354aafdbc9a8adcbe4606bb69e423390990fcbabcc0aa5871b64a1f425719146

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vape v4 legacy.exe
Size

10.3MB
MD5

dcabccc273edfee0e0b1ce0bdf9c4ac1
SHA1

9eb68d706e55cd77a3006bedb3cba788d90e4a07
SHA256

354aafdbc9a8adcbe4606bb69e423390990fcbabcc0aa5871b64a1f425719146
SHA512

e76bc52e8ee9b6b4a987641a530bcf66485a724b5b1ff95659f57508e609a98243f3a3276894ffc1d67db1899fa43d4129281b3f1e2d06e299ac9055b8da013e
SSDEEP

196608:vgynrxTZ/xV6Kh0p6TKjdyR80llgwEgYEECfMdEH:vg4r5Z/xmrYgwEgYEEWMC

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6HkT3NUhDH.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6HkT3NUhDH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6HkT3NUhDH.exe

Executes dropped EXE 2 IoCs

pid	Process
3032	insBCD8.tmp
5032	6HkT3NUhDH.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6HkT3NUhDH.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5032	6HkT3NUhDH.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	6HkT3NUhDH.exe
Token: SeDebugPrivilege	5032	6HkT3NUhDH.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 3032	3880	vape v4 legacy.exe	94
PID 3880 wrote to memory of 3032	3880	vape v4 legacy.exe	94
PID 3880 wrote to memory of 5032	3880	vape v4 legacy.exe	95
PID 3880 wrote to memory of 5032	3880	vape v4 legacy.exe	95

C:\Users\Admin\AppData\Local\Temp\vape v4 legacy.exe
"C:\Users\Admin\AppData\Local\Temp\vape v4 legacy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\insBCD8.tmp
  C:\Users\Admin\AppData\Local\Temp\insBCD8.tmp
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe
  C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2268,i,4334050275411101233,11484630688883830558,262144 --variations-seed-version /prefetch:8
1⤵
PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe

Filesize
5.4MB

MD5
e4fe17d8d94e8fd75f16c8639cdea5cd

SHA1
00ee04d12ada449d125589c8f31ddde1db0b0df2

SHA256
b187b41239815a20fef1959e810206826d0579110e06e1440d4b04841085e1c0

SHA512
1560d674ec0a2abc64c823799ca43ae0a34979236d8f05d0fa927e5e61bbcfe7515f7dffafbc4eb9e4847fac3c9abae1b93efa848a0cbb9c0b354e02ed38ad32

Download Submit
C:\Users\Admin\AppData\Local\Temp\6HkT3NUhDH.exe

Filesize
5.0MB

MD5
15828be790dab54e4d3b74737e5ab136

SHA1
451b8bdb1ec84503f4ba449f5487e455e3bdf5ea

SHA256
f4fd81d6ede50eeb2e81bd0ede56e624e138bf3f501204c17c8f0779d50663b0

SHA512
efd1a3b4753756bf9c2726dbebb8006baf9276732ec0e1fc4371585de7f720dd223838f53e23a5906d2f829570094b918aa017c9f76006aa01745733c2a3a0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\insBCD8.tmp

Filesize
2.3MB

MD5
ea9a5703925a9e9a5b099e643d3d1037

SHA1
06d0315228fb032c5bc8bf2ef6fc9b867bb598d7

SHA256
b08831dd2eb273d05a93ebe2945aa2cdd5abf96af8be5278963e8991aa38ec35

SHA512
ee42daf13b7455d8b41b4bbdcc95802c0fccbaed69b927038afcb497fab4b2b775649345d58984e1759bc67ee4ea6bc57885c85cd7d3ad1b92d8729f4d7eeac6

Download Submit
memory/5032-9-0x00007FFE22050000-0x00007FFE22245000-memory.dmp

Filesize
2.0MB

Download
memory/5032-10-0x00007FF782B00000-0x00007FF783E76000-memory.dmp

Filesize
19.5MB

Download
memory/5032-11-0x00007FF782B00000-0x00007FF783E76000-memory.dmp

Filesize
19.5MB

Download
memory/5032-12-0x00007FF782B00000-0x00007FF783E76000-memory.dmp

Filesize
19.5MB

Download
memory/5032-13-0x00007FF782B00000-0x00007FF783E76000-memory.dmp

Filesize
19.5MB

Download
memory/5032-14-0x00007FF782B00000-0x00007FF783E76000-memory.dmp

Filesize
19.5MB

Download
memory/5032-16-0x00007FFE22050000-0x00007FFE22245000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads