Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    21-03-2024 14:28

General

  • Target
    VLAutoPro7.28.exe
  • Size
    598KB
  • MD5
    5e8364be5015b6be61696b456fbf12b7
  • SHA1
    172ac4d67cc13b6edbe2808f3527538ece6c0efd
  • SHA256
    43b86a3049543ecee5ed74dd5d852e2d46e0ffc189a2227c6d2b65467b130b00
  • SHA512
    99075f2070600f79c3b934133dd74924d9455675c592a79cd1a69df4a3acac50cfc1dd4f5b4b30b828c679b3ee5cec73d535b31b305b430e2396ea2a859e83f7
  • SSDEEP
    12288:l9OpSuHG0cqvNhHhbdlDeqq/vQg10TxD5XzA6okk9o1Cx1o5YWVK9l2n:6pSuHzbhBdlDeqq/H10TxDtM6+y1CSYW

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 47 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe
    "C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\SysWOW64\svshort.exe
        C:\Windows\system32\svshort.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4628
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4016
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VLAutoPro7.28.zip
    Filesize: 360KB
    MD5: daaa30ecf65403e41466d86215522bcf
    SHA1: 774194c0778c10e2d9272f2d36fe24758fa6ed9b
    SHA256: 7b664388183968fc36261475cf1bcdd75633c406ee532e4e83bfaf5cb8a4a84f
    SHA512: ba8fb80c37d30226b0dfc545161d438beb42b87d177f54f972fc7063eb44b59b33ea9372bf6cd1f424db2a9029461e5f7da14ed43b2cda43713b451bf9a7f615

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat
    Filesize: 996B
    MD5: 7a9803f989525a1374ed887518c91c01
    SHA1: 0582b8bd77829ed3b9fc2a1a58ffea8a0f03c80a
    SHA256: 550ec97e47c5eceb7a2eb6e35d1951a8d0ed1815e5ecf5b1461a98e78134d39a
    SHA512: e1e191c4494d76d31e2e9cfb75624d77d5b21bab179315ca912c334f133625dd1044f915c6746fe9087a7224ff2ee8d7fb96e178b1b897c93fcb7ce7bd7f0c73

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mc.dat
    Filesize: 38B
    MD5: 786df1745a46be0beb31a717d4d219ac
    SHA1: ff144f89e6b1b4357ec957ad24a8078f30ef14f4
    SHA256: 5be4f914b383dbc464215981549063bd3f23ad1833a75bdf682f001c0b622559
    SHA512: 03cad375391576167e3e2dba7cc8d7ff558f9055270aa90012568ea8fdb2526f2d7bf23d57aa5b6e37e221bfd370f17fac63d26f869d6464c44a233336898c60

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin
    Filesize: 4KB
    MD5: 61022a2265fce6d7158c46b8a48e0e37
    SHA1: 47410c7c2b0a7073ea47bc8756e97162e0cde163
    SHA256: 3d4f1282beec16cfc8b14f7aaf21b951086faac3d89249a619f955ae1f05b0b6
    SHA512: f7f56b9add45e7b5d3c5884a8c4e86c4bb5536785870714cace5340fb439af90a1adbcc09f4c65da481336f3bbe1c49585d876e012f84f570f7e0a41a292bc23

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
    Filesize: 7KB
    MD5: a455ca431e66975d886f1a8cfee8cb9f
    SHA1: 95868529973c77199b76ec593a686d9b324dee8b
    SHA256: 6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056
    SHA512: 53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshort.exe
    Filesize: 428KB
    MD5: 4f2598e0335a8785a7777b76714c0a50
    SHA1: 06ea320b04d8bc2d1349fd53dbfefc24a6c870d7
    SHA256: bf5146235bdb90045174c9604ae938982251ac39840782b4dd02f3064f474660
    SHA512: bdf99154fdd7b1d4ca2adef99f03affcaa342b361cab571cb24c01f5a0d85e47a43a55cf0ab793c74d16523ff3beb6c65c7c7eb1a5a58378c3518da3adce4c20

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshorthk.dll
    Filesize: 24KB
    MD5: 0dd68b8930c9e39a6d794ab4544a08b3
    SHA1: fde93e99a3caa68da6a779a5ec29fd37fdd0c7d1
    SHA256: 6d9ae822a254d96cddd8e13114e5be9caf9faa57655696bb5c7211dd96b11ad1
    SHA512: dcdd233ed41cbe91f13f5daf4a4bdf51fc8a070afbd594f755ee52205aee0dc44c609206e1615e18aab512e9ca2a572116e6b0214ec0d13118ae2fd4e1003437

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\svshortwb.dll
    Filesize: 40KB
    MD5: 0a062bf81e9c6150e207cb68ab69bb7a
    SHA1: ed147ea3f2605a5913b6b7ff87cf70ab10d2d68d
    SHA256: 34922769f5b4512bb9d66c36c1b6ad218d272ff23f41ded0462df2b330e9a5b1
    SHA512: b87fc0512f0ec4b2a8991e1f27c65b440ef1fb223449ac7f971a738987ca09948c4860a3bbcd07098281c3c2247434448234cc8765a8222fa5db4b17db63e066

  • C:\Windows\SysWOW64\mc.dat
    Filesize: 38B
    MD5: 6ef573039518dd1b935d5f90575acfc1
    SHA1: fa76137f023c90ab85dd0d8376d58135d526d218
    SHA256: 29855077d58666babb14e533019c1f75dc2280263f04e4d3b5014aba8df4bfb3
    SHA512: 55c9e7567efbb02453a7a4add946a66447ea6d5444c5605a6d913ea7247e52354142092d339964ddce0921f688f070eae5492d596dec664c1eccd4dfbdd5cf87

  • C:\Windows\SysWOW64\pk.bin
    Filesize: 4KB
    MD5: 7bafaa547b6763a866796dd76a748511
    SHA1: 7eb671e7fc9d41c270b9d2bc8e3d6526b62766f3
    SHA256: 08eed37fdaf682ca23bd4b2ccfe3d0c61019209f35d0df20da406a76acc72fd0
    SHA512: 8818d57cacf95e090985ec913ecd3f4ef4c67e7a8586f395d62076d4bc49fc95e9a9e006fa003d5a9b0d24302622bca3861d69cd17ea1b98bc7f542fd5ace36b

  • C:\Windows\SysWOW64\svshort.exe
    Filesize: 428KB
    MD5: bae0fb25bcf05a5da7fde8dce759ee0d
    SHA1: bc74b07d14a63ce572755c70ceb796136d129e20
    SHA256: b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d
    SHA512: 74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929

  • C:\Windows\SysWOW64\svshorthk.dll
    Filesize: 24KB
    MD5: 58129986fa29f6dacd99ab45f60bcb3c
    SHA1: 7f21995794a060fc8629e0d113cf568de14c509e
    SHA256: 525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a
    SHA512: 62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a

  • C:\Windows\SysWOW64\svshortwb.dll
    Filesize: 40KB
    MD5: 2e6016325548ab79e2d636640c6ec473
    SHA1: 586e2b84d46ef00e26c1686033def28e8a9995a5
    SHA256: 62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e
    SHA512: 1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86

  • memory/3952-52-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB

  • memory/3952-53-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize: 72KB