cfac663ce6d6b69fa74c1e5dda175f82b4d3e83d4a52da8b0777fa707689211f

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

启动VK.exe
Size

44KB
MD5

b9d83695fd09784e44213c62a5f350fc
SHA1

e4d822e72d30badae5116263360c6d2ae1aaa819
SHA256

e6697e51280e96d33ca7cd8bef7d8590f30e8d01420e4666c5e7a8de8bb3093a
SHA512

610fa68978ae298e852e469f31c90038107a170e936c5461f35c658ff2edbe29e4fad89219e0603210ccf7dacc989722842d340495178615b30e93c70b181e8d
SSDEEP

384:lBdQaH8DN3lFWqSsToP1lyU0hmtHEL0hmEoP1ly+FWqSsCdQaH8DN3:lBdLcp1gsov9vHELaovJgpdLcp

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
316	1597908629.exe
10716	1597908629.exe

Loads dropped DLL 4 IoCs

pid	Process
2912	启动VK.exe
2912	启动VK.exe
316	1597908629.exe
316	1597908629.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	启动VK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1597908629.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	1597908629.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	1597908629.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1597908629.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	1597908629.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	1597908629.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
316	1597908629.exe
316	1597908629.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	316	1597908629.exe
Token: SeIncBasePriorityPrivilege	316	1597908629.exe
Token: 33	316	1597908629.exe
Token: SeIncBasePriorityPrivilege	316	1597908629.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2912	启动VK.exe
316	1597908629.exe
316	1597908629.exe
316	1597908629.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 316	2912	启动VK.exe	28
PID 2912 wrote to memory of 316	2912	启动VK.exe	28
PID 2912 wrote to memory of 316	2912	启动VK.exe	28
PID 2912 wrote to memory of 316	2912	启动VK.exe	28
PID 316 wrote to memory of 10716	316	1597908629.exe	29
PID 316 wrote to memory of 10716	316	1597908629.exe	29
PID 316 wrote to memory of 10716	316	1597908629.exe	29
PID 316 wrote to memory of 10716	316	1597908629.exe	29

C:\Users\Admin\AppData\Local\Temp\启动VK.exe
"C:\Users\Admin\AppData\Local\Temp\启动VK.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\v\1597908629.exe
  C:\Users\Admin\AppData\Local\Temp\v\1597908629.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\AppData\Local\Temp\v\1597908629.exe
    "C:\Users\Admin\AppData\Local\Temp\v\1597908629.exe"
    3⤵
    - Executes dropped EXE
    PID:10716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa6f4e6f15175d29ea2aaeaccc680dd1

SHA1
e20f2f177f48bc128a872105362c625354db9f20

SHA256
822e9e52b3839fa64b94ac3f5483e25ebe0e663f283860e603611bd20a8ed237

SHA512
2647b32b6faf9c472feda806754abe836cb0de455b8f275495d986c337b211bc6c464b243b9c43ba0a721fa93d2b2c1b9b06dd6db9c677600f27d1352eddadce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38e236e3041e524ba71a75ddb705d44f

SHA1
a3e9914ede6f787d506e46553c7a40f3417922fb

SHA256
93420b106e9619a243ec75c5962f91b99e1c8d4e865ae07a305988a39d3ca2b8

SHA512
eb3f973b56b7325c89f125ecdfea17dc805b44c35a6b4ba15a3a21a0d34cb5e15644e6b06cc8e41167656372c438febb0b5e0c7c20b37973d38b9f331402ff9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA5B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDA7D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\SEBDE3.tmp

Filesize
1024B

MD5
12871388b682b159ddd85545302a289d

SHA1
76b47377da188fcfddeefa0f940287f1cce9885d

SHA256
cc033f00e96cae1829e3a5c15150fe68a62f65440f1b158d9257370fbc488a9b

SHA512
d60953b62d08e52fa2860db257e2bdbaa97e7eff7007617857f7b30a76f7c7ba81f8444d313a6ad496adbbaede5af1661e72522046789bb9aee1340f7ac12c7d

Download Submit
\Users\Admin\AppData\Local\Temp\v\1597908629.exe

Filesize
2.1MB

MD5
9258e953a69effc9dfcfeafd537f628a

SHA1
cc790128e9c33d8c477431145493fdfe1121c930

SHA256
8026cdcce789155e7bb0b56dc8027f78775363e4c3dd6b5d2dc182dda85f7edd

SHA512
88a4f2c1044654cb1ebf50e9de0215111813527199fc5954627173032bbbce5300e5826a1f62f216634cf1c3109cc858f52e75277f45c52b0d12fedeef4a44fa

Download Submit
memory/316-518-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-578-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-546-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-544-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-542-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-540-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-538-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-536-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-534-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-532-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-530-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-528-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-526-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-524-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-522-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-520-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-556-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-517-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-15-0x0000000075D60000-0x0000000075DA7000-memory.dmp

Filesize
284KB

Download
memory/316-548-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-576-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-2253-0x00000000028F0000-0x0000000002A71000-memory.dmp

Filesize
1.5MB

Download
memory/316-574-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-572-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-570-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-564-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-562-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-560-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-558-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-554-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-552-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-550-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-566-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-7597-0x00000000030D0000-0x00000000032DE000-memory.dmp

Filesize
2.1MB

Download
memory/316-568-0x0000000002BA0000-0x0000000002CB1000-memory.dmp

Filesize
1.1MB

Download
memory/316-8124-0x00000000030D0000-0x00000000032DE000-memory.dmp

Filesize
2.1MB

Download
memory/316-8123-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/316-14-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/2912-13-0x0000000002BC0000-0x0000000002DCE000-memory.dmp

Filesize
2.1MB

Download
memory/2912-12-0x0000000002BC0000-0x0000000002DCE000-memory.dmp

Filesize
2.1MB

Download