Analysis

max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16/04/2024, 07:39
Static task: static1

Behavioral task: behavioral1
  Sample: VAT PO 24000042.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: VAT PO 24000042.exe
  Resource: win10v2004-20240226-en
General

Target: VAT PO 24000042.exe
Size: 720KB
MD5: ed034b758fc815e198193c3520cfd3f2
SHA1: 6b40208375622792e49f35bb3e7ea2f8e8a498b1
SHA256: e19db8a23b082c6f48e261d911e577b3c80617caaab197b539bc315485b5fa29
SHA512: 4bba99100c54aef4ac52f8013561d0164f9818a35f2560f50391335ed12758044234c8c8cf215a2890348d55231c270bfe44e2549c5f5864d3787a3f382f7d32
SSDEEP: 12288:Ydpp5wjz3z3Op8D+ZBmOI0nbCe5BmIuTnBxaFv8Kbr09nB8odAgWY:YdBiv3qfnbC6QrxaFvFr0r8axWY
Malware Config
Signatures

Suspicious use of SetThreadContext (4 IoCs)
  description                           pid   Process              procid_target
  PID 1176 set thread context of 2356   1176  VAT PO 24000042.exe  34
  PID 2356 set thread context of 1216   2356  VAT PO 24000042.exe  21
  PID 2356 set thread context of 2236   2356  VAT PO 24000042.exe  37
  PID 2236 set thread context of 1216   2236  cttune.exe           21

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2364  schtasks.exe

Suspicious behavior: EnumeratesProcesses (27 IoCs; identical rows collapsed, count in last column)
  pid   Process              entries
  1176  VAT PO 24000042.exe  2
  2580  powershell.exe       1
  2512  powershell.exe       1
  2356  VAT PO 24000042.exe  8
  2236  cttune.exe           15

Suspicious behavior: MapViewOfSection (5 IoCs; identical rows collapsed, count in last column)
  pid   Process              entries
  2356  VAT PO 24000042.exe  1
  1216  Explorer.EXE         2
  2236  cttune.exe           2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1176  VAT PO 24000042.exe
  Token: SeDebugPrivilege  2580  powershell.exe
  Token: SeDebugPrivilege  2512  powershell.exe

Suspicious use of WriteProcessMemory (23 IoCs; identical rows collapsed, count in last column)
  description                        pid   Process              procid_target  entries
  PID 1176 wrote to memory of 2580   1176  VAT PO 24000042.exe  28             4
  PID 1176 wrote to memory of 2512   1176  VAT PO 24000042.exe  30             4
  PID 1176 wrote to memory of 2364   1176  VAT PO 24000042.exe  32             4
  PID 1176 wrote to memory of 2356   1176  VAT PO 24000042.exe  34             7
  PID 1216 wrote to memory of 2236   1216  Explorer.EXE         37             4
Processes

C:\Windows\Explorer.EXE
  command: C:\Windows\Explorer.EXE
  PID: 1216
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\VAT PO 24000042.exe
      command: "C:\Users\Admin\AppData\Local\Temp\VAT PO 24000042.exe"
      PID: 1176
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\VAT PO 24000042.exe"
          PID: 2580
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LXnRntjIrew.exe"
          PID: 2512
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\schtasks.exe
          command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LXnRntjIrew" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC1F8.tmp"
          PID: 2364
          - Creates scheduled task(s)

        C:\Users\Admin\AppData\Local\Temp\VAT PO 24000042.exe
          command: "C:\Users\Admin\AppData\Local\Temp\VAT PO 24000042.exe"
          PID: 2356
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection

    C:\Windows\SysWOW64\cttune.exe
      command: "C:\Windows\SysWOW64\cttune.exe"
      PID: 2236
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: d005acaba2b17c6508080dac40d20fde
SHA1: ff16df068067d3cdfcaea198f9a8383e95b31fae
SHA256: fd66385e7e5df741c102957a8fb99b46db5fae7a67a693e6b951779a3e5c8c93
SHA512: 3704cb8c8213b859e81c41bf4e761eba48447ccac5658e30ecaa81f5e1b218c27cb84344caa0ce79f5e0df975ce9f1754527782fa3ecbc126a1ed396227c8367

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: b02eab5b7a5c36f870910446e813cc88
SHA1: 2d3a6f12bace4f5b5571f1a4394cd01992a6f881
SHA256: 8fa51e2e389e5f0f052cd1e2d3d294fc6391a48b31c7538f6128c6873faa81ad
SHA512: b136349ca54432feaa8c508e1820d6767ddd21fdab455f81245a5818d9b59367fb7aa2a209ca8394312a2494069a7e70f9bbb567bc225bf6cd3cfa5adf45b961