eda533334f0690bfd96b796212c8331fd1c7fe16e24a42de9a2bdcbe30bad9a6

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

82KB
MD5

39d9f87b6eac02adac83157f55a65e26
SHA1

67c7d19666939804e1d08261b915e49c8829be20
SHA256

19bde26e840546d79ac6930106c0edeae0b61412eeb1634dd7e2379618e9ee27
SHA512

75c15fcecb1829cf003b2c925337bd264da38307c0123c3ab1e34bf5f8723a9201836498437939a1caa69c8cd74fad70e8416404530895da784c028db1559818
SSDEEP

1536:9gagi9op3hsjWdC2Re3jeTSWpqyViZXseg:9gK9oZhsjWdCPKTSWpq4iJ5g

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\vrtaucbl.sys	setup64.exe

Executes dropped EXE 1 IoCs

pid	Process
2908	vcctlpan.exe

Loads dropped DLL 8 IoCs

pid	Process
2896	setup64.exe
2896	setup64.exe
2896	setup64.exe
2896	setup64.exe
1324	Process not Found
1324	Process not Found
1324	Process not Found
1324	Process not Found

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	setup64.exe
File opened (read-only)	\??\L:	setup64.exe
File opened (read-only)	\??\U:	setup64.exe
File opened (read-only)	\??\T:	setup64.exe
File opened (read-only)	\??\Y:	setup64.exe
File opened (read-only)	\??\H:	setup64.exe
File opened (read-only)	\??\I:	setup64.exe
File opened (read-only)	\??\M:	setup64.exe
File opened (read-only)	\??\P:	setup64.exe
File opened (read-only)	\??\R:	setup64.exe
File opened (read-only)	\??\V:	setup64.exe
File opened (read-only)	\??\X:	setup64.exe
File opened (read-only)	\??\Z:	setup64.exe
File opened (read-only)	\??\A:	setup64.exe
File opened (read-only)	\??\B:	setup64.exe
File opened (read-only)	\??\G:	setup64.exe
File opened (read-only)	\??\N:	setup64.exe
File opened (read-only)	\??\Q:	setup64.exe
File opened (read-only)	\??\J:	setup64.exe
File opened (read-only)	\??\K:	setup64.exe
File opened (read-only)	\??\O:	setup64.exe
File opened (read-only)	\??\S:	setup64.exe
File opened (read-only)	\??\W:	setup64.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\x64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	setup64.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\SETC572.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\SETC572.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\SETC583.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	setup64.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\x64\SETC561.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\x64\vrtaucbl.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\vrtaucbl.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vrtaucbl.inf_amd64_neutral_48e684fc19a40859\vrtaucbl.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	setup64.exe
File created	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\x64\SETC561.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\SETC583.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vrtaucbl.inf_amd64_neutral_48e684fc19a40859\vrtaucbl.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\vrtaucbl.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Virtual Audio Cable\audiorepeater.exe	setup64.exe
File created	C:\Program Files\Virtual Audio Cable\audiorepeater_ks.exe	setup64.exe
File created	C:\Program Files\Virtual Audio Cable\setup64.exe	setup64.exe
File created	C:\Program Files\Virtual Audio Cable\uninst.ini	setup64.exe
File created	C:\Program Files\Virtual Audio Cable\install.log	setup64.exe
File created	C:\Program Files\Virtual Audio Cable\vac.chm	setup64.exe
File created	C:\Program Files\Virtual Audio Cable\license.txt	setup64.exe
File created	C:\Program Files\Virtual Audio Cable\vcctlpan.exe	setup64.exe
File opened for modification	C:\Program Files\Virtual Audio Cable\uninst.ini	setup64.exe
File created	C:\Program Files\Virtual Audio Cable\readme.txt	setup64.exe
File created	C:\Program Files\Virtual Audio Cable\homepage.url	setup64.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	setup64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	setup64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2896	setup64.exe
Token: SeShutdownPrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeLoadDriverPrivilege	2896	setup64.exe
Token: SeLoadDriverPrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2664	rundll32.exe
Token: SeRestorePrivilege	2664	rundll32.exe
Token: SeRestorePrivilege	2664	rundll32.exe
Token: SeRestorePrivilege	2664	rundll32.exe
Token: SeRestorePrivilege	2664	rundll32.exe
Token: SeRestorePrivilege	2664	rundll32.exe
Token: SeRestorePrivilege	2664	rundll32.exe
Token: SeBackupPrivilege	1976	vssvc.exe
Token: SeRestorePrivilege	1976	vssvc.exe
Token: SeAuditPrivilege	1976	vssvc.exe
Token: SeBackupPrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	2164	DrvInst.exe
Token: SeRestorePrivilege	592	DrvInst.exe
Token: SeRestorePrivilege	592	DrvInst.exe
Token: SeRestorePrivilege	592	DrvInst.exe
Token: SeRestorePrivilege	592	DrvInst.exe
Token: SeRestorePrivilege	592	DrvInst.exe
Token: SeRestorePrivilege	592	DrvInst.exe
Token: SeRestorePrivilege	592	DrvInst.exe
Token: SeLoadDriverPrivilege	592	DrvInst.exe
Token: SeLoadDriverPrivilege	592	DrvInst.exe
Token: SeLoadDriverPrivilege	592	DrvInst.exe
Token: SeRestorePrivilege	2896	setup64.exe
Token: SeLoadDriverPrivilege	2896	setup64.exe
Token: SeRestorePrivilege	976	DrvInst.exe
Token: SeRestorePrivilege	976	DrvInst.exe
Token: SeRestorePrivilege	976	DrvInst.exe
Token: SeRestorePrivilege	976	DrvInst.exe
Token: SeRestorePrivilege	976	DrvInst.exe
Token: SeRestorePrivilege	976	DrvInst.exe
Token: SeRestorePrivilege	976	DrvInst.exe
Token: SeRestorePrivilege	976	DrvInst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2896	setup64.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2896	2772	setup.exe	28
PID 2772 wrote to memory of 2896	2772	setup.exe	28
PID 2772 wrote to memory of 2896	2772	setup.exe	28
PID 2772 wrote to memory of 2896	2772	setup.exe	28
PID 2164 wrote to memory of 2664	2164	DrvInst.exe	30
PID 2164 wrote to memory of 2664	2164	DrvInst.exe	30
PID 2164 wrote to memory of 2664	2164	DrvInst.exe	30

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\setup64.exe
  "C:\Users\Admin\AppData\Local\Temp\setup64.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2896

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{487b6ee0-9a40-0701-8b0e-3720dc6c391d}\vrtaucbl.inf" "9" "668e82127" "0000000000000540" "WinSta0\Default" "00000000000005AC" "208" "c:\users\admin\appdata\local\temp"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2994555b-6500-1d2c-4b4c-5612d262a96a} Global\{57a5c46c-d18a-31d1-5f1c-5428e10b221e} C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\vrtaucbl.inf C:\Windows\System32\DriverStore\Temp\{46efb712-ec12-479c-80f0-784b73434336}\vrtaucbl.cat
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "00000000000005B0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem2.inf" "vrtaucbl.inf:DevSection.NTamd64:DevInst:4.15.0.7314:eumusdesign_vac_wdm" "668e82127" "00000000000003B0" "00000000000005A8" "00000000000005D4"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Program Files\Virtual Audio Cable\vcctlpan.exe
"C:\Program Files\Virtual Audio Cable\vcctlpan.exe"
1⤵
- Executes dropped EXE
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Virtual Audio Cable\vac.chm

Filesize
205KB

MD5
9865dad49ca2a8e25a61b8e588d8e723

SHA1
abfe336a9104b6f87ca0141cf8703508d89b58ac

SHA256
9e14aab573e70f330c3ce37a3f5d6727caecdd1c9caa3855fdf7a05b75713ffb

SHA512
641fc3c69267b4f00f856c06e5f82d68fe4c9ee34b4125edbf268b31f1ff4c4732450a49032ce1b927e8f710ace1fed4961811ba809fc89c638406178ace4a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC15E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC19F.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\{487B6~1\x64\vrtaucbl.sys

Filesize
111KB

MD5
fa179e2c627478688aea97755be41e08

SHA1
7fadc17c026a0c2071d0f83363be1d739ceb4510

SHA256
93f0e39029a802abb06115a89827a9a1d2a2eb28e0cacef16a59ed06c9d30113

SHA512
3da57630cecfd6eab011df8820ca35f9a11cce770b8333b3ee9a74a2ee1cb105c5b036553666f77ffa78eee4f1d9605cdd69c2eba8757c13a2746466b683b3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{487b6ee0-9a40-0701-8b0e-3720dc6c391d}\vrtaucbl.cat

Filesize
7KB

MD5
a78e7c41c8db9704715878d3d8384228

SHA1
e0f3380d8814cbf68bd058f2f0432ecfa290816d

SHA256
5ad66cbffcd35c77516d47b99a96e0dad0c3eb76defc03eeb3357d904d30ea5d

SHA512
2cc622f888d9653aca374639f0f41312d580877baba78f227fe4da2f0bea2f16605c620ce834066434695ff7e8f400ea786c83bfa647eae6d702ab351c5d426a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{487b6ee0-9a40-0701-8b0e-3720dc6c391d}\vrtaucbl.inf

Filesize
146KB

MD5
cd284d30d5ec39f83b7c821613da2976

SHA1
5e3f1354c586c151707835862c6e5057452c0d98

SHA256
99ef786db4ba2d50baafbe92f03260f54897dc6fba44690e167d80fb10d2553a

SHA512
ee586d46bf046a7ff41e0aab2602de33f05eb91f4116981ca9afbd5ac8004ef8ff7b18f77470204607eedc8800abac7b348ebfef31069c87ca4229d7873680fa

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vrtaucbl.inf_amd64_neutral_48e684fc19a40859\vrtaucbl.PNF

Filesize
261KB

MD5
ea4955c35e077b3bf8fd376eaa93656d

SHA1
c01c8c836277de067737beec5d7a03dd34c52029

SHA256
c71655ad733b63ffba1b518cfffc185e2677bcd48b187ab5dfc9eafa14e2211a

SHA512
cdee06c6a21a5540b3cee9ac93744298781020cc5c722528e7b179fc6c64507156f1ced8629289f6745fa534c948196470007a7a8ae1e81718646fcb6c37e0cf

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
3d4b734d93fa701b7f15968b29feb1d2

SHA1
c3d9984156cf06457937c0819a552104d3923942

SHA256
e9bcb33fe9dfb892c52d8c62dd7f872aee13867a1f1197e4f488041833daf558

SHA512
e6bf4b6b9f357d7d463c851b2a593eea5a26244fe5192f5f91998e2d2138b22375c2dfaa638ee67cfd6cee57c10b07c67fc505beee9cc6d3feabe954acc960aa

Download Submit
C:\Windows\Temp\CabC737.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC7A8.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Program Files\Virtual Audio Cable\audiorepeater.exe

Filesize
43KB

MD5
083fe8d8ea14d13bbd7d397880a83f9c

SHA1
466ec02e7fb587e4e2d54982a6ecbd22aa576db3

SHA256
3fdab2a445aa7f66e55c623f12b5c00a2f589cf4b6bc6d322f7c9f1b949525d9

SHA512
2ef7b7f6747aa143f118fa7359d8e6adab7b6056301f0ea8ae568a6c48c106b611c8607ec5ffaf30538f97d2ebdd7cd6a7bf7af6fd9cc1a712784b578039724e

Download Submit
\Program Files\Virtual Audio Cable\audiorepeater_ks.exe

Filesize
69KB

MD5
df85436fb7df1fd4a42e09328a47f9c9

SHA1
5575195dfb181ec61a95d3b5ce9eb8be89f0e59c

SHA256
8ea0f046b5d8976371bbdf463a543d97caa1762dcc8b61dfd4ecc902cfe040a2

SHA512
8268ed58241edda2cc5d6e9020cbc0d9eb31bbb9346c6e920ed74a17c7c124f1db2807c9fb60fd2c94cf19ad7b35c7a988e05eb292633b4a5c56a3435bad5603

Download Submit
\Program Files\Virtual Audio Cable\setup64.exe

Filesize
94KB

MD5
2e20228c3c51a193037b6a26bda04d9c

SHA1
5e951af9dacaa49a298349552fbd98ff23660af5

SHA256
8ee7977bebe6286238ebeaee977b87dea0f2bc00f256f5ecae0bef6e6414573f

SHA512
b73f8cb39a1218b2438d31ed48429e2f67ad3e06133c0c6d79fe162ddaff12ec60f95a13d91a427b09af83f4ff46b21948dade14acd8bbb019d066fa310a8e25

Download Submit
\Program Files\Virtual Audio Cable\vcctlpan.exe

Filesize
79KB

MD5
2be1766707981ffd4113c7f0b55d4335

SHA1
988a06a7e758c0023e44581fe18cb762cb5b39e2

SHA256
e346a5b8e3ce5470dc3ebcc42597dcfb5e99df80efd75f7c3b01e899b4e66a24

SHA512
23c8ad6b212c47ecf623234611d62b8959f2541257758a777acd9aed3cd528479bf186b68c012fef7b28a5935225bed3803d6d207e58bc68e2e6f0420926a1ae

Download Submit