e19db8a23b082c6f48e261d911e577b3c80617caaab197b539bc315485b5fa29

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VAT PO 24000042.exe
Size

720KB
MD5

ed034b758fc815e198193c3520cfd3f2
SHA1

6b40208375622792e49f35bb3e7ea2f8e8a498b1
SHA256

e19db8a23b082c6f48e261d911e577b3c80617caaab197b539bc315485b5fa29
SHA512

4bba99100c54aef4ac52f8013561d0164f9818a35f2560f50391335ed12758044234c8c8cf215a2890348d55231c270bfe44e2549c5f5864d3787a3f382f7d32
SSDEEP

12288:Ydpp5wjz3z3Op8D+ZBmOI0nbCe5BmIuTnBxaFv8Kbr09nB8odAgWY:YdBiv3qfnbC6QrxaFvFr0r8axWY

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1176 set thread context of 2356	1176	VAT PO 24000042.exe	34
PID 2356 set thread context of 1216	2356	VAT PO 24000042.exe	21
PID 2356 set thread context of 2236	2356	VAT PO 24000042.exe	37
PID 2236 set thread context of 1216	2236	cttune.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1176	VAT PO 24000042.exe
1176	VAT PO 24000042.exe
2580	powershell.exe
2512	powershell.exe
2356	VAT PO 24000042.exe
2356	VAT PO 24000042.exe
2356	VAT PO 24000042.exe
2356	VAT PO 24000042.exe
2356	VAT PO 24000042.exe
2356	VAT PO 24000042.exe
2356	VAT PO 24000042.exe
2356	VAT PO 24000042.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe
2236	cttune.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2356	VAT PO 24000042.exe
1216	Explorer.EXE
1216	Explorer.EXE
2236	cttune.exe
2236	cttune.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	VAT PO 24000042.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2580	1176	VAT PO 24000042.exe	28
PID 1176 wrote to memory of 2580	1176	VAT PO 24000042.exe	28
PID 1176 wrote to memory of 2580	1176	VAT PO 24000042.exe	28
PID 1176 wrote to memory of 2580	1176	VAT PO 24000042.exe	28
PID 1176 wrote to memory of 2512	1176	VAT PO 24000042.exe	30
PID 1176 wrote to memory of 2512	1176	VAT PO 24000042.exe	30
PID 1176 wrote to memory of 2512	1176	VAT PO 24000042.exe	30
PID 1176 wrote to memory of 2512	1176	VAT PO 24000042.exe	30
PID 1176 wrote to memory of 2364	1176	VAT PO 24000042.exe	32
PID 1176 wrote to memory of 2364	1176	VAT PO 24000042.exe	32
PID 1176 wrote to memory of 2364	1176	VAT PO 24000042.exe	32
PID 1176 wrote to memory of 2364	1176	VAT PO 24000042.exe	32
PID 1176 wrote to memory of 2356	1176	VAT PO 24000042.exe	34
PID 1176 wrote to memory of 2356	1176	VAT PO 24000042.exe	34
PID 1176 wrote to memory of 2356	1176	VAT PO 24000042.exe	34
PID 1176 wrote to memory of 2356	1176	VAT PO 24000042.exe	34
PID 1176 wrote to memory of 2356	1176	VAT PO 24000042.exe	34
PID 1176 wrote to memory of 2356	1176	VAT PO 24000042.exe	34
PID 1176 wrote to memory of 2356	1176	VAT PO 24000042.exe	34
PID 1216 wrote to memory of 2236	1216	Explorer.EXE	37
PID 1216 wrote to memory of 2236	1216	Explorer.EXE	37
PID 1216 wrote to memory of 2236	1216	Explorer.EXE	37
PID 1216 wrote to memory of 2236	1216	Explorer.EXE	37

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\VAT PO 24000042.exe
  "C:\Users\Admin\AppData\Local\Temp\VAT PO 24000042.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\VAT PO 24000042.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LXnRntjIrew.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LXnRntjIrew" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC1F8.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2364
- - C:\Users\Admin\AppData\Local\Temp\VAT PO 24000042.exe
    "C:\Users\Admin\AppData\Local\Temp\VAT PO 24000042.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2356
- C:\Windows\SysWOW64\cttune.exe
  "C:\Windows\SysWOW64\cttune.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC1F8.tmp

Filesize
1KB

MD5
d005acaba2b17c6508080dac40d20fde

SHA1
ff16df068067d3cdfcaea198f9a8383e95b31fae

SHA256
fd66385e7e5df741c102957a8fb99b46db5fae7a67a693e6b951779a3e5c8c93

SHA512
3704cb8c8213b859e81c41bf4e761eba48447ccac5658e30ecaa81f5e1b218c27cb84344caa0ce79f5e0df975ce9f1754527782fa3ecbc126a1ed396227c8367

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b02eab5b7a5c36f870910446e813cc88

SHA1
2d3a6f12bace4f5b5571f1a4394cd01992a6f881

SHA256
8fa51e2e389e5f0f052cd1e2d3d294fc6391a48b31c7538f6128c6873faa81ad

SHA512
b136349ca54432feaa8c508e1820d6767ddd21fdab455f81245a5818d9b59367fb7aa2a209ca8394312a2494069a7e70f9bbb567bc225bf6cd3cfa5adf45b961

Download Submit
memory/1176-4-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1176-27-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1176-0-0x0000000000F40000-0x0000000000FFA000-memory.dmp

Filesize
744KB

Download
memory/1176-5-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/1176-6-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1176-7-0x00000000048A0000-0x000000000492A000-memory.dmp

Filesize
552KB

Download
memory/1176-2-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/1176-1-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1176-3-0x0000000004400000-0x00000000044A6000-memory.dmp

Filesize
664KB

Download
memory/1216-45-0x00000000029A0000-0x0000000002AA0000-memory.dmp

Filesize
1024KB

Download
memory/2236-53-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2236-51-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2236-52-0x00000000009E0000-0x0000000000A7D000-memory.dmp

Filesize
628KB

Download
memory/2236-50-0x0000000001FF0000-0x00000000022F3000-memory.dmp

Filesize
3.0MB

Download
memory/2236-47-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2236-46-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2236-54-0x00000000009E0000-0x0000000000A7D000-memory.dmp

Filesize
628KB

Download
memory/2356-43-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-41-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/2356-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-44-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/2356-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-49-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/2356-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2512-31-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2512-39-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-33-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2512-29-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-36-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2580-38-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-28-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-30-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-32-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download
memory/2580-37-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download
memory/2580-35-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download