Analysis
-
max time kernel
18s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
13-06-2024 17:49
Static task
static1
Behavioral task
behavioral1
Sample
Vault Leaker/installrequirements.bat
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Vault Leaker/installrequirements.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Vault Leaker/vault_leaker.py
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
Vault Leaker/vault_leaker.py
Resource
win10v2004-20240508-en
General
-
Target
Vault Leaker/vault_leaker.py
-
Size
6KB
-
MD5
75b9b2d018480ce2ecf3293037751293
-
SHA1
ecee1c99bcd910b80c363e5903d89fbea8469013
-
SHA256
244aea56faa9f6d56533bf55d46b3012b6f11ea13b3a7ee11a97a1d9b3ce9a2f
-
SHA512
81a9939bd885c31b2528c6cc17912b3de22bdf0af3e3d8d4fd3c91656d18f2e860d462088aab16505e6bef53e43e27d2915a3153ac59b9cac8c42918fbeed1ee
-
SSDEEP
96:vScNZUv+WomIGhZkNhe2vD9AZ93okC0biw0uDxGaqg1K16MsDlKIwbaMGipM:cPI6GvrhW3oZ0bJd9GaqgFrDlKVGim
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.py rundll32.exe Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\py_auto_file\shell\Read rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2692 AcroRd32.exe 2692 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2420 wrote to memory of 2152 2420 cmd.exe rundll32.exe PID 2420 wrote to memory of 2152 2420 cmd.exe rundll32.exe PID 2420 wrote to memory of 2152 2420 cmd.exe rundll32.exe PID 2152 wrote to memory of 2692 2152 rundll32.exe AcroRd32.exe PID 2152 wrote to memory of 2692 2152 rundll32.exe AcroRd32.exe PID 2152 wrote to memory of 2692 2152 rundll32.exe AcroRd32.exe PID 2152 wrote to memory of 2692 2152 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py"3⤵
- Suspicious use of SetWindowsHookEx
PID:2692
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5e5c13763a220257affc98160ccaadd77
SHA1d79aa105cf6e011b095bd2b0ca048d1173e04dd7
SHA25630ff2904d48105b9c9810bbb654249a0a3870ba7d63e62da7775cf63021914a4
SHA512b2adb3d2426fc12b3859dd8452130786d78b25940bc805fbb4d3a1dab543c878b908aa2231d826eaeb3bdf468ecebb456467ad3aaaa7e5d1c8936a9f7ab4f7d7