f280816d87d2bd3b47b04050700837f37348f2378585b632c845656682ff4990

Analysis

max time kernel
138s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TokenVault3.7.exe
Size

4.1MB
MD5

a678dd6b55bf07b1f1be062e74052dbf
SHA1

adde954059ab53a6a4892c2c7c6a42f2cd2fea22
SHA256

f280816d87d2bd3b47b04050700837f37348f2378585b632c845656682ff4990
SHA512

f459f6ffe87e9cc341773f8bc4b13780504a81bb91cc5f60f8a5651e194d6cb2bf235af6720f32c288d9a4ae29dfc7f862cf3737c0a97ef091b6f622ddfff528
SSDEEP

98304:ilqC6O0ae/SCTN4pt5I2Np7N9qLinqr+cCD+EANa:Iix/rN4pECpUiCi+4

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	_is7465.exe

Executes dropped EXE 4 IoCs

pid	Process
2440	_is7465.exe
3512	setup64.exe
2236	_is7465.exe
4636	ISBEW64.exe

Loads dropped DLL 6 IoCs

pid	Process
2440	_is7465.exe
2440	_is7465.exe
2236	_is7465.exe
2236	_is7465.exe
2236	_is7465.exe
2236	_is7465.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2440	3592	TokenVault3.7.exe	82
PID 3592 wrote to memory of 2440	3592	TokenVault3.7.exe	82
PID 3592 wrote to memory of 2440	3592	TokenVault3.7.exe	82
PID 2440 wrote to memory of 3512	2440	_is7465.exe	83
PID 2440 wrote to memory of 3512	2440	_is7465.exe	83
PID 2440 wrote to memory of 2236	2440	_is7465.exe	87
PID 2440 wrote to memory of 2236	2440	_is7465.exe	87
PID 2440 wrote to memory of 2236	2440	_is7465.exe	87
PID 2236 wrote to memory of 4636	2236	_is7465.exe	91
PID 2236 wrote to memory of 4636	2236	_is7465.exe	91
PID 2440 wrote to memory of 2976	2440	_is7465.exe	92
PID 2440 wrote to memory of 2976	2440	_is7465.exe	92
PID 2440 wrote to memory of 2976	2440	_is7465.exe	92

C:\Users\Admin\AppData\Local\Temp\TokenVault3.7.exe
"C:\Users\Admin\AppData\Local\Temp\TokenVault3.7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\{5C91E797-FF69-470A-BF45-29EAD0DB4C72}\_is7465.exe
  "C:\Users\Admin\AppData\Local\Temp\{5C91E797-FF69-470A-BF45-29EAD0DB4C72}\_is7465.exe" -IS_temp ORIGINALSETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" ORIGINALSETUPEXENAME="TokenVault3.7.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\setup64.exe
    "C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\setup64.exe" -embedded:1AC79338-670D-4255-9067-767B106A220C -IS_temp
    3⤵
    - Executes dropped EXE
    PID:3512
- - C:\Users\Admin\AppData\Local\Temp\{5C91E797-FF69-470A-BF45-29EAD0DB4C72}\_is7465.exe
    "C:\Users\Admin\AppData\Local\Temp\{5C91E797-FF69-470A-BF45-29EAD0DB4C72}\_is7465.exe" -embedded:B7A223D9-5105-4554-A7A3-F305A42B5FBA -IS_temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\ISBEW64.exe
      C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{57EED466-55E1-4186-80A9-F314B892778E}
      4⤵
      Executes dropped EXE
      PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\{5C91E797-FF69-470A-BF45-29EAD0DB4C72}\_is7465.exe"
    3⤵
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{5C91E797-FF69-470A-BF45-29EAD0DB4C72}\SuiteSetup.ini

Filesize
129B

MD5
f9682bffda21cbf58cad4e189a0fd369

SHA1
da6a03e8d6b5312dad2890b706c7caf70de4450e

SHA256
f653696b1234dc7cc866aaff9e758155ba05bf58c4045b30ef34f2ba88ef46d7

SHA512
4a7a49ee680f36959c5a99d66be0d73b049af40612e67f9320e67ee29994c92e3714eaf510f39de09a7aacd75d3f3099ff2340222ec40132fa9c166a657e4b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5C91E797-FF69-470A-BF45-29EAD0DB4C72}\_is7465.exe

Filesize
4.1MB

MD5
a678dd6b55bf07b1f1be062e74052dbf

SHA1
adde954059ab53a6a4892c2c7c6a42f2cd2fea22

SHA256
f280816d87d2bd3b47b04050700837f37348f2378585b632c845656682ff4990

SHA512
f459f6ffe87e9cc341773f8bc4b13780504a81bb91cc5f60f8a5651e194d6cb2bf235af6720f32c288d9a4ae29dfc7f862cf3737c0a97ef091b6f622ddfff528

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\1036\EULA.rtf

Filesize
202KB

MD5
97e67e7ff018312f79a8d081786e3743

SHA1
11a6568307ad7992d439b480c6e605e87036d7ee

SHA256
76d7670b9bdb971545603bd010712e44c010e02d66b44d6bae36af626480c37e

SHA512
ca31e177048ab510f3b9f714e6733ec479f11b6ed8776f3ea4b7f7975b3aa1961b8ff77d33fb3e89ba99f71c93bc67b3f70a816cdfd6126cf360fa7aa5d0f841

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\ISBEW64.exe

Filesize
179KB

MD5
7a1c100df8065815dc34c05abc0c13de

SHA1
3c23414ae545d2087e5462a8994d2b87d3e6d9e2

SHA256
e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed

SHA512
bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\ISRT.dll

Filesize
427KB

MD5
85315ad538fa5af8162f1cd2fce1c99d

SHA1
31c177c28a05fa3de5e1f934b96b9d01a8969bba

SHA256
70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7

SHA512
877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\ISSetup.dll

Filesize
1.6MB

MD5
e34c74fce9bf3bd429200f83feb5fc80

SHA1
a37ff5589b8ddbbdffaad8c18c89fd038cd18edd

SHA256
3e3cdf8d4e40efab8039d2677cc785292d00d0ebd8030860ec6bfc1ece842549

SHA512
1f82dcb82de40272a906b5468b5bddfa9393a69efb26ded9c36e537d5861be124831198aaf52f847b4b8ee3eee6db22b0c1ebba168a630ad170a4e01f3ed2da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\LogoSmall.png

Filesize
5KB

MD5
087ee3aa734a620f0f9e0c232954724e

SHA1
381420c05d2774ee25de08a28bc6699813bd4561

SHA256
17aa34c879f245b11bc6ff343c24478f703dbd811234a0657b60ec85a217bc52

SHA512
5f2e3d285e1722003a07e754d89d1e30d6d518af3ddd160f138f3b00d0ae5934a83e17fdfffeb4541955b292220c559559dde1abf2e44b6df6c5933270f879f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\Setup_UI.dll

Filesize
913KB

MD5
b8293704fda9bbb5c8492b626ba1a5ca

SHA1
a9929695fef628f7befa1b1431f4f04c07dd00f3

SHA256
2898e70d50d53b4c3ccd8ecfafe8a89fa99cf98bf7ab4bdf156e19cb19c08e81

SHA512
9d0c7b2e4eba7a3c47c0d41aa0f40eaac034c2b830362e7634dde5736696df69ba39670ada05723bb058c07b6adb60859cb2fcb48d60e103b94fe56170d281af

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\SuiteCustomActions.dll

Filesize
853KB

MD5
92308e44da957b756e0f7fabf8a5fb4f

SHA1
28c58fe59006202535a4cbc578d02b3814e31dec

SHA256
e54fac161d1101f861e6d2a416cda4c5c991234b92e2d731fe253e6a4ba3c705

SHA512
18c322c25546ec4f24f8a5a4f7bd118212e232b00eda101b469f9e1a0101b8bf67e4ee2d9ccde59cc9a033229fa48c2f5f4b61f468ebfb0bb5ad8e95a494ff36

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\setup.inx

Filesize
97KB

MD5
0d4940c3950b1d09d3a52ee5ebab9226

SHA1
c78cf87289e4a013d2d166efdfba3b9350c94056

SHA256
37136385ad99c9b0851aa373ef4d63f425b678335b8c9e8c743f33169fa4e10a

SHA512
b7a5aae1b00a2906c5e5ba566e3c01b6d6c63e1fdeaa8f85e6d90514443a4d69fee3cc3fe1e78d8e0bcde32a10093381abb96863237e46ee99343d577fd47285

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C5B9B9AA-5C74-40E8-97B1-BFC56A370579}\setup64.exe

Filesize
280KB

MD5
e2b0321dfc504ed241804322e10be9c4

SHA1
6ca43b9248d4b500b0904b8a4546d0d87dadcea2

SHA256
8cfb7f682ffeb6388981e587048fd7d336bc73b73e7d25e33558da297d9c481c

SHA512
49ed051673addab41d6df47d6175650da2fdb34ffe69d2b5df23bfe9c0f2f7484f41c8f950f7e81ddd3cd1ad0b14d1d71a91a6a1a2d1394c9a6bb0a795c75fb7

Download Submit
memory/2236-71-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download