Analysis
- max time kernel: 95s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2024 23:55
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: 23c707f9cc1a222d593738b5fcaf9d06da19104b83be91788c879f134800a851N.exe, win7-20240708-en
- behavioral2: 23c707f9cc1a222d593738b5fcaf9d06da19104b83be91788c879f134800a851N.exe, win10v2004-20240802-en
- behavioral3: $PLUGINSDIR/InstallOptions.dll, win7-20240903-en
- behavioral4: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240802-en
- behavioral5: $PLUGINSDIR/System.dll, win7-20240903-en
- behavioral6: $PLUGINSDIR/System.dll, win10v2004-20240802-en
- behavioral7: $TEMP/VVSNInst.exe, win7-20240708-en
- behavioral8: $TEMP/VVSNInst.exe, win10v2004-20240802-en
- behavioral9: $WINDIR/System32/dsaoms.dll, win7-20240903-en
- behavioral10: $WINDIR/System32/dsaoms.dll, win10v2004-20240910-en
- behavioral11: $WINDIR/System32/wkcajax.dll, win7-20240903-en
- behavioral12: $WINDIR/System32/wkcajax.dll, win10v2004-20240802-en
- behavioral13: Arcade!.exe, win7-20240903-en
- behavioral14: Arcade!.exe, win10v2004-20240802-en
- behavioral15: uninst.exe, win7-20240903-en
- behavioral16: uninst.exe, win10v2004-20240802-en
General
-
Target
$TEMP/VVSNInst.exe
-
Size
104KB
-
MD5
3e9c72f5b57307229d75fd5b8891593d
-
SHA1
a7b7b6e51994d12e019783aadd6ff50f9a69946e
-
SHA256
6b86ab399643aca6c8a519efd0feef4cae5c091ccc4d032c9f3b1d6a3e6df098
-
SHA512
45fae09c4bdfcacbb94389f57dfd6ab6acef96c8c14af23b79ab525621e838b2fad583391385c229d751fe0396da0e97fd000d4415ce613f88174c8891655827
-
SSDEEP
1536:CNEiWQnz7iuDuRLVy2z57NmWerZdDoLHSWIQeNIuGx4izmq6v0FhQf57XDgZu+QJ:Gny3UW0DorSWIQeNuU5AQfNDgZQKyUK
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (process: VVSNInst.exe)

Executes dropped EXE (1 IoCs)
- pid 3600, process VVSN.exe

Drops file in Program Files directory (5 IoCs)
- File opened for modification: C:\Program Files (x86)\VVSN\VVSN.exe (process: VVSNInst.exe)
- File opened for modification: C:\Program Files (x86)\VVSN\vvsn.cfg (process: VVSN.exe)
- File opened for modification: C:\Program Files (x86)\VVSN\SETC208.tmp (process: VVSNInst.exe)
- File opened for modification: C:\Program Files (x86)\VVSN\SETC209.tmp (process: VVSNInst.exe)
- File created: C:\Program Files (x86)\VVSN\SETC209.tmp (process: VVSNInst.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: VVSNInst.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: VVSN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: cmd.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2888 wrote to memory of 3600 (pid: 2888, process: VVSNInst.exe, procid_target: 82)
- PID 2888 wrote to memory of 3600 (pid: 2888, process: VVSNInst.exe, procid_target: 82)
- PID 2888 wrote to memory of 3600 (pid: 2888, process: VVSNInst.exe, procid_target: 82)
- PID 3600 wrote to memory of 1304 (pid: 3600, process: VVSN.exe, procid_target: 83)
- PID 3600 wrote to memory of 1304 (pid: 3600, process: VVSN.exe, procid_target: 83)
- PID 3600 wrote to memory of 1304 (pid: 3600, process: VVSN.exe, procid_target: 83)
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\VVSNInst.exe (PID: 2888)
Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\VVSNInst.exe"
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\VVSN\VVSN.exe (PID: 3600)
  Command line: "C:\Program Files (x86)\VVSN\VVSN.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID: 1304)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\WUSC2D3.bat "C:\Program Files (x86)\VVSN\VVSN.exe" "C:\Program Files (x86)\VVSN"
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads