Analysis
max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2024 14:28
Static task: static1
Behavioral task: behavioral1 (Sample: VLAutoPro7.28.exe, Resource: win7-20231129-en)
Behavioral task: behavioral2 (Sample: VLAutoPro7.28.exe, Resource: win10v2004-20240226-en)
General
Target: VLAutoPro7.28.exe
Size: 598KB
MD5: 5e8364be5015b6be61696b456fbf12b7
SHA1: 172ac4d67cc13b6edbe2808f3527538ece6c0efd
SHA256: 43b86a3049543ecee5ed74dd5d852e2d46e0ffc189a2227c6d2b65467b130b00
SHA512: 99075f2070600f79c3b934133dd74924d9455675c592a79cd1a69df4a3acac50cfc1dd4f5b4b30b828c679b3ee5cec73d535b31b305b430e2396ea2a859e83f7
SSDEEP: 12288:l9OpSuHG0cqvNhHhbdlDeqq/vQg10TxD5XzA6okk9o1Cx1o5YWVK9l2n:6pSuHzbhBdlDeqq/H10TxDtM6+y1CSYW
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation (VLAutoPro7.28.exe)
Executes dropped EXE (2 IoCs)
- PID 2424 rinst.exe
- PID 4628 svshort.exe
Loads dropped DLL (4 IoCs)
- PID 4628 svshort.exe
- PID 4628 svshort.exe
- PID 4628 svshort.exe
- PID 3952 VLAutoPro7.28.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svshort = "C:\\Windows\\SysWOW64\\svshort.exe" (svshort.exe)
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" (svshort.exe)
Drops file in System32 directory (8 IoCs)
- File created C:\Windows\SysWOW64\svshorthk.dll (rinst.exe)
- File created C:\Windows\SysWOW64\mc.dat (rinst.exe)
- File created C:\Windows\SysWOW64\svshortwb.dll (rinst.exe)
- File created C:\Windows\SysWOW64\inst.dat (rinst.exe)
- File created C:\Windows\SysWOW64\rinst.exe (rinst.exe)
- File opened for modification C:\Windows\SysWOW64\pk.bin (svshort.exe)
- File created C:\Windows\SysWOW64\pk.bin (rinst.exe)
- File created C:\Windows\SysWOW64\svshort.exe (rinst.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (47 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" (svshort.exe)
- Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings (rinst.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\svshortwb.dll" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWow64\\svshortwb.dll" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 (svshort.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} (svshort.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable (svshort.exe)
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 4628 svshort.exe (2 occurrences)
Suspicious use of SendNotifyMessage (64 IoCs)
- PID 4628 svshort.exe (64 occurrences)
Suspicious use of SetWindowsHookEx (9 IoCs)
- PID 4628 svshort.exe (9 occurrences)
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3952 wrote to memory of 2424 (VLAutoPro7.28.exe, procid_target 97), 3 occurrences
- PID 2424 wrote to memory of 4628 (rinst.exe, procid_target 99), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe (PID 3952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\VLAutoPro7.28.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe (PID 2424)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svshort.exe (PID 4628)
      Command line: C:\Windows\system32\svshort.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Installs/modifies Browser Helper Object
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe (PID 4016)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3336)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4172 --field-trial-handle=2280,i,8281149332300504990,9122875031903898779,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 360KB
  MD5: daaa30ecf65403e41466d86215522bcf
  SHA1: 774194c0778c10e2d9272f2d36fe24758fa6ed9b
  SHA256: 7b664388183968fc36261475cf1bcdd75633c406ee532e4e83bfaf5cb8a4a84f
  SHA512: ba8fb80c37d30226b0dfc545161d438beb42b87d177f54f972fc7063eb44b59b33ea9372bf6cd1f424db2a9029461e5f7da14ed43b2cda43713b451bf9a7f615
- Filesize: 996B
  MD5: 7a9803f989525a1374ed887518c91c01
  SHA1: 0582b8bd77829ed3b9fc2a1a58ffea8a0f03c80a
  SHA256: 550ec97e47c5eceb7a2eb6e35d1951a8d0ed1815e5ecf5b1461a98e78134d39a
  SHA512: e1e191c4494d76d31e2e9cfb75624d77d5b21bab179315ca912c334f133625dd1044f915c6746fe9087a7224ff2ee8d7fb96e178b1b897c93fcb7ce7bd7f0c73
- Filesize: 38B
  MD5: 786df1745a46be0beb31a717d4d219ac
  SHA1: ff144f89e6b1b4357ec957ad24a8078f30ef14f4
  SHA256: 5be4f914b383dbc464215981549063bd3f23ad1833a75bdf682f001c0b622559
  SHA512: 03cad375391576167e3e2dba7cc8d7ff558f9055270aa90012568ea8fdb2526f2d7bf23d57aa5b6e37e221bfd370f17fac63d26f869d6464c44a233336898c60
- Filesize: 4KB
  MD5: 61022a2265fce6d7158c46b8a48e0e37
  SHA1: 47410c7c2b0a7073ea47bc8756e97162e0cde163
  SHA256: 3d4f1282beec16cfc8b14f7aaf21b951086faac3d89249a619f955ae1f05b0b6
  SHA512: f7f56b9add45e7b5d3c5884a8c4e86c4bb5536785870714cace5340fb439af90a1adbcc09f4c65da481336f3bbe1c49585d876e012f84f570f7e0a41a292bc23
- Filesize: 7KB
  MD5: a455ca431e66975d886f1a8cfee8cb9f
  SHA1: 95868529973c77199b76ec593a686d9b324dee8b
  SHA256: 6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056
  SHA512: 53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531
- Filesize: 428KB
  MD5: 4f2598e0335a8785a7777b76714c0a50
  SHA1: 06ea320b04d8bc2d1349fd53dbfefc24a6c870d7
  SHA256: bf5146235bdb90045174c9604ae938982251ac39840782b4dd02f3064f474660
  SHA512: bdf99154fdd7b1d4ca2adef99f03affcaa342b361cab571cb24c01f5a0d85e47a43a55cf0ab793c74d16523ff3beb6c65c7c7eb1a5a58378c3518da3adce4c20
- Filesize: 24KB
  MD5: 0dd68b8930c9e39a6d794ab4544a08b3
  SHA1: fde93e99a3caa68da6a779a5ec29fd37fdd0c7d1
  SHA256: 6d9ae822a254d96cddd8e13114e5be9caf9faa57655696bb5c7211dd96b11ad1
  SHA512: dcdd233ed41cbe91f13f5daf4a4bdf51fc8a070afbd594f755ee52205aee0dc44c609206e1615e18aab512e9ca2a572116e6b0214ec0d13118ae2fd4e1003437
- Filesize: 40KB
  MD5: 0a062bf81e9c6150e207cb68ab69bb7a
  SHA1: ed147ea3f2605a5913b6b7ff87cf70ab10d2d68d
  SHA256: 34922769f5b4512bb9d66c36c1b6ad218d272ff23f41ded0462df2b330e9a5b1
  SHA512: b87fc0512f0ec4b2a8991e1f27c65b440ef1fb223449ac7f971a738987ca09948c4860a3bbcd07098281c3c2247434448234cc8765a8222fa5db4b17db63e066
- Filesize: 38B
  MD5: 6ef573039518dd1b935d5f90575acfc1
  SHA1: fa76137f023c90ab85dd0d8376d58135d526d218
  SHA256: 29855077d58666babb14e533019c1f75dc2280263f04e4d3b5014aba8df4bfb3
  SHA512: 55c9e7567efbb02453a7a4add946a66447ea6d5444c5605a6d913ea7247e52354142092d339964ddce0921f688f070eae5492d596dec664c1eccd4dfbdd5cf87
- Filesize: 4KB
  MD5: 7bafaa547b6763a866796dd76a748511
  SHA1: 7eb671e7fc9d41c270b9d2bc8e3d6526b62766f3
  SHA256: 08eed37fdaf682ca23bd4b2ccfe3d0c61019209f35d0df20da406a76acc72fd0
  SHA512: 8818d57cacf95e090985ec913ecd3f4ef4c67e7a8586f395d62076d4bc49fc95e9a9e006fa003d5a9b0d24302622bca3861d69cd17ea1b98bc7f542fd5ace36b
- Filesize: 428KB
  MD5: bae0fb25bcf05a5da7fde8dce759ee0d
  SHA1: bc74b07d14a63ce572755c70ceb796136d129e20
  SHA256: b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d
  SHA512: 74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929
- Filesize: 24KB
  MD5: 58129986fa29f6dacd99ab45f60bcb3c
  SHA1: 7f21995794a060fc8629e0d113cf568de14c509e
  SHA256: 525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a
  SHA512: 62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a
- Filesize: 40KB
  MD5: 2e6016325548ab79e2d636640c6ec473
  SHA1: 586e2b84d46ef00e26c1686033def28e8a9995a5
  SHA256: 62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e
  SHA512: 1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86