Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-03-2024 14:28

General

  • Target

    VLAutoPro7.28.exe

  • Size

    598KB

  • MD5

    5e8364be5015b6be61696b456fbf12b7

  • SHA1

    172ac4d67cc13b6edbe2808f3527538ece6c0efd

  • SHA256

    43b86a3049543ecee5ed74dd5d852e2d46e0ffc189a2227c6d2b65467b130b00

  • SHA512

    99075f2070600f79c3b934133dd74924d9455675c592a79cd1a69df4a3acac50cfc1dd4f5b4b30b828c679b3ee5cec73d535b31b305b430e2396ea2a859e83f7

  • SSDEEP

    12288:l9OpSuHG0cqvNhHhbdlDeqq/vQg10TxD5XzA6okk9o1Cx1o5YWVK9l2n:6pSuHzbhBdlDeqq/H10TxDtM6+y1CSYW

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (9 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory (8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (46 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (9 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe
    "C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\svshort.exe
        C:\Windows\system32\svshort.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2660
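The signature list and the process tree above describe one chain: a WinRAR self-extractor unpacks into RarSFX0 and runs rinst.exe, rinst.exe drops svshort.exe into SysWOW64 and launches it, and that process then adds a Run value and registers a Browser Helper Object. As an added example, not part of this report or of the sample, the following Python correlates that chain from Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set) by tainting any process launched from a RarSFX extraction directory and following it to its children. The event records are constructed from the report's tree; the Run value name, the BHO CLSID, the user SID and the benign OneDrive entry are placeholders, because the report gives none of them.

```python
"""Correlate the RarSFX -> rinst.exe -> svshort.exe chain from Sysmon-style events.

Added example, not part of the sandbox report. The records in EVENTS are
constructed from the report's process tree and signature list; the report
itself contains no event log, Run value name or BHO CLSID.
"""
import re

# WinRAR self-extractors unpack into %TEMP%\RarSFX<n>\ before running the payload.
RARSFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
BHO_KEY = re.compile(r"\\Explorer\\Browser Helper Objects\\\{[0-9A-F-]+\}", re.IGNORECASE)


def correlate(events):
    """Return (pid, rule, detail) alerts.

    Taint starts at any process whose image lives in a RarSFX extraction
    directory, follows ParentProcessId -> ProcessId, and fires when a tainted
    process executes from or writes into a system directory, registers a Run
    value, or touches a Browser Helper Object key. Events must be in
    chronological order, as Sysmon emits them.
    """
    tainted = set()
    alerts = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 1:
            if RARSFX_DIR.search(ev["Image"]) or ev["ParentProcessId"] in tainted:
                tainted.add(pid)
                if SYSTEM_DIR.match(ev["Image"]):
                    alerts.append((pid, "tainted-exec-from-system-dir", ev["Image"]))
            continue
        if pid not in tainted:
            continue
        if eid == 11 and SYSTEM_DIR.match(ev["TargetFilename"]):
            alerts.append((pid, "drop-in-system-dir", ev["TargetFilename"]))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            alerts.append((pid, "run-key-persistence", ev["Details"]))
        elif eid == 13 and BHO_KEY.search(ev["TargetObject"]):
            alerts.append((pid, "bho-install", ev["TargetObject"]))
    return alerts


# Constructed from the report's process tree (PIDs 3040, 2908, 2660); the
# parent PID 1200, the SID, the Run value name "svshort", the all-zero CLSID
# and the OneDrive entry are placeholders, not data from the report.
EVENTS = [
    {"EventID": 1, "ProcessId": 3040, "ParentProcessId": 1200,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe"},
    {"EventID": 11, "ProcessId": 3040,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"},
    {"EventID": 1, "ProcessId": 2908, "ParentProcessId": 3040,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"},
    {"EventID": 11, "ProcessId": 2908,
     "TargetFilename": r"C:\Windows\SysWOW64\svshort.exe"},
    {"EventID": 1, "ProcessId": 2660, "ParentProcessId": 2908,
     "Image": r"C:\Windows\SysWOW64\svshort.exe"},
    {"EventID": 13, "ProcessId": 2660,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\svshort",
     "Details": r"C:\Windows\SysWOW64\svshort.exe"},
    {"EventID": 13, "ProcessId": 2660,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
                     r"\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}\NoExplorer",
     "Details": "DWORD (0x00000001)"},
    # Untainted process writing a Run value: must not fire.
    {"EventID": 13, "ProcessId": 1200,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The taint seed is the extraction-directory pattern rather than any file name, so the same logic covers other RarSFX droppers; the cost is that a legitimate SFX installer writing into System32 or adding a Run value will also fire, which is the point at which signer information or an allow-list should be consulted.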

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

    Filesize

    996B

    MD5

    7a9803f989525a1374ed887518c91c01

    SHA1

    0582b8bd77829ed3b9fc2a1a58ffea8a0f03c80a

    SHA256

    550ec97e47c5eceb7a2eb6e35d1951a8d0ed1815e5ecf5b1461a98e78134d39a

    SHA512

    e1e191c4494d76d31e2e9cfb75624d77d5b21bab179315ca912c334f133625dd1044f915c6746fe9087a7224ff2ee8d7fb96e178b1b897c93fcb7ce7bd7f0c73

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mc.dat

    Filesize

    38B

    MD5

    786df1745a46be0beb31a717d4d219ac

    SHA1

    ff144f89e6b1b4357ec957ad24a8078f30ef14f4

    SHA256

    5be4f914b383dbc464215981549063bd3f23ad1833a75bdf682f001c0b622559

    SHA512

    03cad375391576167e3e2dba7cc8d7ff558f9055270aa90012568ea8fdb2526f2d7bf23d57aa5b6e37e221bfd370f17fac63d26f869d6464c44a233336898c60

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

    Filesize

    4KB

    MD5

    61022a2265fce6d7158c46b8a48e0e37

    SHA1

    47410c7c2b0a7073ea47bc8756e97162e0cde163

    SHA256

    3d4f1282beec16cfc8b14f7aaf21b951086faac3d89249a619f955ae1f05b0b6

    SHA512

    f7f56b9add45e7b5d3c5884a8c4e86c4bb5536785870714cace5340fb439af90a1adbcc09f4c65da481336f3bbe1c49585d876e012f84f570f7e0a41a292bc23

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshort.exe

    Filesize

    428KB

    MD5

    4f2598e0335a8785a7777b76714c0a50

    SHA1

    06ea320b04d8bc2d1349fd53dbfefc24a6c870d7

    SHA256

    bf5146235bdb90045174c9604ae938982251ac39840782b4dd02f3064f474660

    SHA512

    bdf99154fdd7b1d4ca2adef99f03affcaa342b361cab571cb24c01f5a0d85e47a43a55cf0ab793c74d16523ff3beb6c65c7c7eb1a5a58378c3518da3adce4c20

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshorthk.dll

    Filesize

    24KB

    MD5

    0dd68b8930c9e39a6d794ab4544a08b3

    SHA1

    fde93e99a3caa68da6a779a5ec29fd37fdd0c7d1

    SHA256

    6d9ae822a254d96cddd8e13114e5be9caf9faa57655696bb5c7211dd96b11ad1

    SHA512

    dcdd233ed41cbe91f13f5daf4a4bdf51fc8a070afbd594f755ee52205aee0dc44c609206e1615e18aab512e9ca2a572116e6b0214ec0d13118ae2fd4e1003437

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshortwb.dll

    Filesize

    40KB

    MD5

    0a062bf81e9c6150e207cb68ab69bb7a

    SHA1

    ed147ea3f2605a5913b6b7ff87cf70ab10d2d68d

    SHA256

    34922769f5b4512bb9d66c36c1b6ad218d272ff23f41ded0462df2b330e9a5b1

    SHA512

    b87fc0512f0ec4b2a8991e1f27c65b440ef1fb223449ac7f971a738987ca09948c4860a3bbcd07098281c3c2247434448234cc8765a8222fa5db4b17db63e066

  • C:\Windows\SysWOW64\mc.dat

    Filesize

    38B

    MD5

    6ef573039518dd1b935d5f90575acfc1

    SHA1

    fa76137f023c90ab85dd0d8376d58135d526d218

    SHA256

    29855077d58666babb14e533019c1f75dc2280263f04e4d3b5014aba8df4bfb3

    SHA512

    55c9e7567efbb02453a7a4add946a66447ea6d5444c5605a6d913ea7247e52354142092d339964ddce0921f688f070eae5492d596dec664c1eccd4dfbdd5cf87

  • C:\Windows\SysWOW64\pk.bin

    Filesize

    4KB

    MD5

    7bafaa547b6763a866796dd76a748511

    SHA1

    7eb671e7fc9d41c270b9d2bc8e3d6526b62766f3

    SHA256

    08eed37fdaf682ca23bd4b2ccfe3d0c61019209f35d0df20da406a76acc72fd0

    SHA512

    8818d57cacf95e090985ec913ecd3f4ef4c67e7a8586f395d62076d4bc49fc95e9a9e006fa003d5a9b0d24302622bca3861d69cd17ea1b98bc7f542fd5ace36b

  • C:\Windows\SysWOW64\svshorthk.dll

    Filesize

    24KB

    MD5

    58129986fa29f6dacd99ab45f60bcb3c

    SHA1

    7f21995794a060fc8629e0d113cf568de14c509e

    SHA256

    525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a

    SHA512

    62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

  • C:\Windows\SysWOW64\svshortwb.dll

    Filesize

    40KB

    MD5

    2e6016325548ab79e2d636640c6ec473

    SHA1

    586e2b84d46ef00e26c1686033def28e8a9995a5

    SHA256

    62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e

    SHA512

    1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

  • \Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

    Filesize

    7KB

    MD5

    a455ca431e66975d886f1a8cfee8cb9f

    SHA1

    95868529973c77199b76ec593a686d9b324dee8b

    SHA256

    6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056

    SHA512

    53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

  • \Windows\SysWOW64\svshort.exe

    Filesize

    428KB

    MD5

    bae0fb25bcf05a5da7fde8dce759ee0d

    SHA1

    bc74b07d14a63ce572755c70ceb796136d129e20

    SHA256

    b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d

    SHA512

    74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

  • memory/3040-62-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB
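Every name that appears both under RarSFX0 and under SysWOW64 in the list above (mc.dat, pk.bin, svshort.exe, svshorthk.dll, svshortwb.dll) is reported with the same size but a different SHA256, so rinst.exe does not simply copy the extracted files into place, and the hashes of the temp copies will not match what is left on an infected host. The report does not say what changes inside the files. The following Python, an added example that is not part of the report, transcribes the table, picks out those rewritten names, and hunts a directory tree by known hash or, as a weaker fallback, by dropped-file name. The demo tree it builds is constructed; the file contents in it are not the sample.

```python
"""Hunt data derived from the report's dropped-file list.

Added example, not part of the sandbox report. IOCS is transcribed from the
Downloads section (path, reported size, SHA256); everything else is helper
code written for this example.
"""
import hashlib
import ntpath
import os
import tempfile
from collections import defaultdict

IOCS = [
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat", "996B",
     "550ec97e47c5eceb7a2eb6e35d1951a8d0ed1815e5ecf5b1461a98e78134d39a"),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\mc.dat", "38B",
     "5be4f914b383dbc464215981549063bd3f23ad1833a75bdf682f001c0b622559"),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin", "4KB",
     "3d4f1282beec16cfc8b14f7aaf21b951086faac3d89249a619f955ae1f05b0b6"),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshort.exe", "428KB",
     "bf5146235bdb90045174c9604ae938982251ac39840782b4dd02f3064f474660"),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshorthk.dll", "24KB",
     "6d9ae822a254d96cddd8e13114e5be9caf9faa57655696bb5c7211dd96b11ad1"),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshortwb.dll", "40KB",
     "34922769f5b4512bb9d66c36c1b6ad218d272ff23f41ded0462df2b330e9a5b1"),
    (r"C:\Windows\SysWOW64\mc.dat", "38B",
     "29855077d58666babb14e533019c1f75dc2280263f04e4d3b5014aba8df4bfb3"),
    (r"C:\Windows\SysWOW64\pk.bin", "4KB",
     "08eed37fdaf682ca23bd4b2ccfe3d0c61019209f35d0df20da406a76acc72fd0"),
    (r"C:\Windows\SysWOW64\svshorthk.dll", "24KB",
     "525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a"),
    (r"C:\Windows\SysWOW64\svshortwb.dll", "40KB",
     "62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e"),
    (r"\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe", "7KB",
     "6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056"),
    (r"\Windows\SysWOW64\svshort.exe", "428KB",
     "b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d"),
]


def by_basename(iocs):
    """Group rows by file name; ntpath because these are Windows paths."""
    groups = defaultdict(list)
    for path, size, sha in iocs:
        groups[ntpath.basename(path).lower()].append((path, size, sha))
    return dict(groups)


def rewritten_on_install(iocs):
    """Names dropped in RarSFX0 and again in SysWOW64 with a different SHA256.
    For these the temp-copy hash never matches the installed copy."""
    changed = {}
    for name, copies in by_basename(iocs).items():
        if len(copies) > 1 and len({sha for _, _, sha in copies}) > 1:
            changed[name] = copies
    return changed


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, iocs=IOCS):
    """Walk root; return (path, kind, sha256) for files matching a known hash
    ('hash') or only a known dropped-file name ('name', the weaker signal)."""
    known_hashes = {sha for _, _, sha in iocs}
    known_names = set(by_basename(iocs))
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            sha = sha256_of(p)
            if sha in known_hashes:
                hits.append((p, "hash", sha))
            elif fn.lower() in known_names:
                hits.append((p, "name", sha))
    return hits


def build_demo_tree():
    """Constructed stand-in for an infected host: one file carrying a dropped
    name (content unknown, so only a name hit) and one whose hash is appended
    to the IoC list to exercise the hash path. Returns (root, iocs)."""
    root = tempfile.mkdtemp(prefix="hunt-demo-")
    with open(os.path.join(root, "svshort.exe"), "wb") as f:
        f.write(b"not the real sample")
    marker = os.path.join(root, "marker.bin")
    with open(marker, "wb") as f:
        f.write(b"constructed content")
    return root, IOCS + [(marker, "19B", sha256_of(marker))]


if __name__ == "__main__":
    for name, copies in sorted(rewritten_on_install(IOCS).items()):
        print(name, [(size, sha[:12]) for _, size, sha in copies])
    root, iocs = build_demo_tree()
    for hit in hunt(root, iocs):
        print(hit)
```

On a real host the SysWOW64 rows are the ones to match by hash; the RarSFX0 rows only help if the extraction directory still exists. Because the installed copies differ per run in a way the report does not explain, a name hit on svshort.exe, svshorthk.dll or svshortwb.dll in a system directory should be treated as a lead to triage rather than as noise.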