Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/05/2024, 21:56
Behavioral tasks
behavioral1: sample Vapecracked_by_decends.exe, resource win7-20240508-en
behavioral2: sample Vapecracked_by_decends.exe, resource win10v2004-20240508-en
behavioral3: sample Vapecracked_by_decends.pyc, resource win7-20240221-en
behavioral4: sample Vapecracked_by_decends.pyc, resource win10v2004-20240426-en
General
Target: Vapecracked_by_decends.pyc
Size: 44KB
MD5: afb2faeba2b569735b846f69cb6ead22
SHA1: a689e4e63790e6abc2d192a96c669c8efa90dd97
SHA256: 4ab8d7afcd37d089249ed9843ee5e39b7a888bdb8c6fb6c6b6008c6c899b42af
SHA512: 85ba8c076b6d83246c5f6546beb312203cdb4a511a021d26da0f5f7eeba43a572012c2245c98f8cd23ea9f53e6dafa0e101d3177728685de7a46279abe263b46
SSDEEP: 768:n9JW5Lk8biiNW6Qh7i2kHHvxNMHEAN/3HiPcpV3k40GQ7bhksvQZwATDlhLx3Vpb:n9JW9siATRi22vxNsEAN8kKlp7bOs27t
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\ | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2708 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2708 | AcroRd32.exe
2708 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2928 wrote to memory of 2660 | 2928 | cmd.exe | 29
PID 2928 wrote to memory of 2660 | 2928 | cmd.exe | 29
PID 2928 wrote to memory of 2660 | 2928 | cmd.exe | 29
PID 2660 wrote to memory of 2708 | 2660 | rundll32.exe | 30
PID 2660 wrote to memory of 2708 | 2660 | rundll32.exe | 30
PID 2660 wrote to memory of 2708 | 2660 | rundll32.exe | 30
PID 2660 wrote to memory of 2708 | 2660 | rundll32.exe | 30
Processes
[1] C:\Windows\system32\cmd.exe (PID 2928)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Vapecracked_by_decends.pyc
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\rundll32.exe (PID 2660)
        command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Vapecracked_by_decends.pyc
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2708)
            command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Vapecracked_by_decends.pyc"
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: b212f8132f895adacc150098c46ea1be
SHA1: 36eb6a21ab9ae246de906191882c085800c30ea2
SHA256: fff06ef2519711620d6b04606b6aeef192005ed560e541f0254348db926bc997
SHA512: 333e22ec5b418070555a0498f04e6f7df6460b8a9ebca508c5ee61fd5b76b38025cab985a0f209e50c247420bf3856c345caa9bbfa6f0246f265a49712c3fb23