Analysis
max time kernel
117s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted
13-09-2024 20:46
Static task
static1
Behavioral task
behavioral1
Sample
ef57a4d074b6e37051ce9317cc2d06f0N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
ef57a4d074b6e37051ce9317cc2d06f0N.exe
Resource
win10v2004-20240910-en
General
Target
ef57a4d074b6e37051ce9317cc2d06f0N.exe
Size
82KB
MD5
ef57a4d074b6e37051ce9317cc2d06f0
SHA1
d0a9697d4f48c0387b5e73d1d3bf3400a88d172f
SHA256
1bdf993e05d10e0e18dbacda4135f247600802acd2800fc712f179146660584b
SHA512
86b3654e3c63d647e81d05f335b18185826b02dd5a4b3a00cf60b1a56f3c58a38b957c419137d86c414b05477485f6dcc4d191656692755c0b7b35c68780d4e3
SSDEEP
768:rZVy+DZ4mV+RMO2rhgFwuqCbxTGy/BBGg4NKhLU4dhbDW2+Kv00dX0vN0TlT+Xy5:Bamlu3hbBGy3G8nhMpHKvw816C
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" vcw.exe
Executes dropped EXE 1 IoCs
pid Process
1664 vcw.exe
Loads dropped DLL 4 IoCs
pid Process
2204 ef57a4d074b6e37051ce9317cc2d06f0N.exe
1664 vcw.exe
1664 vcw.exe
1664 vcw.exe
Modifies system executable filetype association 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt vcw.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" vcw.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\E: vcw.exe
File opened (read-only) \??\I: vcw.exe
File opened (read-only) \??\J: vcw.exe
File opened (read-only) \??\N: vcw.exe
File opened (read-only) \??\Q: vcw.exe
File opened (read-only) \??\R: vcw.exe
File opened (read-only) \??\W: vcw.exe
File opened (read-only) \??\X: vcw.exe
File opened (read-only) \??\B: vcw.exe
File opened (read-only) \??\G: vcw.exe
File opened (read-only) \??\H: vcw.exe
File opened (read-only) \??\K: vcw.exe
File opened (read-only) \??\L: vcw.exe
File opened (read-only) \??\P: vcw.exe
File opened (read-only) \??\S: vcw.exe
File opened (read-only) \??\T: vcw.exe
File opened (read-only) \??\U: vcw.exe
File opened (read-only) \??\Y: vcw.exe
File opened (read-only) \??\V: vcw.exe
File opened (read-only) \??\M: vcw.exe
File opened (read-only) \??\O: vcw.exe
File opened (read-only) \??\Z: vcw.exe
Drops file in System32 directory 6 IoCs
description ioc Process
File created \??\c:\windows\SysWOW64\maxtrox.txt ef57a4d074b6e37051ce9317cc2d06f0N.exe
File created \??\c:\windows\SysWOW64\Windows 3D.scr ef57a4d074b6e37051ce9317cc2d06f0N.exe
File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt vcw.exe
File opened for modification \??\c:\windows\SysWOW64\Windows 3D.scr vcw.exe
File created \??\c:\windows\SysWOW64\Desktop.sysm vcw.exe
File created \??\c:\windows\SysWOW64\CommandPrompt.Sysm vcw.exe
Drops file in Program Files directory 34 IoCs
description ioc Process
File opened for modification \??\c:\Program Files\Mozilla Firefox\pingsender.exe vcw.exe
File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Media Player\wmpenc.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Media Player\wmplayer.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe vcw.exe
File opened for modification \??\c:\Program Files\7-Zip\7z.exe vcw.exe
File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe vcw.exe
File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe vcw.exe
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Journal\PDIALOG.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Sidebar\sidebar.exe vcw.exe
File opened for modification \??\c:\Program Files\7-Zip\7zG.exe vcw.exe
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe vcw.exe
File opened for modification \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe vcw.exe
File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Media Player\WMPDMC.exe vcw.exe
File opened for modification \??\c:\Program Files\Internet Explorer\iexplore.exe vcw.exe
File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Defender\MpCmdRun.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Mail\wab.exe vcw.exe
File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe vcw.exe
File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe vcw.exe
File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe vcw.exe
File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe vcw.exe
File opened for modification \??\c:\Program Files\Mozilla Firefox\private_browsing.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Defender\MSASCui.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Media Player\wmpnscfg.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe vcw.exe
File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Media Player\wmlaunch.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Media Player\wmpnetwk.exe vcw.exe
File opened for modification \??\c:\Program Files\Windows Media Player\wmprph.exe vcw.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcw.exe
Modifies registry class 36 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon vcw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt vcw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" vcw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" vcw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command vcw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" vcw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" vcw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command vcw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt vcw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" vcw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt vcw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm vcw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" vcw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon vcw.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd vcw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt ef57a4d074b6e37051ce9317cc2d06f0N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command ef57a4d074b6e37051ce9317cc2d06f0N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile vcw.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2204 ef57a4d074b6e37051ce9317cc2d06f0N.exe
1664 vcw.exe
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target
PID 2204 wrote to memory of 1664 2204 ef57a4d074b6e37051ce9317cc2d06f0N.exe 29
PID 2204 wrote to memory of 1664 2204 ef57a4d074b6e37051ce9317cc2d06f0N.exe 29
PID 2204 wrote to memory of 1664 2204 ef57a4d074b6e37051ce9317cc2d06f0N.exe 29
PID 2204 wrote to memory of 1664 2204 ef57a4d074b6e37051ce9317cc2d06f0N.exe 29
PID 2204 wrote to memory of 1664 2204 ef57a4d074b6e37051ce9317cc2d06f0N.exe 29
PID 2204 wrote to memory of 1664 2204 ef57a4d074b6e37051ce9317cc2d06f0N.exe 29
PID 2204 wrote to memory of 1664 2204 ef57a4d074b6e37051ce9317cc2d06f0N.exe 29
Processes
C:\Users\Admin\AppData\Local\Temp\ef57a4d074b6e37051ce9317cc2d06f0N.exe
"C:\Users\Admin\AppData\Local\Temp\ef57a4d074b6e37051ce9317cc2d06f0N.exe"
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe" ef57a4d074b6e37051ce9317cc2d06f0N
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1664
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 1
Change Default File Association 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Event Triggered Execution 1
Change Default File Association 1
Defense Evasion
Hide Artifacts 1
Hidden Files and Directories 1
Modify Registry 3