Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 23:55

General

  • Target

    $TEMP/VVSNInst.exe

  • Size

    104KB

  • MD5

    3e9c72f5b57307229d75fd5b8891593d

  • SHA1

    a7b7b6e51994d12e019783aadd6ff50f9a69946e

  • SHA256

    6b86ab399643aca6c8a519efd0feef4cae5c091ccc4d032c9f3b1d6a3e6df098

  • SHA512

    45fae09c4bdfcacbb94389f57dfd6ab6acef96c8c14af23b79ab525621e838b2fad583391385c229d751fe0396da0e97fd000d4415ce613f88174c8891655827

  • SSDEEP

    1536:CNEiWQnz7iuDuRLVy2z57NmWerZdDoLHSWIQeNIuGx4izmq6v0FhQf57XDgZu+QJ:Gny3UW0DorSWIQeNuU5AQfNDgZQKyUK

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\VVSNInst.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\VVSNInst.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Program Files (x86)\VVSN\VVSN.exe
      "C:\Program Files (x86)\VVSN\VVSN.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\WUSC2D3.bat "C:\Program Files (x86)\VVSN\VVSN.exe" "C:\Program Files (x86)\VVSN"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1304

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\VVSN\SETC208.tmp

    Filesize

    105KB

    MD5

    7ad334ca884ec3f530e74a9f65aa31d8

    SHA1

    002604de30046dc6ac584b33a0420b4a0243618a

    SHA256

    dc650ce050e5c46667914a5e458a20168581e187f10157ecf126326d6ac88b8e

    SHA512

    2c4b37189f94329b5a80adf5bafea837637f9e80a6526f46dd963bd483530a0944c70b1ae27ccadc0564f7744e1ea774d73021fa6cee229d0c152f93b64b5ce2

  • C:\Users\Admin\AppData\Local\Temp\WUSC2D3.bat

    Filesize

    60B

    MD5

    e66bf37298e45dd9199ab7b4accfdf98

    SHA1

    1ab55502b3b286433d856db395f0b868479be750

    SHA256

    d4b48799b640fe943ec361104f72f23eb80c0382ba3212474ed2afab512fc154

    SHA512

    90075c6a8791211ceb4aa2f72587b589290f9755bb8cdba5a268d03fafd4aea3064beeee1ea6d157a51e828028c1bed6b339bf9df00f012222d4ae53af2f4a34