Overview

overview

7

Static

static

3

Vedani-Cry...er.exe

windows7-x64

7

Vedani-Cry...er.exe

windows10-2004-x64

7

Vedani-Cry...UI.dll

windows7-x64

1

Vedani-Cry...UI.dll

windows10-2004-x64

1

Vedani-Cry...on.exe

windows7-x64

7

Vedani-Cry...on.exe

windows10-2004-x64

7

Vedani-Cry...ce.exe

windows7-x64

1

Vedani-Cry...ce.exe

windows10-2004-x64

1

Resubmissions

19-04-2024 17:02

240419-vkeb7saa45 7

Analysis

  • max time kernel
    181s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 17:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Vedani-Crypter-Vedani-Crypter/Vedani-Crypter/Vedani-Crypter.exe

  • Size

    6.2MB

  • MD5

    f982e40c831cac8ad143723b49990772

  • SHA1

    e50f97163936e22cf9012b883f73a0eeaf4d90ad

  • SHA256

    13a169db433164fda1023703b80b6dba5fbd1bb1b2fa37a71a0749024f783c2b

  • SHA512

    6c1de77ae2e5376515ad278abdd2d539e9200b3bf1640174e721fef9a9bb2e8f87766b1d62e54917aaea331b839bcba798ca50ba06fa4f0602f12a75bcd63cc7

  • SSDEEP

    98304:RM3epzb71QGQCPDbZfHayCb7BJ5mjwNwwMeZYobSr+v+Z5OwXbJ:RMsdQmRfaycBIGpEogMwXb

Score
7/10
persistencespywarestealer

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vedani-Crypter-Vedani-Crypter\Vedani-Crypter\Vedani-Crypter.exe
    "C:\Users\Admin\AppData\Local\Temp\Vedani-Crypter-Vedani-Crypter\Vedani-Crypter\Vedani-Crypter.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Users\Admin\AppData\Local\Temp\Vedani-Crypter-Vedani-Crypter\Vedani-Crypter\Vedani-Crypter.exe
      "C:\Users\Admin\AppData\Local\Temp\Vedani-Crypter-Vedani-Crypter\Vedani-Crypter\Vedani-Crypter.exe"
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Users\Admin\AppData\Roaming\vedani\VedaniCrypter.exe
        "C:\Users\Admin\AppData\Roaming\vedani\VedaniCrypter.exe"
        3⤵
        • Executes dropped EXE
        PID:3536
      • C:\Users\Admin\AppData\Roaming\registerCash\MkHelper.exe
        "C:\Users\Admin\AppData\Roaming\registerCash\MkHelper.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3604
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\Vedani-Crypter-Vedani-Crypter\Vedani-Crypter\MkHelper.exe /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4504
          • C:\Windows\system32\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdater /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\Vedani-Crypter-Vedani-Crypter\Vedani-Crypter\MkHelper.exe /f
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:3112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
    Filesize

    1.7MB

    MD5

    65ccd6ecb99899083d43f7c24eb8f869

    SHA1

    27037a9470cc5ed177c0b6688495f3a51996a023

    SHA256

    aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

    SHA512

    533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI34802\VCRUNTIME140.dll
    Filesize

    106KB

    MD5

    870fea4e961e2fbd00110d3783e529be

    SHA1

    a948e65c6f73d7da4ffde4e8533c098a00cc7311

    SHA256

    76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

    SHA512

    0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI34802\_bz2.pyd
    Filesize

    81KB

    MD5

    bbe89cf70b64f38c67b7bf23c0ea8a48

    SHA1

    44577016e9c7b463a79b966b67c3ecc868957470

    SHA256

    775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723

    SHA512

    3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI34802\_lzma.pyd
    Filesize

    153KB

    MD5

    0a94c9f3d7728cf96326db3ab3646d40

    SHA1

    8081df1dca4a8520604e134672c4be79eb202d14

    SHA256

    0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31

    SHA512

    6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI34802\base_library.zip
    Filesize

    812KB

    MD5

    fbd6be906ac7cd45f1d98f5cb05f8275

    SHA1

    5d563877a549f493da805b4d049641604a6a0408

    SHA256

    ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0

    SHA512

    1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI34802\python310.dll
    Filesize

    4.3MB

    MD5

    deaf0c0cc3369363b800d2e8e756a402

    SHA1

    3085778735dd8badad4e39df688139f4eed5f954

    SHA256

    156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

    SHA512

    5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

    Download Submit
  • C:\Users\Admin\AppData\Roaming\registerCash\MkHelper.exe
    Filesize

    5.6MB

    MD5

    620286e072bfad6fab129ae7ab9d3c0d

    SHA1

    ff5f624806599ad7f13723de79cfc26655e71088

    SHA256

    59e748cf4cd7a88bd67c2d0a76ec797150ae317a288fb95c0eb648fa45ae8496

    SHA512

    73aa3e44853cd1573e9fc33a102d4e13de339d4b120b2967ef20de6ef523ff9340ec64a9fdb0b935bf1d83da5b702746fc01408058d9fd08d5830b5bbe39c49b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\vedani\VedaniCrypter.exe
    Filesize

    5.2MB

    MD5

    e7b448f71bfabbcf84fc5f7c8cc219a6

    SHA1

    fe5f861a03207da4fe6b4093bbdc5588e6a0fe07

    SHA256

    522497cf6abdb91e9d64e0bc2f0ddedab87f74eefccb43a9fe222cf4bba570f0

    SHA512

    c1a5f8008b5a421db803447d7b443c99bf081920347be1fa417279b3c1857362e262d32bab1b893684daa0cbb8a26735090d28efb188f81351889b7f56a48b06

    Download Submit
  • C:\Users\Admin\AppData\Roaming\vedani\XanderUI.dll
    Filesize

    185KB

    MD5

    b7498196f0a200cc729703e6127eb3cb

    SHA1

    1fb5e3127987b38c1e9309f7a65dd2f45a5f5754

    SHA256

    cdf2ff8c0970f4144500c81c5678055ded70c05285ba3d3ff04e44fa78d9ce64

    SHA512

    0922ebc190c7af93655c833b8e3ba3f98d49011dbbc822f633813d2e47db8b7f1a6a22fbfcb08d5fcebc11bd90a9d3392fe1c40af7391048c70d273ef17a86f1

    Download Submit
  • memory/3536-95-0x000001F078110000-0x000001F078120000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3536-62-0x000001F078F70000-0x000001F078FA4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/3536-93-0x000001F078110000-0x000001F078120000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3536-35-0x000001F078110000-0x000001F078120000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3536-92-0x00007FFD00430000-0x00007FFD00EF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3536-33-0x00007FFD00430000-0x00007FFD00EF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3536-63-0x000001F078110000-0x000001F078120000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3536-34-0x000001F075480000-0x000001F0759C2000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/3604-59-0x00000260D2C50000-0x00000260D2C60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3604-60-0x00000260D2C90000-0x00000260D2CAE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3604-64-0x00000260D30E0000-0x00000260D30EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3604-65-0x00000260D3160000-0x00000260D31CA000-memory.dmp
    Filesize

    424KB

    Download
  • memory/3604-68-0x00000260D3210000-0x00000260D324A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/3604-69-0x00000260D31D0000-0x00000260D31F6000-memory.dmp
    Filesize

    152KB

    Download
  • memory/3604-87-0x00000260D4080000-0x00000260D4092000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3604-90-0x00000260D2C50000-0x00000260D2C60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3604-58-0x00000260D2CF0000-0x00000260D2D66000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3604-47-0x00000260B8300000-0x00000260B88A0000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3604-94-0x00007FFD00430000-0x00007FFD00EF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3604-46-0x00007FFD00430000-0x00007FFD00EF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3604-96-0x00000260D2C50000-0x00000260D2C60000-memory.dmp
    Filesize

    64KB

    Download