Analysis

  • max time kernel
    107s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 18:24

General

  • Target

    setup64.exe

  • Size

    94KB

  • MD5

    2e20228c3c51a193037b6a26bda04d9c

  • SHA1

    5e951af9dacaa49a298349552fbd98ff23660af5

  • SHA256

    8ee7977bebe6286238ebeaee977b87dea0f2bc00f256f5ecae0bef6e6414573f

  • SHA512

    b73f8cb39a1218b2438d31ed48429e2f67ad3e06133c0c6d79fe162ddaff12ec60f95a13d91a427b09af83f4ff46b21948dade14acd8bbb019d066fa310a8e25

  • SSDEEP

    1536:d7uAINjpg5osxzMU4uqvC2tmO/tfIw64XyZaVArSGz:d7ENj/azr4uqvC2tmOtIt4X35Gz

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 6 IoCs
  • Manipulates Digital Signatures 1 TTPs 1 IoCs

    Attackers can modify the Authenticode and Cryptography registry keys (the SIP and trust-provider entries Windows consults when validating a signature) so that their binary passes as validly signed. In this trace the hit is attributed to DrvInst.exe, the Windows driver installer, while it stages vrtaucbl.inf and vrtaucbl.cat, not to setup64.exe itself, so inspect the affected keys before treating it as tampering.

  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 42 IoCs

    SCSI information is often read in order to detect sandboxing environments. Here the reads come from setup64.exe, the DeviceInstall svchost and DrvInst.exe, and device enumeration during a driver install legitimately touches the same keys, so this hit on its own is weak evidence of evasion.

  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
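
The "Manipulates Digital Signatures" and "Modifies system certificate store" hits above are worth checking directly on an affected host rather than taken at face value. The following is an added example (it is not part of the sandbox report and not code from the Virtual Audio Cable installer) that audits the registry entries Windows uses to verify Authenticode signatures and lists the machine-wide TrustedPublisher store. The GUIDs, value names and expected DLL/function names are the documented Windows defaults for the PE-image SIP and the Authenticode policy provider; run it in an elevated PowerShell on the host being examined.

```powershell
# Added example, not from the sandbox report: check the SIP and trust-provider
# registration that Authenticode verification depends on, then list certificates
# the machine trusts for code signing. Run elevated on the host under review.

$oid   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0'
$trust = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust'
$peSip        = '{C689AAB8-8E78-11D0-8C47-00C04FC295EE}'   # PE image SIP
$authenticode = '{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}'   # WINTRUST_ACTION_GENERIC_VERIFY_V2

function Test-TrustEntry {
    param(
        [string]$Key,           # registry key holding the DLL/function pair
        [string]$DllName,       # value name for the DLL ('Dll' or '$DLL')
        [string]$FuncName,      # value name for the export ('FuncName' or '$Function')
        [string]$ExpectedFunc   # export wintrust.dll is registered with by default
    )
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $p) {
        return [pscustomobject]@{ Status = 'MISSING'; Function = ''; Dll = ''; Key = $Key }
    }
    $dll  = [string]$p.$DllName
    $func = [string]$p.$FuncName
    # Any DLL other than wintrust.dll, or any other export name, means signature
    # verification has been redirected into code the installer controls.
    $isDefault = ($dll -match '(?i)(^|\\)wintrust\.dll$') -and ($func -eq $ExpectedFunc)
    $status = 'MODIFIED'
    if ($isDefault) { $status = 'default' }
    [pscustomobject]@{ Status = $status; Function = $func; Dll = $dll; Key = $Key }
}

$checks = @(
    Test-TrustEntry "$oid\CryptSIPDllVerifyIndirectData\$peSip" 'Dll'  'FuncName'  'CryptSIPVerifyIndirectData'
    Test-TrustEntry "$oid\CryptSIPDllGetSignedDataMsg\$peSip"   'Dll'  'FuncName'  'CryptSIPGetSignedDataMsg'
    Test-TrustEntry "$trust\FinalPolicy\$authenticode"          '$DLL' '$Function' 'SoftpubAuthenticode'
)
$checks | Format-Table Status, Function, Dll, Key -AutoSize

# Certificates trusted for code signing without a prompt. This store is empty on a
# freshly installed Windows 10 client, so every entry was added by an installer or
# an administrator and should be recognisable.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Select-Object Thumbprint, Subject, NotBefore, NotAfter |
    Format-Table -AutoSize
```

On a 64-bit host the same SIP keys also exist under HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography for 32-bit verifiers; a row reporting MODIFIED in either view, or a certificate in TrustedPublisher that the organisation did not deliberately add, is what turns this sandbox hit into a finding.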

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup64.exe
    "C:\Users\Admin\AppData\Local\Temp\setup64.exe"
    1⤵
    • Drops file in Drivers directory
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:4032
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{b034c4a5-2326-9e48-b0aa-b0c9d53c0ddc}\vrtaucbl.inf" "9" "468e82127" "0000000000000148" "WinSta0\Default" "000000000000015C" "208" "c:\users\admin\appdata\local\temp"
      2⤵
      • Manipulates Digital Signatures
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{743e7ea7-bf19-7f4f-b5e9-c0fcabf3cc5a} Global\{13fb571a-f0a0-7949-9d8a-cbc873fc2eff} C:\Windows\System32\DriverStore\Temp\{40fadae2-d430-4242-8d64-b7a1e5f41179}\vrtaucbl.inf C:\Windows\System32\DriverStore\Temp\{40fadae2-d430-4242-8d64-b7a1e5f41179}\vrtaucbl.cat
        3⤵
        • Drops file in Windows directory
        PID:4856
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "11" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73af0c48fa1f:DevInst:4.15.0.7314:eumusdesign_vac_wdm," "468e82127" "0000000000000148"
      2⤵
      • Drops file in Drivers directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
  • C:\Program Files\Virtual Audio Cable\vcctlpan.exe
    "C:\Program Files\Virtual Audio Cable\vcctlpan.exe"
    1⤵
    • Executes dropped EXE
    PID:4596

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Virtual Audio Cable\vac.chm

    Filesize

    205KB

    MD5

    9865dad49ca2a8e25a61b8e588d8e723

    SHA1

    abfe336a9104b6f87ca0141cf8703508d89b58ac

    SHA256

    9e14aab573e70f330c3ce37a3f5d6727caecdd1c9caa3855fdf7a05b75713ffb

    SHA512

    641fc3c69267b4f00f856c06e5f82d68fe4c9ee34b4125edbf268b31f1ff4c4732450a49032ce1b927e8f710ace1fed4961811ba809fc89c638406178ace4a60

  • C:\Program Files\Virtual Audio Cable\vcctlpan.exe

    Filesize

    79KB

    MD5

    2be1766707981ffd4113c7f0b55d4335

    SHA1

    988a06a7e758c0023e44581fe18cb762cb5b39e2

    SHA256

    e346a5b8e3ce5470dc3ebcc42597dcfb5e99df80efd75f7c3b01e899b4e66a24

    SHA512

    23c8ad6b212c47ecf623234611d62b8959f2541257758a777acd9aed3cd528479bf186b68c012fef7b28a5935225bed3803d6d207e58bc68e2e6f0420926a1ae

  • C:\Users\Admin\AppData\Local\Temp\{B034C~1\x64\vrtaucbl.sys

    Filesize

    111KB

    MD5

    fa179e2c627478688aea97755be41e08

    SHA1

    7fadc17c026a0c2071d0f83363be1d739ceb4510

    SHA256

    93f0e39029a802abb06115a89827a9a1d2a2eb28e0cacef16a59ed06c9d30113

    SHA512

    3da57630cecfd6eab011df8820ca35f9a11cce770b8333b3ee9a74a2ee1cb105c5b036553666f77ffa78eee4f1d9605cdd69c2eba8757c13a2746466b683b3a4

  • C:\Users\Admin\AppData\Local\Temp\{b034c4a5-2326-9e48-b0aa-b0c9d53c0ddc}\vrtaucbl.inf

    Filesize

    146KB

    MD5

    cd284d30d5ec39f83b7c821613da2976

    SHA1

    5e3f1354c586c151707835862c6e5057452c0d98

    SHA256

    99ef786db4ba2d50baafbe92f03260f54897dc6fba44690e167d80fb10d2553a

    SHA512

    ee586d46bf046a7ff41e0aab2602de33f05eb91f4116981ca9afbd5ac8004ef8ff7b18f77470204607eedc8800abac7b348ebfef31069c87ca4229d7873680fa

  • C:\Windows\System32\DriverStore\Temp\{40fadae2-d430-4242-8d64-b7a1e5f41179}\SETAC3A.tmp

    Filesize

    7KB

    MD5

    a78e7c41c8db9704715878d3d8384228

    SHA1

    e0f3380d8814cbf68bd058f2f0432ecfa290816d

    SHA256

    5ad66cbffcd35c77516d47b99a96e0dad0c3eb76defc03eeb3357d904d30ea5d

    SHA512

    2cc622f888d9653aca374639f0f41312d580877baba78f227fe4da2f0bea2f16605c620ce834066434695ff7e8f400ea786c83bfa647eae6d702ab351c5d426a
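
The process tree and the file list above together describe a driver installation: setup64.exe stages vrtaucbl.inf, the DeviceInstall svchost spawns DrvInst.exe, the rundll32 pnpui.dll,InstallSecurityPromptRunDllW child is the Windows Security driver-install prompt for vrtaucbl.cat, the INF is published as oem3.inf, and vcctlpan.exe is launched from Program Files. The following is an added example (not part of the sandbox report and not the vendor's code) for confirming on a host whether the listed artifacts are present and unchanged, how the installed driver is signed, and what pnputil has on record. The Program Files paths and the oem3.inf name come from the report; the System32\drivers location of vrtaucbl.sys is an assumption based on the "Drops file in Drivers directory" hit.

```powershell
# Added example, not from the sandbox report: compare on-disk artifacts with the
# report's SHA256 values, check the driver's signature, and confirm the published INF.

# Hashes are the report's values; the drivers\ path is an assumed install location.
$expected = @{
    'C:\Program Files\Virtual Audio Cable\vcctlpan.exe' = 'e346a5b8e3ce5470dc3ebcc42597dcfb5e99df80efd75f7c3b01e899b4e66a24'
    'C:\Program Files\Virtual Audio Cable\vac.chm'      = '9e14aab573e70f330c3ce37a3f5d6727caecdd1c9caa3855fdf7a05b75713ffb'
    'C:\Windows\System32\drivers\vrtaucbl.sys'          = '93f0e39029a802abb06115a89827a9a1d2a2eb28e0cacef16a59ed06c9d30113'
}

function Compare-ArtifactHash {
    param([hashtable]$Expected)
    foreach ($path in $Expected.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Status = 'absent'; Path = $path; Sha256 = '' }
            continue
        }
        # Get-FileHash returns upper-case hex; normalise before comparing.
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $status = 'DIFFERENT'
        if ($actual -eq $Expected[$path]) { $status = 'match' }
        [pscustomobject]@{ Status = $status; Path = $path; Sha256 = $actual }
    }
}

Compare-ArtifactHash -Expected $expected | Format-Table -AutoSize

# Kernel drivers are normally catalog-signed rather than embedded-signed.
# Get-AuthenticodeSignature consults the catalogs registered on the machine, so
# Status 'Valid' with SignatureType 'Catalog' is the expected result for a properly
# signed driver; 'NotSigned' after installation means no trusted catalog covers it.
$sysFiles = Get-ChildItem 'C:\Windows\System32\DriverStore\FileRepository' -Recurse -Filter 'vrtaucbl.sys' -ErrorAction SilentlyContinue
foreach ($f in $sysFiles) {
    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
    [pscustomobject]@{
        File   = $f.FullName
        Status = $sig.Status
        Type   = $sig.SignatureType
        Signer = $sig.SignerCertificate.Subject
    } | Format-List
}

# The INF was published as oem3.inf in the trace; show pnputil's record for it
# (original name, provider, class, version and signer).
pnputil /enum-drivers | Select-String -Pattern '^Published Name:\s+oem3\.inf' -Context 0,6
```

A DIFFERENT row for vcctlpan.exe or the driver means the host has a build other than the one analysed here and its hashes should be looked up separately; a driver whose signer does not match the pnputil "Signer Name" line, or whose catalog no longer validates, is the case the "Manipulates Digital Signatures" hit should be read against.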