Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-07-2024 20:09

General

  • Target

    MechvibesPlusPlus.Setup.2.4.0.exe

  • Size

    61.0MB

  • MD5

    ec192ff193117229ab7b9fec5a81e772

  • SHA1

    34f4e8d8b2d22fd589998d13a148b5e2c22c3b4a

  • SHA256

    b1091d37f3d5691e7bf8cbfc46970a9ed643075f07af750175d1a58e03029132

  • SHA512

    5357a64440522ee2c9227f75d3f95b59747ce0c87d7635a89dd36a10f99eeac9a824b343c02c0ab609cbcb6ed771a9c3e13f115d7062964f70e00d1e3d0de956

  • SSDEEP

    1572864:zzb4n3FnJiUkcWP/zKmSJIrlMGDDORT0OBqbSzltm+LA3i:zm3FHT5mSJ8DDgTdCSR4i

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\MechvibesPlusPlus.Setup.2.4.0.exe
    "C:\Users\Admin\AppData\Local\Temp\MechvibesPlusPlus.Setup.2.4.0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Users\Admin\AppData\Local\Temp\mvpp-setup\vcppredist.exe
      C:\Users\Admin\AppData\Local\Temp\mvpp-setup\vcppredist.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\Temp\{C58B51F2-D4A0-4FD7-9624-07C189DC7389}\.cr\vcppredist.exe
        "C:\Windows\Temp\{C58B51F2-D4A0-4FD7-9624-07C189DC7389}\.cr\vcppredist.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\mvpp-setup\vcppredist.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\mvpp-setup\vcppredist.exe

    Filesize

    24.1MB

    MD5

    e091e9e5ede4161b45b880ccd6e140b0

    SHA1

    1a18b960482c2a242df0e891de9e3a125e439122

    SHA256

    cee28f29f904524b7f645bcec3dfdfe38f8269b001144cd909f5d9232890d33b

    SHA512

    fa8627055bbeb641f634b56059e7b5173e7c64faaa663e050c20d01d708a64877e71cd0b974282c70cb448e877313b1cf0519cf6128c733129b045f2b961a09b

  • C:\Users\Admin\AppData\Local\Temp\nsu9F1F.tmp\INetC.dll

    Filesize

    238KB

    MD5

    38caa11a462b16538e0a3daeb2fc0eaf

    SHA1

    c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

    SHA256

    ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

    SHA512

    777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

  • C:\Users\Admin\AppData\Local\Temp\nsu9F1F.tmp\StdUtils.dll

    Filesize

    100KB

    MD5

    c6a6e03f77c313b267498515488c5740

    SHA1

    3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    SHA256

    b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    SHA512

    9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

  • C:\Users\Admin\AppData\Local\Temp\nsu9F1F.tmp\System.dll

    Filesize

    11KB

    MD5

    75ed96254fbf894e42058062b4b4f0d1

    SHA1

    996503f1383b49021eb3427bc28d13b5bbd11977

    SHA256

    a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    SHA512

    58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

  • C:\Users\Admin\AppData\Local\Temp\nsu9F1F.tmp\UAC.dll

    Filesize

    14KB

    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • C:\Windows\Temp\{ABC8B3CA-55FE-4E7C-BDB6-55788835E66C}\.ba\logo.png

    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

  • C:\Windows\Temp\{ABC8B3CA-55FE-4E7C-BDB6-55788835E66C}\.ba\wixstdba.dll

    Filesize

    191KB

    MD5

    eab9caf4277829abdf6223ec1efa0edd

    SHA1

    74862ecf349a9bedd32699f2a7a4e00b4727543d

    SHA256

    a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

    SHA512

    45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

  • C:\Windows\Temp\{C58B51F2-D4A0-4FD7-9624-07C189DC7389}\.cr\vcppredist.exe

    Filesize

    634KB

    MD5

    cb264f7d256b42a54b2129b7a02c1ce3

    SHA1

    d71459e24185f70b0c8647758663b1116a898412

    SHA256

    d6aaee30c9b7edeac6939f78f4a55683c6358d9cc03dac487880d01f18700e83

    SHA512

    4f623f5d21bc216f3dd040e6d0c663a8ea37efe5d0ce5f4aeb1ef5c1f7c873e19d1abc979d3e40d4dc70e2e4f0fc9a1b114b17d9eb852ea9a41d0f84356cd7cb