056ba75fd3fc5153ab2a92654591dc4ad0a78ddb676c0baf88e36d9bc374d425

General

Target

cvery.com/vnc_manager.exe
Size

12.4MB
MD5

eceac44b43df588080fda269c2433426
SHA1

ca5b4f6ab0c5132da5ae12f1cbadfd89e8afb195
SHA256

ae9bb9f6fcc16ee8aa9ab83d75f30e0bb63fd716779e7fd2942b2f8a79b10676
SHA512

f814b3057022228f6db7dfcecb95d0ac816b2301eaa3562f874d46e3bbfc5a325d5145ddd978697caa4c4371d2342829a41093ae554cfd382b7b202101df8f76
SSDEEP

393216:2sOMPLxrf4bygwTtRtBHXN1/nZVIjXpc7C:3BPLdoUzt99dbIj5c7C

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vnc_manager.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	vnc_manager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	vnc_manager.exe

C:\Users\Admin\AppData\Local\Temp\cvery.com\vnc_manager.exe
"C:\Users\Admin\AppData\Local\Temp\cvery.com\vnc_manager.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_FD86D1AAAEAD155A62F601F343714ED5

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is8E17\0x0409.ini

Filesize
5KB

MD5
9f58efec8728c055771284ff8ed08d1f

SHA1
afc5cdd023539612f9e333353b05daa7c52529be

SHA256
e3bbb08ad52ba0222ab56edf8d2650cf6b1cbdf7c002aba0b6274c9329257b01

SHA512
eda026cf7939a015513b0b18b426704927d53db08152f608fdacf6c851227b039fafa0138c88c7c8915d6614b07fcc86becf17d70ffc7d9b4ef48f5d93c11134

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is8E17\Setup.INI

Filesize
2KB

MD5
f1fca97653bfbb0fcae1fc34bff01efe

SHA1
128524e60c60dede107cd025769fab1d86bffe8a

SHA256
aa07a9b4de65728c3c80e1cd7a2da4625fd0e7cfab92a7d29bd71ed5ed62dd2d

SHA512
58ff9df3dca2903ee23ec433e9dbb0b16501bde4f5b5b84a629af1a9521b13766b396c6a1a3df770fe516f7069a53d8a577714c3c8c9e307ade0092281ffd67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is8E17\_ISMSIDEL.INI

Filesize
208B

MD5
dc747f8700787189fc89a25e874f4a72

SHA1
2e526a5756171426cd1bb9537ab30c33a5f757c8

SHA256
f5418ac932dd0a73bdf1614d426e9b97413a017e642431029defb490d368c31a

SHA512
624dc4b11fa7a032e0d490453a487ecb5f205c1ab7e1c2f6ff59884d0606d7da6d700c962855eed74148121c6ea6e7b8b6eb3f97ae8886fbfa1b0c17454e060f

Download Submit

Analysis

Sharing