a8eb804aed19ff28f8125358d3e2349afd613e423c081fd6b027a0ea345c2886

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Versium Research/Versium.exe
Size

746KB
MD5

393d6260e39b68b2d60300e4f62ebc83
SHA1

16c58c5b7dee3ce4c3a40925ba4eed3c188faf46
SHA256

e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3
SHA512

d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198
SSDEEP

6144:d/QiQXCz5m+ksmpk3U9j0IMsoxvjFEOTb9WmZX/8shzdsY4CpHPhnBvudg:VQi3zc6m6UR0IMp1hf39Wkv8xwJB2i

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1888	Versium.tmp

Loads dropped DLL 4 IoCs

pid	Process
2524	Versium.exe
1888	Versium.tmp
1888	Versium.tmp
1888	Versium.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Versium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Versium.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1888	2524	Versium.exe	30
PID 2524 wrote to memory of 1888	2524	Versium.exe	30
PID 2524 wrote to memory of 1888	2524	Versium.exe	30
PID 2524 wrote to memory of 1888	2524	Versium.exe	30
PID 2524 wrote to memory of 1888	2524	Versium.exe	30
PID 2524 wrote to memory of 1888	2524	Versium.exe	30
PID 2524 wrote to memory of 1888	2524	Versium.exe	30

C:\Users\Admin\AppData\Local\Temp\Versium Research\Versium.exe
"C:\Users\Admin\AppData\Local\Temp\Versium Research\Versium.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\is-28H4K.tmp\Versium.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-28H4K.tmp\Versium.tmp" /SL5="$4014E,506127,422400,C:\Users\Admin\AppData\Local\Temp\Versium Research\Versium.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-28H4K.tmp\Versium.tmp

Filesize
1.0MB

MD5
baec3f13d8997ecbe4460979102ed0b5

SHA1
438d163c5629b89cad5ba953a881afdb9624a998

SHA256
b41f017498a1d43c409cc2c5840e31972858c59e83abf26ff9528c9908c7abbe

SHA512
b4e14a3bc115ae816e3117d15b9a19f29d00322bd32112745d241f3452ffa52ef3db710397ce80972a443dc066fadbc161d1617b728430bf542edfef16a32125

Download Submit
\Users\Admin\AppData\Local\Temp\is-PSK2I.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PSK2I.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
memory/1888-14-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1888-22-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2524-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2524-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2524-24-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download