Analysis

  • max time kernel
    18s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 17:49

General

  • Target

    Vault Leaker/vault_leaker.py

  • Size

    6KB

  • MD5

    75b9b2d018480ce2ecf3293037751293

  • SHA1

    ecee1c99bcd910b80c363e5903d89fbea8469013

  • SHA256

    244aea56faa9f6d56533bf55d46b3012b6f11ea13b3a7ee11a97a1d9b3ce9a2f

  • SHA512

    81a9939bd885c31b2528c6cc17912b3de22bdf0af3e3d8d4fd3c91656d18f2e860d462088aab16505e6bef53e43e27d2915a3153ac59b9cac8c42918fbeed1ee

  • SSDEEP

    96:vScNZUv+WomIGhZkNhe2vD9AZ93okC0biw0uDxGaqg1K16MsDlKIwbaMGipM:cPI6GvrhW3oZ0bJd9GaqgFrDlKVGim

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:2692

  What the tree shows: the submitted file is a Python script, but no Python interpreter appears anywhere in the chain. cmd /c hands the .py path to the shell, the image has no handler registered for that extension, and the shell falls back to the Open With dialog (shell32.dll,OpenAs_RunDLL); that selection resolved to Adobe Reader, which opened the script as a document. The registry class change under rundll32 is consistent with the Open With dialog recording an association, and the SetWindowsHookEx and WriteProcessMemory hits are ordinary side effects of starting those processes, not behaviour of the script. This run therefore says nothing about what vault_leaker.py does; it needs to be resubmitted to an image with Python installed (or launched explicitly via python.exe) before the score or signatures mean anything.
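As an added example, not part of the sandbox report, a small Python triage helper that parses a process tree in the text layout used above (command line, "n⤵" depth marker, PID line) and decides whether the submitted sample was really executed by an interpreter or only handed to the Open With dialog. The first process list is a constructed copy of the tree above; the second is a constructed counter-example of what an actual execution would look like. The interpreter and plumbing image-name sets and the three result labels are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed copy of the process tree shown in the report above:
# one command line, one depth marker ("<n>⤵") and one PID line per process.
REPORT_PROCESSES = r'''
cmd /c "C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py"
1⤵
PID:2420
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py
2⤵
PID:2152
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py"
3⤵
PID:2692
'''

# Constructed counter-example (not from the report): a run where an
# interpreter actually receives the script.
EXECUTED_PROCESSES = r'''
cmd /c "C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py"
1⤵
PID:1000
"C:\Python27\python.exe" "C:\Users\Admin\AppData\Local\Temp\Vault Leaker\vault_leaker.py"
2⤵
PID:1001
'''

# Image names that count as interpreting a .py file (assumption of this example).
INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe"}
# Shell plumbing that passes the path along but never runs the target's code.
PLUMBING = {"cmd", "cmd.exe", "rundll32.exe", "explorer.exe"}


@dataclass
class Proc:
    depth: int
    pid: int
    cmdline: str


def parse_tree(text: str) -> list[Proc]:
    """Parse the three-lines-per-process layout into Proc records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    procs = []
    for cmd, depth, pid in zip(lines[0::3], lines[1::3], lines[2::3]):
        procs.append(Proc(int(depth.rstrip("⤵")), int(pid.split(":", 1)[1]), cmd))
    return procs


def image_name(cmdline: str) -> str:
    """Lowercased basename of the executable token of a command line."""
    if cmdline.startswith('"'):
        exe = cmdline.split('"', 2)[1]        # quoted path: take what is inside the quotes
    else:
        exe = cmdline.split(None, 1)[0]       # unquoted: first whitespace-delimited token
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def handlers(procs: list[Proc], target: str) -> list[str]:
    """Images, other than shell plumbing, that got the target path on their command line."""
    t = target.lower()
    return [image_name(p.cmdline) for p in procs
            if t in p.cmdline.lower() and image_name(p.cmdline) not in PLUMBING]


def triage(procs: list[Proc], target: str) -> str:
    """'executed' if an interpreter ran the target, 'open-with-fallback' if the
    shell punted to the Open With dialog (OpenAs_RunDLL), else 'not-executed'."""
    if any(h in INTERPRETERS for h in handlers(procs, target)):
        return "executed"
    if any("openas_rundll" in p.cmdline.lower() for p in procs):
        return "open-with-fallback"
    return "not-executed"


if __name__ == "__main__":
    tree = parse_tree(REPORT_PROCESSES)
    print(triage(tree, "vault_leaker.py"), handlers(tree, "vault_leaker.py"))
```

On the tree from this report the helper returns "open-with-fallback" with AcroRd32.exe as the only non-plumbing handler, which is the signal to discard the run rather than read anything into its score; a report whose tree contains python.exe with the script on its command line classifies as "executed".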

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    e5c13763a220257affc98160ccaadd77

    SHA1

    d79aa105cf6e011b095bd2b0ca048d1173e04dd7

    SHA256

    30ff2904d48105b9c9810bbb654249a0a3870ba7d63e62da7775cf63021914a4

    SHA512

    b2adb3d2426fc12b3859dd8452130786d78b25940bc805fbb4d3a1dab543c878b908aa2231d826eaeb3bdf468ecebb456467ad3aaaa7e5d1c8936a9f7ab4f7d7