23c707f9cc1a222d593738b5fcaf9d06da19104b83be91788c879f134800a851

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/VVSNInst.exe
Size

104KB
MD5

3e9c72f5b57307229d75fd5b8891593d
SHA1

a7b7b6e51994d12e019783aadd6ff50f9a69946e
SHA256

6b86ab399643aca6c8a519efd0feef4cae5c091ccc4d032c9f3b1d6a3e6df098
SHA512

45fae09c4bdfcacbb94389f57dfd6ab6acef96c8c14af23b79ab525621e838b2fad583391385c229d751fe0396da0e97fd000d4415ce613f88174c8891655827
SSDEEP

1536:CNEiWQnz7iuDuRLVy2z57NmWerZdDoLHSWIQeNIuGx4izmq6v0FhQf57XDgZu+QJ:Gny3UW0DorSWIQeNuU5AQfNDgZQKyUK

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2928	VVSN.exe

Loads dropped DLL 5 IoCs

pid	Process
2680	VVSNInst.exe
2680	VVSNInst.exe
2928	VVSN.exe
2928	VVSN.exe
2928	VVSN.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\VVSN\VVSN.exe	VVSNInst.exe
File opened for modification	C:\Program Files (x86)\VVSN\vvsn.cfg	VVSN.exe
File opened for modification	C:\Program Files (x86)\VVSN\SET62C8.tmp	VVSNInst.exe
File opened for modification	C:\Program Files (x86)\VVSN\SET62C9.tmp	VVSNInst.exe
File created	C:\Program Files (x86)\VVSN\SET62C9.tmp	VVSNInst.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	VVSNInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VVSNInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VVSN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2680	VVSNInst.exe
Token: SeRestorePrivilege	2680	VVSNInst.exe
Token: SeRestorePrivilege	2680	VVSNInst.exe
Token: SeRestorePrivilege	2680	VVSNInst.exe
Token: SeRestorePrivilege	2680	VVSNInst.exe
Token: SeRestorePrivilege	2680	VVSNInst.exe
Token: SeRestorePrivilege	2680	VVSNInst.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2928	2680	VVSNInst.exe	30
PID 2680 wrote to memory of 2928	2680	VVSNInst.exe	30
PID 2680 wrote to memory of 2928	2680	VVSNInst.exe	30
PID 2680 wrote to memory of 2928	2680	VVSNInst.exe	30
PID 2680 wrote to memory of 2928	2680	VVSNInst.exe	30
PID 2680 wrote to memory of 2928	2680	VVSNInst.exe	30
PID 2680 wrote to memory of 2928	2680	VVSNInst.exe	30
PID 2928 wrote to memory of 2828	2928	VVSN.exe	31
PID 2928 wrote to memory of 2828	2928	VVSN.exe	31
PID 2928 wrote to memory of 2828	2928	VVSN.exe	31
PID 2928 wrote to memory of 2828	2928	VVSN.exe	31
PID 2928 wrote to memory of 2828	2928	VVSN.exe	31
PID 2928 wrote to memory of 2828	2928	VVSN.exe	31
PID 2928 wrote to memory of 2828	2928	VVSN.exe	31

C:\Users\Admin\AppData\Local\Temp\$TEMP\VVSNInst.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\VVSNInst.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files (x86)\VVSN\VVSN.exe
  "C:\Program Files (x86)\VVSN\VVSN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\WUS6336.bat "C:\Program Files (x86)\VVSN\VVSN.exe" "C:\Program Files (x86)\VVSN"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\VVSN\SET62C8.tmp

Filesize
105KB

MD5
7ad334ca884ec3f530e74a9f65aa31d8

SHA1
002604de30046dc6ac584b33a0420b4a0243618a

SHA256
dc650ce050e5c46667914a5e458a20168581e187f10157ecf126326d6ac88b8e

SHA512
2c4b37189f94329b5a80adf5bafea837637f9e80a6526f46dd963bd483530a0944c70b1ae27ccadc0564f7744e1ea774d73021fa6cee229d0c152f93b64b5ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUS6336.bat

Filesize
60B

MD5
e66bf37298e45dd9199ab7b4accfdf98

SHA1
1ab55502b3b286433d856db395f0b868479be750

SHA256
d4b48799b640fe943ec361104f72f23eb80c0382ba3212474ed2afab512fc154

SHA512
90075c6a8791211ceb4aa2f72587b589290f9755bb8cdba5a268d03fafd4aea3064beeee1ea6d157a51e828028c1bed6b339bf9df00f012222d4ae53af2f4a34

Download Submit