Overview

Static: 8

| Score | Sample | Platform |
|-------|--------|----------|
| 1 | Beni Oku -...Me.vbe | windows7-x64 |
| 1 | Beni Oku -...Me.vbe | windows10-2004-x64 |
| 1 | Ne ararsan...in.url | windows7-x64 |
| 1 | Ne ararsan...in.url | windows10-2004-x64 |
| 1 | homepage.url | windows7-x64 |
| 6 | homepage.url | windows10-2004-x64 |
| 3 | setup.exe | windows7-x64 |
| 8 | setup.exe | windows10-2004-x64 |
| 8 | setup64.exe | windows7-x64 |
| 8 | setup64.exe | windows10-2004-x64 |
| 8 | vac.chm | windows7-x64 |
| 1 | vac.chm | windows10-2004-x64 |
| 1 | x64/audiorepeater.exe | windows7-x64 |
| 1 | x64/audiorepeater.exe | windows10-2004-x64 |
| 1 | x64/audior...ks.exe | windows7-x64 |
| 1 | x64/audior...ks.exe | windows10-2004-x64 |
| 1 | x64/vcctlpan.exe | windows7-x64 |
| 1 | x64/vcctlpan.exe | windows10-2004-x64 |
| 1 | x64/vrtaucbl.sys | windows7-x64 |
| 1 | x64/vrtaucbl.sys | windows10-2004-x64 |
| 1 | x86/audiorepeater.exe | windows7-x64 |
| 1 | x86/audiorepeater.exe | windows10-2004-x64 |
| 1 | x86/audior...ks.exe | windows7-x64 |
| 1 | x86/audior...ks.exe | windows10-2004-x64 |
| 1 | x86/vcctlpan.exe | windows7-x64 |
| 1 | x86/vcctlpan.exe | windows10-2004-x64 |
| 1 | x86/vrtaucbl.sys | windows7-x64 |
| 1 | x86/vrtaucbl.sys | windows10-2004-x64 |
Analysis

- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/05/2024, 18:24
Static task: static1

| Behavioral task | Sample | Resource |
|-----------------|--------|----------|
| behavioral1 | Beni Oku - Read Me.vbe | win7-20240508-en |
| behavioral2 | Beni Oku - Read Me.vbe | win10v2004-20240426-en |
| behavioral3 | Ne ararsanız mevcut tılayın--indirin.url | win7-20240508-en |
| behavioral4 | Ne ararsanız mevcut tılayın--indirin.url | win10v2004-20240426-en |
| behavioral5 | homepage.url | win7-20240419-en |
| behavioral6 | homepage.url | win10v2004-20240508-en |
| behavioral7 | setup.exe | win7-20240221-en |
| behavioral8 | setup.exe | win10v2004-20240426-en |
| behavioral9 | setup64.exe | win7-20240221-en |
| behavioral10 | setup64.exe | win10v2004-20240426-en |
| behavioral11 | vac.chm | win7-20240419-en |
| behavioral12 | vac.chm | win10v2004-20240426-en |
| behavioral13 | x64/audiorepeater.exe | win7-20240220-en |
| behavioral14 | x64/audiorepeater.exe | win10v2004-20240508-en |
| behavioral15 | x64/audiorepeater_ks.exe | win7-20240508-en |
| behavioral16 | x64/audiorepeater_ks.exe | win10v2004-20240508-en |
| behavioral17 | x64/vcctlpan.exe | win7-20240508-en |
| behavioral18 | x64/vcctlpan.exe | win10v2004-20240508-en |
| behavioral19 | x64/vrtaucbl.sys | win7-20240221-en |
| behavioral20 | x64/vrtaucbl.sys | win10v2004-20240226-en |
| behavioral21 | x86/audiorepeater.exe | win7-20240221-en |
| behavioral22 | x86/audiorepeater.exe | win10v2004-20240508-en |
| behavioral23 | x86/audiorepeater_ks.exe | win7-20240215-en |
| behavioral24 | x86/audiorepeater_ks.exe | win10v2004-20240426-en |
| behavioral25 | x86/vcctlpan.exe | win7-20240508-en |
| behavioral26 | x86/vcctlpan.exe | win10v2004-20240508-en |
| behavioral27 | x86/vrtaucbl.sys | win7-20240220-en |
| behavioral28 | x86/vrtaucbl.sys | win10v2004-20240426-en |
General

- Target: setup.exe
- Size: 82KB
- MD5: 39d9f87b6eac02adac83157f55a65e26
- SHA1: 67c7d19666939804e1d08261b915e49c8829be20
- SHA256: 19bde26e840546d79ac6930106c0edeae0b61412eeb1634dd7e2379618e9ee27
- SHA512: 75c15fcecb1829cf003b2c925337bd264da38307c0123c3ab1e34bf5f8723a9201836498437939a1caa69c8cd74fad70e8416404530895da784c028db1559818
- SSDEEP: 1536:9gagi9op3hsjWdC2Re3jeTSWpqyViZXseg:9gK9oZhsjWdCPKTSWpq4iJ5g
Malware Config
Signatures
Drops file in Drivers directory (6 IoCs)

| Description | IoC | Process |
|-------------|-----|---------|
| File opened for modification | C:\Windows\System32\drivers\drmk.sys | DrvInst.exe |
| File opened for modification | C:\Windows\System32\drivers\portcls.sys | DrvInst.exe |
| File created | C:\Windows\System32\Drivers\vrtaucbl.sys | setup64.exe |
| File opened for modification | C:\Windows\system32\drivers\SET438C.tmp | DrvInst.exe |
| File created | C:\Windows\system32\drivers\SET438C.tmp | DrvInst.exe |
| File opened for modification | C:\Windows\system32\drivers\vrtaucbl.sys | DrvInst.exe |
Manipulates Digital Signatures (1 TTPs, 1 IoCs)

Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as valid.

| Description | IoC | Process |
|-------------|-----|---------|
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\4E77B804FF532214FE99C4FE28B5C9411BD5BA1B\Blob = [blob data omitted] | DrvInst.exe |
Checks computer location settings (2 TTPs, 1 IoCs)

Looks up the country code configured in the registry, likely for geofencing.

| Description | IoC | Process |
|-------------|-----|---------|
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | setup.exe |
Enumerates connected drives (3 TTPs, 23 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| Description | IoC | Process |
|-------------|-----|---------|
| File opened (read-only) | \??\V: | setup64.exe |
| File opened (read-only) | \??\W: | setup64.exe |
| File opened (read-only) | \??\X: | setup64.exe |
| File opened (read-only) | \??\Y: | setup64.exe |
| File opened (read-only) | \??\Z: | setup64.exe |
| File opened (read-only) | \??\E: | setup64.exe |
| File opened (read-only) | \??\J: | setup64.exe |
| File opened (read-only) | \??\S: | setup64.exe |
| File opened (read-only) | \??\I: | setup64.exe |
| File opened (read-only) | \??\K: | setup64.exe |
| File opened (read-only) | \??\L: | setup64.exe |
| File opened (read-only) | \??\M: | setup64.exe |
| File opened (read-only) | \??\N: | setup64.exe |
| File opened (read-only) | \??\A: | setup64.exe |
| File opened (read-only) | \??\G: | setup64.exe |
| File opened (read-only) | \??\H: | setup64.exe |
| File opened (read-only) | \??\O: | setup64.exe |
| File opened (read-only) | \??\R: | setup64.exe |
| File opened (read-only) | \??\T: | setup64.exe |
| File opened (read-only) | \??\P: | setup64.exe |
| File opened (read-only) | \??\B: | setup64.exe |
| File opened (read-only) | \??\Q: | setup64.exe |
| File opened (read-only) | \??\U: | setup64.exe |
Drops file in System32 directory (17 IoCs)

| Description | IoC | Process |
|-------------|-----|---------|
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\SET3342.tmp | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vrtaucbl.inf_amd64_48e684fc19a40859\vrtaucbl.cat | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vrtaucbl.inf_amd64_48e684fc19a40859\vrtaucbl.inf | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447} | DrvInst.exe |
| File created | C:\Windows\System32\DriverStore\FileRepository\vrtaucbl.inf_amd64_48e684fc19a40859\vrtaucbl.PNF | setup64.exe |
| File created | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\x64\SET3330.tmp | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\vrtaucbl.cat | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\vrtaucbl.inf | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\vrtaucbl.inf_amd64_48e684fc19a40859\x64\vrtaucbl.sys | DrvInst.exe |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\SET3341.tmp | DrvInst.exe |
| File created | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\SET3342.tmp | DrvInst.exe |
| File created | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\SET3341.tmp | DrvInst.exe |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\x64 | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\x64\SET3330.tmp | DrvInst.exe |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\x64\vrtaucbl.sys | DrvInst.exe |
Drops file in Program Files directory (11 IoCs)

| Description | IoC | Process |
|-------------|-----|---------|
| File created | C:\Program Files\Virtual Audio Cable\homepage.url | setup64.exe |
| File created | C:\Program Files\Virtual Audio Cable\license.txt | setup64.exe |
| File created | C:\Program Files\Virtual Audio Cable\audiorepeater_ks.exe | setup64.exe |
| File created | C:\Program Files\Virtual Audio Cable\setup64.exe | setup64.exe |
| File created | C:\Program Files\Virtual Audio Cable\uninst.ini | setup64.exe |
| File opened for modification | C:\Program Files\Virtual Audio Cable\uninst.ini | setup64.exe |
| File created | C:\Program Files\Virtual Audio Cable\install.log | setup64.exe |
| File created | C:\Program Files\Virtual Audio Cable\vac.chm | setup64.exe |
| File created | C:\Program Files\Virtual Audio Cable\readme.txt | setup64.exe |
| File created | C:\Program Files\Virtual Audio Cable\vcctlpan.exe | setup64.exe |
| File created | C:\Program Files\Virtual Audio Cable\audiorepeater.exe | setup64.exe |
Drops file in Windows directory (7 IoCs)

| Description | IoC | Process |
|-------------|-----|---------|
| File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe |
| File created | C:\Windows\INF\c_media.PNF | rundll32.exe |
| File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe |
| File created | C:\Windows\inf\oem3.inf | DrvInst.exe |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | setup64.exe |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe |
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 42 IoCs)

SCSI information is often read in order to detect sandboxing environments.

| Description | IoC | Process |
|-------------|-----|---------|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | setup64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | setup64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | setup64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | setup64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | setup64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | setup64.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | DrvInst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | setup64.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | DrvInst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | DrvInst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | setup64.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | DrvInst.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | setup64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | setup64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | setup64.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | setup64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | setup64.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | svchost.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | setup64.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | setup64.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | setup64.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | svchost.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | DrvInst.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | DrvInst.exe |
Modifies data under HKEY_USERS (42 IoCs)

| Description | IoC | Process |
|-------------|-----|---------|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe |
Suspicious use of AdjustPrivilegeToken (16 IoCs)

| Description | PID | Process |
|-------------|-----|---------|
| Token: SeLoadDriverPrivilege | 820 | setup64.exe |
| Token: SeShutdownPrivilege | 820 | setup64.exe |
| Token: SeLoadDriverPrivilege | 820 | setup64.exe |
| Token: SeAuditPrivilege | 3408 | svchost.exe |
| Token: SeSecurityPrivilege | 3408 | svchost.exe |
| Token: SeLoadDriverPrivilege | 820 | setup64.exe |
| Token: SeRestorePrivilege | 1784 | DrvInst.exe |
| Token: SeBackupPrivilege | 1784 | DrvInst.exe |
| Token: SeRestorePrivilege | 1784 | DrvInst.exe |
| Token: SeBackupPrivilege | 1784 | DrvInst.exe |
| Token: SeRestorePrivilege | 1784 | DrvInst.exe |
| Token: SeBackupPrivilege | 1784 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 1784 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 1784 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 1784 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 820 | setup64.exe |
Suspicious use of WriteProcessMemory (8 IoCs)

| Description | PID | Process | Target process id |
|-------------|-----|---------|-------------------|
| PID 2832 wrote to memory of 820 | 2832 | setup.exe | 83 |
| PID 2832 wrote to memory of 820 | 2832 | setup.exe | 83 |
| PID 3408 wrote to memory of 396 | 3408 | svchost.exe | 98 |
| PID 3408 wrote to memory of 396 | 3408 | svchost.exe | 98 |
| PID 396 wrote to memory of 1444 | 396 | DrvInst.exe | 99 |
| PID 396 wrote to memory of 1444 | 396 | DrvInst.exe | 99 |
| PID 3408 wrote to memory of 1784 | 3408 | svchost.exe | 101 |
| PID 3408 wrote to memory of 1784 | 3408 | svchost.exe | 101 |
Processes

- C:\Users\Admin\AppData\Local\Temp\setup.exe (PID 2832)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\setup64.exe (PID 820)
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup64.exe"
    - Drops file in Drivers directory
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\svchost.exe (PID 3408)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\DrvInst.exe (PID 396)
    Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{082ad56a-4aa5-e849-af69-7b0c64a561e3}\vrtaucbl.inf" "9" "468e82127" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\local\temp"
    - Manipulates Digital Signatures
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\system32\rundll32.exe (PID 1444)
      Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{b3f36715-e21a-2840-a5fb-3e15bde0e3fb} Global\{82f6c8ba-bc8f-0f4a-a79e-eb5b9629a5a0} C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\vrtaucbl.inf C:\Windows\System32\DriverStore\Temp\{d18367ff-20a6-ec49-9b36-be9c3b456447}\vrtaucbl.cat
      - Drops file in Windows directory
  - Child: C:\Windows\system32\DrvInst.exe (PID 1784)
    Command line: DrvInst.exe "2" "11" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73af0c48fa1f:DevInst:4.15.0.7314:eumusdesign_vac_wdm," "468e82127" "0000000000000148"
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 111KB
  MD5: fa179e2c627478688aea97755be41e08
  SHA1: 7fadc17c026a0c2071d0f83363be1d739ceb4510
  SHA256: 93f0e39029a802abb06115a89827a9a1d2a2eb28e0cacef16a59ed06c9d30113
  SHA512: 3da57630cecfd6eab011df8820ca35f9a11cce770b8333b3ee9a74a2ee1cb105c5b036553666f77ffa78eee4f1d9605cdd69c2eba8757c13a2746466b683b3a4

- Filesize: 146KB
  MD5: cd284d30d5ec39f83b7c821613da2976
  SHA1: 5e3f1354c586c151707835862c6e5057452c0d98
  SHA256: 99ef786db4ba2d50baafbe92f03260f54897dc6fba44690e167d80fb10d2553a
  SHA512: ee586d46bf046a7ff41e0aab2602de33f05eb91f4116981ca9afbd5ac8004ef8ff7b18f77470204607eedc8800abac7b348ebfef31069c87ca4229d7873680fa

- Filesize: 7KB
  MD5: a78e7c41c8db9704715878d3d8384228
  SHA1: e0f3380d8814cbf68bd058f2f0432ecfa290816d
  SHA256: 5ad66cbffcd35c77516d47b99a96e0dad0c3eb76defc03eeb3357d904d30ea5d
  SHA512: 2cc622f888d9653aca374639f0f41312d580877baba78f227fe4da2f0bea2f16605c620ce834066434695ff7e8f400ea786c83bfa647eae6d702ab351c5d426a