Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

VirtualTab...up.exe

windows10-1703-x64

8

Resubmissions

30/09/2024, 12:01

240930-n68dvaycja 8

30/09/2024, 11:54

240930-n2219stenl 8

30/09/2024, 11:44

240930-nwdfqatcjj 7

Analysis

  • max time kernel
    383s
  • max time network
    390s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    30/09/2024, 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirtualTabletServer_v3.1.3_setup.exe

  • Size

    29.4MB

  • MD5

    a8e73dd218f4e724f1ba4215d0d8e1f7

  • SHA1

    999190ea75801c292d04a16cdc91f119989fa98e

  • SHA256

    0310ad0d2c0dc62100055c5e96add680cc0426b259af77cf4e0dd80664cf48c2

  • SHA512

    fa38fd150ca9341500a316cb7adea24f74c6df30309d1766338374ce08ec6d1bbf80d6c8b1bafbe97e33e3c0395cca2ef97a141af979f56746d6d2bb30ce2a23

  • SSDEEP

    393216:8BkqKoRZ4QZ2RCV+5XPw6VBb26k1Tn/BnrBXRt1euiY6SnadV+mgG1MKcibQSIpU:qZ4Jc0X7x3yBr9RtriYdnKMiY8ubFC

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Manipulates Digital Signatures 1 TTPs 1 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Program Files directory 40 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 38 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirtualTabletServer_v3.1.3_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\VirtualTabletServer_v3.1.3_setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5088
    • C:\Windows\TEMP\{99C4E754-D33F-4249-B911-8570EC8AE147}\.cr\VirtualTabletServer_v3.1.3_setup.exe
      "C:\Windows\TEMP\{99C4E754-D33F-4249-B911-8570EC8AE147}\.cr\VirtualTabletServer_v3.1.3_setup.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\VirtualTabletServer_v3.1.3_setup.exe" -burn.filehandle.attached=504 -burn.filehandle.self=500
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\TEMP\{7D0B6928-CAE4-4298-8BEC-C8758A46DF37}\.be\VirtualTabletServer_v3.1.3_setup.exe
        "C:\Windows\TEMP\{7D0B6928-CAE4-4298-8BEC-C8758A46DF37}\.be\VirtualTabletServer_v3.1.3_setup.exe" -q -burn.elevated BurnPipe.{7C56EACB-5A4F-4047-9C1E-8FA09E7D9A46} {82C69605-6957-4F06-B8C3-AA1F863287F5} 4460
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\system32\srtasks.exe
          C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:356
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2144
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    PID:3584
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Program Files\VirtualTablet Server\Drivers\DrvInst.exe
      "C:\Program Files\VirtualTablet Server\Drivers\DrvInst.exe" install vmulti.inf djpnewton\vmulti
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      PID:1220
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "1" "c:\program files\virtualtablet server\drivers\vmulti.inf" "9" "4b03c492f" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "c:\program files\virtualtablet server\drivers"
      2⤵
      • Manipulates Digital Signatures
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c5c7731f-396c-6d4a-b41d-3de87d26d906} Global\{0d74509b-662e-bd4c-8710-2040ec10ab82} C:\Windows\System32\DriverStore\Temp\{f372a1da-f271-3940-af4b-f2b0c727b3d0}\vmulti.inf C:\Windows\System32\DriverStore\Temp\{f372a1da-f271-3940-af4b-f2b0c727b3d0}\vmulti.cat
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        PID:4564
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem3.inf" "vmulti.inf:c14ce884b67bbc5d:vmulti.Inst:16.53.52.383:djpnewton\vmulti," "4b03c492f" "0000000000000178"
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e58b9b9.rbs
    Filesize

    16KB

    MD5

    77f66d384b111d62a81f19bcfbc64030

    SHA1

    6f33721dc4647be2821399d89cdd77fd80d05489

    SHA256

    f6e3a8319c91c70d117757644dd92095147129816138309b07bf68f16dae66e9

    SHA512

    0e186c7653aac60e86c4cb0dbe6e4e3bdd537d5f512c729e5c6a37c1da33549f7e1b54cf2118c1644ce750062d3f2f185856cc994317c0a522547cc4c7a81cfa

    Download Submit

  • C:\Program Files\VirtualTablet Server\Drivers\DrvInst.exe
    Filesize

    554KB

    MD5

    4733136b4866c29a1f6cb077449917c3

    SHA1

    bf6eb11f32fefc93f4c5c6fece060aca18f38156

    SHA256

    a5979e5320bc93e0c862b465b6442eae3a9bf93b46fdf196dde7909f331fe47c

    SHA512

    4bc8f380c5328ddeee4a2b0f0dd8ec857ec14726764a8f03134f649ee0df07141f316162c1299fda8c35fb5181d8f264e159d2a6e9aa73e1198f51533542a202

    Download Submit

  • C:\Program Files\VirtualTablet Server\Drivers\vmulti.inf
    Filesize

    2KB

    MD5

    72f61f9b84dd54dc761d9a40c49ffdc3

    SHA1

    d97de8e3b2b7722009933fbf64a9376243bf7f22

    SHA256

    a752ed816ab1259da2e3c9a1ccfd55af86b11c1638b7f8ed76b4c8749bccb07d

    SHA512

    ca52bf508a445e4f1ebb8c8429db07f7aaf17b8445fe02604d6512e9daaf6aaceee713c7194891729d121291e140b6b93e8517cfe9c6e29ac34a34dc7b5f223b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\VirtualTablet_Server_20240930115913_000_AppInstaller.msi.log
    Filesize

    1KB

    MD5

    9c1dce361d28bf08b010ba7982d78ab6

    SHA1

    32ce0219c18747368a551db8f939bac9f66044c3

    SHA256

    da5d4b7c7178475985b7c4cb2e4e946e9529bb612cabd77b990b59f93c5a9ed0

    SHA512

    36572e4bb3f2371d1bf855eca124aaffec68760fb2f40130e25e3ea5494fa5da36e25d66333d0242a34adcfca19a89cfb403de92488ecde47dbd97fb9673d176

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{7D0B6928-CAE4-4298-8BEC-C8758A46DF37}\AppInstaller.msi
    Filesize

    29.5MB

    MD5

    8b8fb0b409bc8b50abd8f55c10130590

    SHA1

    40819fe7b0c258edaa8be6a65bcabdb245e7d6af

    SHA256

    ce21efe9ec03f5799de9fb2edbb75c92261176a0ff34b124dcce3750764c7470

    SHA512

    17a3007afe108720930c686d374c042c8b17e513d12e9f2c0240a96211075ad3d4b05a1696037620ea9acb55ccaa8df7cd6465bdd5979fa8119eeb7a97daf09d

    Download Submit

  • C:\Windows\INF\oem3.PNF
    Filesize

    10KB

    MD5

    620d82e53682bfcceca8e0f2b50f357e

    SHA1

    e34cdce860816f337fa1f349077c2aaf8e44b7d9

    SHA256

    39d106bd9a8502cf7ae409ade2a82bd1228874c93db697e90eb1be1929fa25bc

    SHA512

    ecc17691804a4ffeb3bbfef17e13f007d8694a0fae02f50f01092ba8d5cf03827a721c39b026353f9298a2db8782188d5f33aca8c3502885e57b1436488f98da

    Download Submit

  • C:\Windows\System32\DriverStore\FileRepository\vmulti.inf_amd64_8055adba11dd5eee\vmulti.PNF
    Filesize

    10KB

    MD5

    2935310a6a5c7908245e063d9367c5b8

    SHA1

    0291c39bc7b227489ba79228114166c1fc9ca040

    SHA256

    238825c7061c310015b36991d068fde2ababc991e9a8288d4550f684715c3a04

    SHA512

    672f88b93826528e609615e4a603481e9f11edcd0cf9b9b0ddd137115251fb71eb59e1837fea51706c5176b060d4f66d7bf0b92154b4ff725169150fb3bd06c6

    Download Submit

  • C:\Windows\Temp\{7D0B6928-CAE4-4298-8BEC-C8758A46DF37}\.ba\logo.png
    Filesize

    4KB

    MD5

    c4b419eb2db55b63793791f008996449

    SHA1

    8e3e3fd449dafe6231bfd2ca5a511e8a3a497b92

    SHA256

    05a28f83ccdd456177a35213a83a1d78a1fd563fa88eb4dd17f612fc32b92437

    SHA512

    0fe00d342f15ba5ed1636f56e5e20a936f5abe99d1ffae517922dbfdd6a662117f6d67ae801bc9a7058af5219daf5537fe7c324cd429e9a89fc1779c38f0c8e0

    Download Submit

  • C:\Windows\Temp\{99C4E754-D33F-4249-B911-8570EC8AE147}\.cr\VirtualTabletServer_v3.1.3_setup.exe
    Filesize

    1.3MB

    MD5

    69a542c2422f4f539ac40ce9397c9935

    SHA1

    5d58ec90b036e9945bdff1bf4fbb52a92ede0e00

    SHA256

    253bf36a09e7f5c4bc7d5dfade9e3f544b9a6e352b917bc3929c49024bdf9dd2

    SHA512

    2e4023ad4faa30677d231432864d9205ee5fd9634803bedb08dca51bf86e95255d172c5f296072ff908349032f593abe3a659813ffa5543dc5b212b747921131

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    26.0MB

    MD5

    79fa4650b0869439af977a5a5c660aa5

    SHA1

    f970fc5f3b41281566a74217f81ec8a0dac95457

    SHA256

    34e49abb26d00ad46c5300efc5a9e7d8c8eb90fa611ac4fa16d65c84e466efb8

    SHA512

    ebb46942cd07716534d0739435c011cdebc426976624bdddf3c16036e52c2a9eee25f6bf05689e5a130202983df9e160485a87d60fb110abfa7db3d6bfa3962f

    Download Submit

  • \??\Volume{4f38e779-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5116cbb4-2324-4ccd-8f4e-6709cb566d4b}_OnDiskSnapshotProp
    Filesize

    5KB

    MD5

    300b720ce650f9b5155c8a1924fd05c3

    SHA1

    14723269d98a4510a0bfcd08daba0a305f329435

    SHA256

    5039120ee0d6e67203078ef8b5e2b9b6c17517b0628f5878560405a4ce104e41

    SHA512

    021ad5f9d3941bb63701712b72381b89ebc8944ecf583236525bf721dae33940ff977b0823ad2258bef3144e3f0c2b49b89472fbc2da3c4257c9980cf74926d1

    Download Submit

  • \??\c:\PROGRA~1\VIRTUA~1\drivers\WdfCoInstaller01011.dll
    Filesize

    1.7MB

    MD5

    d10864c1730172780c2d4be633b9220a

    SHA1

    b85d02ba0e8de4aeded1a2f5679505cd403bd201

    SHA256

    f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2

    SHA512

    c161bfa9118e04eb60a885bf99758843c4b1349ac58d2e501dabbd7efc0480ec902ac9a2be16f850b218e97b022a90fcc44925d7b6e5113766621f7ade38b040

    Download Submit

  • \??\c:\PROGRA~1\VIRTUA~1\drivers\vmulti.sys
    Filesize

    9KB

    MD5

    73f306df9e8525b23600b6f00cd41392

    SHA1

    4a5c5fc5da4857bbe0a2e9fe3ed41516b85ccba5

    SHA256

    73902926ef3ce9c8f6b337284c90956e2e4717309f8aef4d0c7ba0394eab3664

    SHA512

    a0018cef5bf77290a4b69a51939deab4a0f685a849b07b769d9fea43ebd9bb5eeffd7d8b8a7042d4436fe5ba6439e8ba8d33dd55d4257d15c19e3eb6f2aa8049

    Download Submit

  • \??\c:\program files\virtualtablet server\drivers\vmulti.cat
    Filesize

    8KB

    MD5

    84977b85e9e1d90d5c9dc3dbca70a75b

    SHA1

    eb0b57fb397b557f2ef15893137632ebffe95fee

    SHA256

    77d6367bd52f307fdef58b7246c944423ef6c7d136676acc651d5bee0f3d7d1e

    SHA512

    5886c3570b55ebe874ce6c1cc6fc59241ae06f934ff26ad4c61a9e4d4197c4164d8ce78ea1ef7a72d37284ccbcfecd2ba35a6896dd0a34299dce95ab3b4cde27

    Download Submit

  • \Windows\Temp\{7D0B6928-CAE4-4298-8BEC-C8758A46DF37}\.ba\wixstdba.dll
    Filesize

    366KB

    MD5

    ae30aef6b62a24b80c560773264c7f47

    SHA1

    fc1befa879bc5c1d43440830c7155f51103d7a59

    SHA256

    64ae3ecfb170f00f83e7ca4dee61a23023d48b22b79d0a28f13c52c133172cca

    SHA512

    994e3052a30e91f6731a0bae3bd20395dd648cfa9bfcb4283c4c7bb4539161e3c8cb67f355cfef5c2172cb0c7692f8acfbdca1cb185ab20148120c67d89dd53c

    Download Submit

  • memory/5000-212-0x00007FF6EA960000-0x00007FF6EAA81000-memory.dmp

    Filesize

    1.1MB

    Download