Overview
Score: 7

Task | Platform | Score
Static | - | 3
Mechvibes.....4.exe | windows7-x64 | 7
Mechvibes.....4.exe | windows10-2004-x64 | 7
$PLUGINSDIR/INetC.dll | windows7-x64 | 3
$PLUGINSDIR/INetC.dll | windows10-2004-x64 | 3
$PLUGINSDI...ls.dll | windows7-x64 | 3
$PLUGINSDI...ls.dll | windows10-2004-x64 | 3
$PLUGINSDI...em.dll | windows7-x64 | 3
$PLUGINSDI...em.dll | windows10-2004-x64 | 3
$PLUGINSDIR/UAC.dll | windows7-x64 | 3
$PLUGINSDIR/UAC.dll | windows10-2004-x64 | 3
$PLUGINSDI...ll.dll | windows7-x64 | 3
$PLUGINSDI...ll.dll | windows10-2004-x64 | 3
LICENSES.c...m.html | windows7-x64 | 3
LICENSES.c...m.html | windows10-2004-x64 | 3
Mechvibes.exe | windows7-x64 | 7
Mechvibes.exe | windows10-2004-x64 | 7
d3dcompiler_47.dll | windows10-2004-x64 | 1
ffmpeg.dll | windows7-x64 | 1
ffmpeg.dll | windows10-2004-x64 | 1
natives_blob.js | windows7-x64 | 3
natives_blob.js | windows10-2004-x64 | 3
resources/app.js | windows7-x64 | 3
resources/app.js | windows10-2004-x64 | 3
resources/...ild.js | windows7-x64 | 3
resources/...ild.js | windows10-2004-x64 | 3
resources/...k.node | ubuntu-24.04-amd64 | 1
resources/...ok.dll | windows7-x64 | 1
resources/...ok.dll | windows10-2004-x64 | 1
resources/...ok.dll | windows7-x64 | 1
resources/...ok.dll | windows10-2004-x64 | 1
resources/...k.node | ubuntu-24.04-amd64 | 1
resources/...ok.dll | windows7-x64 | 1

Analysis
- max time kernel: 145s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2024, 04:00
Static task: static1

Behavioral tasks:
Task | Sample | Resource
behavioral1 | Mechvibes.Setup.2.3.4.exe | win7-20240903-en
behavioral2 | Mechvibes.Setup.2.3.4.exe | win10v2004-20241007-en
behavioral3 | $PLUGINSDIR/INetC.dll | win7-20240903-en
behavioral4 | $PLUGINSDIR/INetC.dll | win10v2004-20241007-en
behavioral5 | $PLUGINSDIR/StdUtils.dll | win7-20240903-en
behavioral6 | $PLUGINSDIR/StdUtils.dll | win10v2004-20241007-en
behavioral7 | $PLUGINSDIR/System.dll | win7-20240903-en
behavioral8 | $PLUGINSDIR/System.dll | win10v2004-20241007-en
behavioral9 | $PLUGINSDIR/UAC.dll | win7-20241010-en
behavioral10 | $PLUGINSDIR/UAC.dll | win10v2004-20241007-en
behavioral11 | $PLUGINSDIR/WinShell.dll | win7-20240729-en
behavioral12 | $PLUGINSDIR/WinShell.dll | win10v2004-20241007-en
behavioral13 | LICENSES.chromium.html | win7-20240903-en
behavioral14 | LICENSES.chromium.html | win10v2004-20241007-en
behavioral15 | Mechvibes.exe | win7-20240903-en
behavioral16 | Mechvibes.exe | win10v2004-20241007-en
behavioral17 | d3dcompiler_47.dll | win10v2004-20241007-en
behavioral18 | ffmpeg.dll | win7-20240903-en
behavioral19 | ffmpeg.dll | win10v2004-20241007-en
behavioral20 | natives_blob.js | win7-20240903-en
behavioral21 | natives_blob.js | win10v2004-20241007-en
behavioral22 | resources/app.js | win7-20241010-en
behavioral23 | resources/app.js | win10v2004-20241007-en
behavioral24 | resources/app.asar.unpacked/node_modules/iohook/build.js | win7-20240729-en
behavioral25 | resources/app.asar.unpacked/node_modules/iohook/build.js | win10v2004-20241007-en
behavioral26 | resources/app.asar.unpacked/node_modules/iohook/builds/electron-v73-linux-x64/build/Release/iohook.node | ubuntu2404-amd64-20240523-en
behavioral27 | resources/app.asar.unpacked/node_modules/iohook/builds/electron-v73-win32-x64/build/Release/iohook.dll | win7-20241010-en
behavioral28 | resources/app.asar.unpacked/node_modules/iohook/builds/electron-v73-win32-x64/build/Release/iohook.dll | win10v2004-20241007-en
behavioral29 | resources/app.asar.unpacked/node_modules/iohook/builds/electron-v73-win32-x64/build/Release/uiohook.dll | win7-20240903-en
behavioral30 | resources/app.asar.unpacked/node_modules/iohook/builds/electron-v73-win32-x64/build/Release/uiohook.dll | win10v2004-20241007-en
behavioral31 | resources/app.asar.unpacked/node_modules/iohook/builds/node-v64-linux-x64/build/Release/iohook.node | ubuntu2404-amd64-20240523-en
behavioral32 | resources/app.asar.unpacked/node_modules/iohook/builds/node-v64-win32-x64/build/Release/iohook.dll | win7-20240903-en
General
- Target: Mechvibes.exe
- Size: 95.3MB
- MD5: 52dcd08a6dd8231427585bbdf933c836
- SHA1: 2e2a08e1c162a1206a1baae6ba998bad07ca24c6
- SHA256: 269fa9d2aa1d126ffe5bb592c27fff9d5ca89816445ecde01c9a2d1deb199734
- SHA512: fdd690bd9efb7e2c62da18ab7f446556634d89240d93ada371609b15b9a2da7dc697641ef17e8972f993a4149876bb0984f715396c508ad8afd9cb8b23c09906
- SSDEEP: 1572864:mxbuVoAiIAhnzjGfG3RTLQt90hXgFSWqx/:2plI/4gMX
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | Mechvibes.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | Mechvibes.exe
- Modifies registry class (7 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\mechvibes\shell\open\command | Mechvibes.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\mechvibes\shell | Mechvibes.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\mechvibes\shell\open | Mechvibes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\mechvibes\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Mechvibes.exe\" \"%1\"" | Mechvibes.exe
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\mechvibes | Mechvibes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\mechvibes\URL Protocol | Mechvibes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\mechvibes\ = "URL:mechvibes" | Mechvibes.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1964 | Mechvibes.exe
  1964 | Mechvibes.exe
  4176 | Mechvibes.exe
  4176 | Mechvibes.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: 33 | 3756 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3756 | AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2252 | Mechvibes.exe
  2252 | Mechvibes.exe
  2252 | Mechvibes.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  2252 | Mechvibes.exe
  2252 | Mechvibes.exe
  2252 | Mechvibes.exe
- Suspicious use of SetWindowsHookEx (10 IoCs)
  pid | Process
  1964 | Mechvibes.exe
  1964 | Mechvibes.exe
  1964 | Mechvibes.exe
  1964 | Mechvibes.exe
  1964 | Mechvibes.exe
  1964 | Mechvibes.exe
  1964 | Mechvibes.exe
  1964 | Mechvibes.exe
  1964 | Mechvibes.exe
  1964 | Mechvibes.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
  description | pid | Process | procid_target
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 3692 | 2252 | Mechvibes.exe | 84
  PID 2252 wrote to memory of 1964 | 2252 | Mechvibes.exe | 85
  PID 2252 wrote to memory of 1964 | 2252 | Mechvibes.exe | 85
  PID 2252 wrote to memory of 4176 | 2252 | Mechvibes.exe | 88
  PID 2252 wrote to memory of 4176 | 2252 | Mechvibes.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\Mechvibes.exe (PID 2252)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Mechvibes.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Mechvibes.exe (PID 3692, child of 2252)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Mechvibes.exe" --type=gpu-process --field-trial-handle=1796,7203671115739980942,10272303479653518444,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --gpu-preferences=IAAAAAAAAADgAAAgAAAAAAAAYAAAAAAACAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAABQAAABAAAAAAAAAAAAAAAAYAAAAQAAAAAAAAAAEAAAAFAAAAEAAAAAAAAAABAAAABgAAAA== --service-request-channel-token=14807217088803434100 --mojo-platform-channel-handle=1808 --ignored=" --type=renderer " /prefetch:2
  - C:\Users\Admin\AppData\Local\Temp\Mechvibes.exe (PID 1964, child of 2252)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Mechvibes.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1796,7203671115739980942,10272303479653518444,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --no-sandbox --no-zygote --preload="C:\Users\Admin\AppData\Local\Temp\resources\app.asar\src\app.js" --background-color=#fff --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=4050098726134516696 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2336 /prefetch:1
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\Mechvibes.exe (PID 4176, child of 2252)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Mechvibes.exe" --type=gpu-process --field-trial-handle=1796,7203671115739980942,10272303479653518444,131072 --disable-features=LayoutNG,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=IAAAAAAAAADgAAAgAAAAAAAAYAAAAAAACAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAABQAAABAAAAAAAAAAAAAAAAYAAAAQAAAAAAAAAAEAAAAFAAAAEAAAAAAAAAABAAAABgAAAA== --service-request-channel-token=17807465090904256083 --mojo-platform-channel-handle=3452 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 4604)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE (PID 3756)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4ac 0x50c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads