40-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/4412-41-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/4412-45-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/4412-55-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/4412-83-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/4668-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/4668-7-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download

Analysis

Sharing