354aafdbc9a8adcbe4606bb69e423390990fcbabcc0aa5871b64a1f425719146

General

Target

vape v4 legacy.exe
Size

10.3MB
MD5

dcabccc273edfee0e0b1ce0bdf9c4ac1
SHA1

9eb68d706e55cd77a3006bedb3cba788d90e4a07
SHA256

354aafdbc9a8adcbe4606bb69e423390990fcbabcc0aa5871b64a1f425719146
SHA512

e76bc52e8ee9b6b4a987641a530bcf66485a724b5b1ff95659f57508e609a98243f3a3276894ffc1d67db1899fa43d4129281b3f1e2d06e299ac9055b8da013e
SSDEEP

196608:vgynrxTZ/xV6Kh0p6TKjdyR80llgwEgYEECfMdEH:vg4r5Z/xmrYgwEgYEEWMC

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6HkT3NUhDH.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6HkT3NUhDH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6HkT3NUhDH.exe

Executes dropped EXE 2 IoCs

pid	Process
2760	ins85A4.tmp
2668	6HkT3NUhDH.exe

Loads dropped DLL 3 IoCs

pid	Process
1760	vape v4 legacy.exe
1760	vape v4 legacy.exe
2152	Process not Found

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6HkT3NUhDH.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2668	6HkT3NUhDH.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	6HkT3NUhDH.exe
Token: SeDebugPrivilege	2668	6HkT3NUhDH.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2760	1760	vape v4 legacy.exe	28
PID 1760 wrote to memory of 2760	1760	vape v4 legacy.exe	28
PID 1760 wrote to memory of 2760	1760	vape v4 legacy.exe	28
PID 1760 wrote to memory of 2668	1760	vape v4 legacy.exe	30
PID 1760 wrote to memory of 2668	1760	vape v4 legacy.exe	30
PID 1760 wrote to memory of 2668	1760	vape v4 legacy.exe	30

C:\Users\Admin\AppData\Local\Temp\vape v4 legacy.exe
"C:\Users\Admin\AppData\Local\Temp\vape v4 legacy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\ins85A4.tmp
  C:\Users\Admin\AppData\Local\Temp\ins85A4.tmp
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe
  C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe

Filesize
2.4MB

MD5
1eb1d6e4974cbe043a45da8cc3ef34ca

SHA1
7f6dee6c61d8d86da88550cbcea56541f5407c24

SHA256
e0da5b396fb80790c012f0a136a4d7d4534538dbb3f836ddaaa75676919d2e69

SHA512
d3037936f66d5793f0fb11bed7395948d3ed766846ed689753c8b0a7ebc412302a191ea8a257862b44b9ec4867bbb62f089396206b7cae0872d2b22d52c11fa8

Download Submit
\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe

Filesize
460KB

MD5
09a66559a5be93eae8af6de00547b09b

SHA1
4e31190d7c4925fcddab51a21f43da10070c58bd

SHA256
3a96c10a25807c6568185c5121e765306e9c5969e932a6b040759f0fa57426a3

SHA512
62e3fd8d853512e6098cdce071d32e857e98cb47b670792a67af1a613c9b4d34e0c383ace4545ff3bef93ebddd354f601ff152591afd5f1fecd84a95175c1706

Download Submit
\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe

Filesize
2.8MB

MD5
eb58303057e10f68e76921207597d3e0

SHA1
f9dbc1d267450a71c568a07405d03457f1ca9ab8

SHA256
dd0b04faf4855cec265a596e1ecdf487c5d70dbbfb1902a18d24b65e831deca6

SHA512
a6568817d5c76c53919b5743f58b440cd0f737b73210c78d6c65d5cecf53660fd89943b47a6e7449d6f67b24dc06856649b9d67bda002ea755bddfd0d75fe2af

Download Submit
\Users\Admin\AppData\Local\Temp\ins85A4.tmp

Filesize
2.3MB

MD5
ea9a5703925a9e9a5b099e643d3d1037

SHA1
06d0315228fb032c5bc8bf2ef6fc9b867bb598d7

SHA256
b08831dd2eb273d05a93ebe2945aa2cdd5abf96af8be5278963e8991aa38ec35

SHA512
ee42daf13b7455d8b41b4bbdcc95802c0fccbaed69b927038afcb497fab4b2b775649345d58984e1759bc67ee4ea6bc57885c85cd7d3ad1b92d8729f4d7eeac6

Download Submit
memory/2668-10-0x0000000076DF0000-0x0000000076F99000-memory.dmp

Filesize
1.7MB

Download
memory/2668-9-0x000000013F600000-0x0000000140976000-memory.dmp

Filesize
19.5MB

Download
memory/2668-11-0x000000013F600000-0x0000000140976000-memory.dmp

Filesize
19.5MB

Download
memory/2668-12-0x000000013F600000-0x0000000140976000-memory.dmp

Filesize
19.5MB

Download
memory/2668-13-0x000000013F600000-0x0000000140976000-memory.dmp

Filesize
19.5MB

Download
memory/2668-15-0x000000013F600000-0x0000000140976000-memory.dmp

Filesize
19.5MB

Download
memory/2668-17-0x0000000076DF0000-0x0000000076F99000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads