Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24/08/2024, 03:14
Behavioral task
behavioral1
Sample
VANTA private.exe
Resource
win7-20240705-en
windows7-x64
17 signatures
150 seconds
Behavioral task
behavioral2
Sample
VANTA private.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
VANTA private.exe
-
Size
2.7MB
-
MD5
df31ea01796208c0dceb8a5cf56ffbae
-
SHA1
634007f056d056b6a87e9d776591f5c899090576
-
SHA256
d448511350e143ce0ee7df4cc015c6e4b62fe41fc0eb14ac8eded0440e736866
-
SHA512
d6b551b497f2037ef96ae8fa50f2bd0d9f65539fe140469b7d936c2508feaa9fd0176c6a582338fc411052c1462c21d71f4717e80e1f50d877873a93598baafe
-
SSDEEP
49152:WXzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEVIkRW:WXzhW148Pd+Tf1mpcOldJQ3/V6
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ VANTA private.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ icsys.icn.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion VANTA private.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion icsys.icn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion VANTA private.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion icsys.icn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe -
Executes dropped EXE 5 IoCs
pid Process 3496 icsys.icn.exe 2904 explorer.exe 1072 spoolsv.exe 3708 svchost.exe 3856 spoolsv.exe -
resource yara_rule behavioral2/memory/3120-0-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/files/0x00070000000234c9-9.dat themida behavioral2/files/0x00080000000234cc-16.dat themida behavioral2/memory/2904-18-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/files/0x00080000000234ce-26.dat themida behavioral2/memory/1072-28-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/files/0x00080000000234d0-35.dat themida behavioral2/memory/3708-37-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/3856-46-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/3496-51-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/3120-52-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/1072-49-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/2904-53-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/3708-55-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/2904-78-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/3708-79-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/2904-80-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral2/memory/2904-88-0x0000000000400000-0x0000000000A16000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA icsys.icn.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA VANTA private.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 3120 VANTA private.exe 3496 icsys.icn.exe 2904 explorer.exe 1072 spoolsv.exe 3708 svchost.exe 3856 spoolsv.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe VANTA private.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VANTA private.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3120 VANTA private.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 3496 icsys.icn.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2904 explorer.exe 3708 svchost.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2512 taskmgr.exe Token: SeSystemProfilePrivilege 2512 taskmgr.exe Token: SeCreateGlobalPrivilege 2512 taskmgr.exe Token: 33 2512 taskmgr.exe Token: SeIncBasePriorityPrivilege 2512 taskmgr.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
pid Process 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe -
Suspicious use of SendNotifyMessage 47 IoCs
pid Process 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe 2512 taskmgr.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3120 VANTA private.exe 3120 VANTA private.exe 3496 icsys.icn.exe 3496 icsys.icn.exe 2904 explorer.exe 2904 explorer.exe 1072 spoolsv.exe 1072 spoolsv.exe 3708 svchost.exe 3708 svchost.exe 3856 spoolsv.exe 3856 spoolsv.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3120 wrote to memory of 3496 3120 VANTA private.exe 86 PID 3120 wrote to memory of 3496 3120 VANTA private.exe 86 PID 3120 wrote to memory of 3496 3120 VANTA private.exe 86 PID 3496 wrote to memory of 2904 3496 icsys.icn.exe 90 PID 3496 wrote to memory of 2904 3496 icsys.icn.exe 90 PID 3496 wrote to memory of 2904 3496 icsys.icn.exe 90 PID 2904 wrote to memory of 1072 2904 explorer.exe 91 PID 2904 wrote to memory of 1072 2904 explorer.exe 91 PID 2904 wrote to memory of 1072 2904 explorer.exe 91 PID 1072 wrote to memory of 3708 1072 spoolsv.exe 92 PID 1072 wrote to memory of 3708 1072 spoolsv.exe 92 PID 1072 wrote to memory of 3708 1072 spoolsv.exe 92 PID 3708 wrote to memory of 3856 3708 svchost.exe 93 PID 3708 wrote to memory of 3856 3708 svchost.exe 93 PID 3708 wrote to memory of 3856 3708 svchost.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\VANTA private.exe"C:\Users\Admin\AppData\Local\Temp\VANTA private.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120 -
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3856
-
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2512
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD5bfc60beb9c3172499479b56c56e4deb3
SHA1f239a5480f83594deeeae72871a0ff94f4d2aa0c
SHA256d53f1948b3d79d97ac738fa3dbcfeefa301c77c99691e1902a80b009f89ab792
SHA51294603c670cbe80c360987eb9012b49a40261cf24f9339b2655e70d45f401bd803cf616275b7ba0f014885b7ee6c5f774a88661d5bd3c524e9954e99858cd52cb
-
Filesize
2.6MB
MD5d74d80fb13174ab7f44bae29f16a7ce9
SHA17e2a7b26523bdb70df50ca924e8ae348a08cc168
SHA256be7cb333ce60a4e5d3cc325dd52e14e43277bc8ec874be6bc414dc7995e04787
SHA512beb01a47787f02b72e56ae35a5973dabdf72c98b401b9bb714a84498707b987a0f5f6feb521081fdeed2f0d8daf38b3a6b7a718c772ddde8d43351611d4664ef
-
Filesize
2.6MB
MD5045689eaa51f9aff14d2c42ac5cedb2c
SHA1a6adb544a2568c38dbdf0b62119cab1f4e2e6d39
SHA25626333178c3e6bd50cb7b49ba86c76a76272bf5ddf0c0eec17c33da991e386775
SHA5128176d231b80b9808ee03a55ec4c1c42a7ac840fd9ab438ba73045864be88be8275832197fe68c4a5292960fc82a58ecb27435448a03e18d47915632f875f7bf0
-
Filesize
2.6MB
MD5462bdfa07d9f74e38f78ff0088d0f531
SHA19268ca5eae7a2a5dd9b6191a540ff7c84794e5e1
SHA25689cfe016451d5d1ffc172282ed6237d30792f8040a54f035fc91dca67ea00e24
SHA512052212e4320b066e512a575d619a7a356f3ebac3fc2fb94ec03ebcecf41ea065a3f6f165c89e12d41e498c3b3fb50e9a320d88f2795467ad62de4fbb2f2fd8e2