General
Target: VTRL_2.1.8_x64_en-US.msi.zip
Size: 3.3MB
Sample: 240817-scvywa1gjh
MD5: a27975f80147b92aa948fe97f0048f17
SHA1: b9c21faa4fa9a51d51eeb7b50a90180a78a1f1cd
SHA256: 4843c07c144fd8975ebf73ab7ea110c36ba0207d15444e0dae041aea01fc0187
SHA512: fe7965f8d3522b2781d82f1614a4ceec69087e442223d9ecf42c72862967bf5b4054a6481fa66eadff70e610be53f25a677baf54c26a6a418dac74df7ba129e0
SSDEEP: 98304:2TowL4svUiw2pwngDZMZntWJtvUmpv8mL:KzL4ow2KnPZ0vUo
Static task: static1
Behavioral task: behavioral1
Sample: VTRL_2.1.8_x64_en-US.msi
Resource: win10v2004-20240802-en
Malware Config
Targets
Target: VTRL_2.1.8_x64_en-US.msi
Size: 3.3MB
MD5: 782cc6839587559457932619a853681f
SHA1: 3be67bb5c011d4cc9d893a21021751b8c29ff012
SHA256: 7ad28e6c71df60dc5c8271e23370a7f8090c09a989286944d0e40ff2cad31ba9
SHA512: 4dc4c17457410ba9addb222763b683a3de1663bb4d640a06c373b20717f0c7ac934e7f48fb426a7b14a3fce68bd292ac38e1d391727f6132b48e3a736a65b794
SSDEEP: 98304:rTowL4svUiw2pwngDZMZntWJtvUmpv8m:nzL4ow2KnPZ0vU
- Clears Windows event logs
- Blocklisted process makes network request
- Possible privilege escalation attempt
- Modifies file permissions
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Event Triggered Execution: Image File Execution Options Injection
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Active Setup 1
Browser Extensions 1
Event Triggered Execution 3
Component Object Model Hijacking 1
Image File Execution Options Injection 1
Installer Packages 1
Power Settings 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Active Setup 1
Event Triggered Execution 3
Component Object Model Hijacking 1
Image File Execution Options Injection 1
Installer Packages 1
Defense Evasion
File and Directory Permissions Modification 1
Hide Artifacts 1
Ignore Process Interrupts 1
Indicator Removal 2
Clear Windows Event Logs 1
File Deletion 1
Modify Registry 5
System Binary Proxy Execution 1
Msiexec 1
Discovery
Browser Information Discovery 1
Network Share Discovery 1
Peripheral Device Discovery 2
Query Registry 7
System Information Discovery 7
System Location Discovery 1
System Language Discovery 1
System Network Configuration Discovery 1
Internet Connection Discovery 1
System Time Discovery 1