d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Size

234KB
MD5

183046f592877106cc353e1b9ee1d354
SHA1

bdb0f3001c1cbd686a4fe25d55d77a76703a03c1
SHA256

d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e
SHA512

6d8e410f1016fb8319a6046b38dd6eef66944cdb1a05a23b11ed131d3829e89172032c0e3045bc21097d0bf7119bbcabad6e65dbb4181ff64229002491ed79e7
SSDEEP

1536:DPQc0IiI+7vAIIzuQ8Tr15WUkTdIOzq0ZDFtnJvx/lJRaCAd1uhNR:rQc01zAf6QGkBIO20ZRfvH

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dvm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe

Executes dropped EXE 6 IoCs

pid	Process
2936	dvm.exe
2928	dvm.exe
2480	dvm.exe
2496	vspmng.exe
1732	dvm.exe
640	vspconsole.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmcsp = "c:\\windows\\system32\\wmcsp.exe"	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winvsp = "c:\\windows\\system32\\winvsp.exe"	dvm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmcsp = "c:\\windows\\system32\\wmcsp.exe"	dvm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcvsp = "c:\\windows\\system32\\svcvsp.exe"	dvm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vspmem = "c:\\windows\\system32\\vspmem.exe"	dvm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winvsp = "c:\\windows\\system32\\winvsp.exe"	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vspmem = "c:\\windows\\system32\\vspmem.exe"	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcvsp = "c:\\windows\\system32\\svcvsp.exe"	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vspmem = "c:\\windows\\system32\\vspmem.exe"	dvm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmcsp = "c:\\windows\\system32\\wmcsp.exe"	dvm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svcvsp = "c:\\windows\\system32\\svcvsp.exe"	dvm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winvsp = "c:\\windows\\system32\\winvsp.exe"	dvm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\dvm.exe	dvm.exe
File opened for modification	C:\Windows\system32\dvm.exe	dvm.exe
File created	\??\c:\windows\system32\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\system32\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX86B3.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX86B4.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX8A24.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX9615.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX86B1.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\system32\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\winvsp.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\svcvsp.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX9613.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\winvsp.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\vspmem.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\vspconsole.exe	dvm.exe
File created	\??\c:\windows\system32\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX869F.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX8A22.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\vspconsole.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\wmcsp.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX8AC1.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX95F9.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\dvm.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX8A21.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	C:\Windows\system32\winvsp.exe	dvm.exe
File opened for modification	C:\Windows\system32\vspmng.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX95FA.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX95FB.tmp	dvm.exe
File created	\??\c:\windows\system32\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX960D.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX9611.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX9629.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX965B.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX868F.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX8A1F.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\vspmng.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX9614.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\svcvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX8A23.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\wmcsp.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\svcvsp.exe	dvm.exe
File opened for modification	C:\Windows\system32\svcvsp.exe	dvm.exe
File created	\??\c:\windows\system32\dvm.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\vspmng.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX9612.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX9616.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX960F.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX9610.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX9627.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX9628.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX9639.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\system32\RCX86B2.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	C:\Windows\system32\vspmem.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\vspmem.exe	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX960E.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX95FD.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX963A.tmp	dvm.exe
File opened for modification	\??\c:\windows\system32\RCX866F.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe

Drops file in Program Files directory 62 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX945B.tmp	dvm.exe
File opened for modification	\??\c:\program files\wmcsp.exe	dvm.exe
File opened for modification	\??\c:\program files\RCX9771.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX945E.tmp	dvm.exe
File opened for modification	\??\c:\program files\vspmem.exe	dvm.exe
File created	\??\c:\program files\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\vspmem.exe	dvm.exe
File opened for modification	\??\c:\program files\vspconsole.exe	dvm.exe
File created	\??\c:\program files\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9449.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX974C.tmp	dvm.exe
File opened for modification	\??\c:\program files\svcvsp.exe	dvm.exe
File opened for modification	\??\c:\program files\RCX9773.tmp	dvm.exe
File opened for modification	\??\c:\program files\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\program files\dvm.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX976E.tmp	dvm.exe
File created	\??\c:\program files\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX8EBF.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\wmcsp.exe	dvm.exe
File opened for modification	\??\c:\program files\RCX9460.tmp	dvm.exe
File opened for modification	\??\c:\program files\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\program files\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9772.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX8EAD.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\dvm.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX944B.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX945D.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX9463.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX976D.tmp	dvm.exe
File opened for modification	\??\c:\program files\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\winvsp.exe	dvm.exe
File opened for modification	\??\c:\program files\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\winvsp.exe	dvm.exe
File opened for modification	\??\c:\program files\RCX9437.tmp	dvm.exe
File opened for modification	\??\c:\program files\svcvsp.exe	dvm.exe
File opened for modification	\??\c:\program files\RCX945C.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX945F.tmp	dvm.exe
File opened for modification	\??\c:\program files\vspmng.exe	dvm.exe
File opened for modification	\??\c:\program files\RCX8EC0.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX975D.tmp	dvm.exe
File created	\??\c:\program files\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9448.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX944A.tmp	dvm.exe
File opened for modification	\??\c:\program files\dvm.exe	dvm.exe
File opened for modification	\??\c:\program files\RCX974B.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX9770.tmp	dvm.exe
File created	\??\c:\program files\svcvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9461.tmp	dvm.exe
File opened for modification	\??\c:\program files\svcvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX8EC1.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\vspconsole.exe	dvm.exe
File opened for modification	\??\c:\program files\RCX8EBE.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9738.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX9749.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX974A.tmp	dvm.exe
File opened for modification	\??\c:\program files\RCX976F.tmp	dvm.exe
File opened for modification	\??\c:\program files\vspmng.exe	dvm.exe
File opened for modification	\??\c:\program files\RCX8EC2.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\program files\RCX9462.tmp	dvm.exe
File opened for modification	\??\c:\program files\dvm.exe	dvm.exe
File opened for modification	\??\c:\program files\RCX9793.tmp	dvm.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\RCX8AC7.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8E39.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\svcvsp.exe	dvm.exe
File opened for modification	\??\c:\windows\RCX96FD.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX8AC2.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8AD9.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8E38.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX93E8.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX96E9.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX970E.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX970F.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX8AC3.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\dvm.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX93E6.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX8AC4.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspconsole.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\winvsp.exe	dvm.exe
File opened for modification	\??\c:\windows\wmcsp.exe	dvm.exe
File opened for modification	\??\c:\windows\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8AD8.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\winvsp.exe	dvm.exe
File opened for modification	\??\c:\windows\RCX96FE.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX9723.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX9726.tmp	dvm.exe
File opened for modification	\??\c:\windows\wmcsp.exe	dvm.exe
File opened for modification	\??\c:\windows\RCX9725.tmp	dvm.exe
File created	\??\c:\windows\winvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8AD7.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\svcvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8E36.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8E3A.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8E3C.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8E3E.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX96E8.tmp	dvm.exe
File opened for modification	\??\c:\windows\vspconsole.exe	dvm.exe
File opened for modification	\??\c:\windows\dvm.exe	dvm.exe
File opened for modification	\??\c:\windows\RCX9737.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX8AC5.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspmng.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspmem.exe	dvm.exe
File opened for modification	\??\c:\windows\RCX93E7.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX96EA.tmp	dvm.exe
File opened for modification	\??\c:\windows\RCX9711.tmp	dvm.exe
File opened for modification	\??\c:\windows\svcvsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\dvm.exe	dvm.exe
File opened for modification	\??\c:\windows\RCX8E37.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspmng.exe	dvm.exe
File opened for modification	\??\c:\windows\vspmng.exe	dvm.exe
File created	\??\c:\windows\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File created	\??\c:\windows\dvm.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX9727.tmp	dvm.exe
File created	\??\c:\windows\vspmem.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8E3B.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\vspmem.exe	dvm.exe
File created	\??\c:\windows\dvm.exe	dvm.exe
File opened for modification	\??\c:\windows\RCX8EAC.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX96FC.tmp	dvm.exe
File opened for modification	\??\c:\windows\wmcsp.exe	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8ADA.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8E35.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
File opened for modification	\??\c:\windows\RCX8E3D.tmp	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	dvm.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000050937e49d3eada01	dvm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	dvm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dvm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "2"	dvm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dvm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	dvm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	dvm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2496	vspmng.exe
2496	vspmng.exe
640	vspconsole.exe
640	vspconsole.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2936	dvm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	vspmng.exe
Token: SeDebugPrivilege	640	vspconsole.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1796	1968	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe	30
PID 1968 wrote to memory of 1796	1968	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe	30
PID 1968 wrote to memory of 1796	1968	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe	30
PID 1968 wrote to memory of 2936	1968	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe	31
PID 1968 wrote to memory of 2936	1968	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe	31
PID 1968 wrote to memory of 2936	1968	d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe	31
PID 2928 wrote to memory of 2480	2928	dvm.exe	33
PID 2928 wrote to memory of 2480	2928	dvm.exe	33
PID 2928 wrote to memory of 2480	2928	dvm.exe	33
PID 2928 wrote to memory of 2496	2928	dvm.exe	34
PID 2928 wrote to memory of 2496	2928	dvm.exe	34
PID 2928 wrote to memory of 2496	2928	dvm.exe	34
PID 2936 wrote to memory of 1732	2936	dvm.exe	36
PID 2936 wrote to memory of 1732	2936	dvm.exe	36
PID 2936 wrote to memory of 1732	2936	dvm.exe	36
PID 2936 wrote to memory of 640	2936	dvm.exe	37
PID 2936 wrote to memory of 640	2936	dvm.exe	37
PID 2936 wrote to memory of 640	2936	dvm.exe	37

C:\Users\Admin\AppData\Local\Temp\d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
"C:\Users\Admin\AppData\Local\Temp\d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe
  "C:\Users\Admin\AppData\Local\Temp\d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e.exe" rg
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Adds Run key to start application
  PID:1796
- C:\windows\dvm.exe
  "C:\windows\dvm.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\windows\dvm.exe
    "C:\windows\dvm.exe" rg
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    PID:1732
- - C:\windows\system32\vspconsole.exe
    "C:\windows\system32\vspconsole.exe" wm 2936
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:640

C:\windows\dvm.exe
"C:\windows\dvm.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2928
- C:\windows\dvm.exe
  "C:\windows\dvm.exe" rg
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies data under HKEY_USERS
  PID:2480
- C:\programdata\vspmng.exe
  "C:\programdata\vspmng.exe" ws 2928 winvsp
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\RCXD04D.tmp

Filesize
233KB

MD5
555d14422aee35a3f64e534fef428d45

SHA1
077d797ae8f8147e5c705874f70d2285a72af978

SHA256
0b717be1c3ec6581db450cf6a592c685aaaf3844d8b9ccad94fe5da466d8290b

SHA512
4fc557dde59d4ce507bef8902e8b706724f1b1ef3bd04633430798da26039b5fdea2fdbde0c7100a0ed2195603d135b503203fa26bfc183c1c40b8a97a3cad15

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
234KB

MD5
d85a75a6a123cb313bd4bf013c80447b

SHA1
cc2615c51fc16c6da94692d430d6a45809f164d1

SHA256
57dc79eb271bb7d23e90dd914f29c15565a879033741713d580faedef04de31f

SHA512
9b90fad8d3a7d38145b4b0fe0596a776807b58e76da3b938b61ab8ca3b64f086895feebbf66c5c88b41cae135a380efbc879b33ab582ffb3dc76c762f62dd2ca

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\RCXE1FC.tmp

Filesize
235KB

MD5
ef3f49bfae3953ed9ade8b5defdddc1d

SHA1
93e07620e09bbc6c6b50628f475339414f0ca46b

SHA256
be293243e608f4a92b7f8fed75eab21bd618e6853f59083c2a3d2d5b631c1945

SHA512
c07033a52c89bc3d12f697c95928bc789c547051003da1ff7f15218db67f43413db0063e1fd11509618b9f70b533ea772398fa532caef6736eea5929b8623b23

Download Submit
C:\Windows\System32\RCX8A1F.tmp

Filesize
233KB

MD5
244569fd6100ba4f1281eacd07b9c901

SHA1
4e11cf30ae7f785db0958bcaf0299e363fb4394f

SHA256
0999259a208c782ae96d692cc841dfd3c1697f2bc0603d0ea6ff8cc5d11c6fe5

SHA512
3ba46d83a0a0c302ad4e533f84738d3f07457c73f4eb224d1454f13c6aa5cbe25438233ac5652c2da8c171f51f6bcdab89f1721398e8dab28d20682fd03059db

Download Submit
C:\Windows\System32\RCX8A20.tmp

Filesize
234KB

MD5
c7493a0bc7fb4b47e46cd9bc7cf79741

SHA1
0077de692ab09914f5c3ea58278d3dc145f59f6f

SHA256
d48ad1de7882ee2b6c055c14a17a190f4d45371f67e970808ce421aa1b64262a

SHA512
7e3fbddf8cd0cf5d6615f7d5b71b033b8476224dfd02bc042e4b97f9743cf7a64c31dc96ac63b03b731a5fba5a820f6e1b7dc645d58ad07990ad665f0a159c1f

Download Submit
C:\Windows\System32\winvsp.exe

Filesize
234KB

MD5
183046f592877106cc353e1b9ee1d354

SHA1
bdb0f3001c1cbd686a4fe25d55d77a76703a03c1

SHA256
d5a15ee6caf431c2d70b895d92ba7d8b5631e096377ccd5b3efb0706350a193e

SHA512
6d8e410f1016fb8319a6046b38dd6eef66944cdb1a05a23b11ed131d3829e89172032c0e3045bc21097d0bf7119bbcabad6e65dbb4181ff64229002491ed79e7

Download Submit
\??\c:\program files\vspmem.exe

Filesize
234KB

MD5
bcb8067d6356b66c43cd28a322b93240

SHA1
484a9c5ddc4d7075cee963f11aa7bf887cc00713

SHA256
038e076af4101e1c2bc071e72df8628d714b264bb10f11fd5c9da6b1e12c6c66

SHA512
e16f59014bce890c5dd5660a2dca7d74b72c2535072f3a0669f8fb64e59deacf25c40357dfb847a2ef55eeed67d644320cbe93bd069b5c34808ccec61fcc41b1

Download Submit
\??\c:\program files\wmcsp.exe

Filesize
234KB

MD5
0012424221bd3fc1e6e86b3ee89f0537

SHA1
72a49ac9196fc2dda1bdec17f4ef687eb2265941

SHA256
9b4d44e380ce5bea926a36b2d07f747e6ab888a5e2f97d573cf8a319893c5cce

SHA512
668dbe7250eff400764e810763c7b1c6ace530c5c3dd0925bd90cbf203f5e40d4ca951eb2757f9f541cdc0052d68af230fbb19c76c855d4ca730d247fec39d39

Download Submit
\??\c:\programdata\vspmem.exe

Filesize
234KB

MD5
8f66a888620d9ba8188c06a4474d5a25

SHA1
add923a0b218e74a5cb419ed675de780347cbbce

SHA256
318f1d432f6467f78662705486e37e47ee898de53f57c1497aa2bb4385d5aae9

SHA512
0879a2afde76bd30d58155586e3c018a1ec55ee5999c7442bd924980620e22966d75e32b240f9bf871eab3d29a8184626958c3ec21ccbcb68ca9d3abfe9740bb

Download Submit
memory/1796-556-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1796-554-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-548-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-88-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-419-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-321-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-551-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-555-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-503-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-160-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-0-0x000007FEF540E000-0x000007FEF540F000-memory.dmp

Filesize
4KB

Download
memory/1968-159-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-320-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-56-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-15-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-4-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1968-2-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download