Overview
overview
10Static
static
5file.exe
windows7-x64
10file.exe
windows10-2004-x64
10lv copy.exe
windows7-x64
9lv copy.exe
windows10-2004-x64
9$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
34_ico.exe
windows7-x64
94_ico.exe
windows10-2004-x64
96_ico.exe
windows7-x64
96_ico.exe
windows10-2004-x64
9vpn_ico.exe
windows7-x64
9vpn_ico.exe
windows10-2004-x64
9lv.exe
windows7-x64
9lv.exe
windows10-2004-x64
9$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
34_ico.exe
windows7-x64
94_ico.exe
windows10-2004-x64
96_ico.exe
windows7-x64
96_ico.exe
windows10-2004-x64
9Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-11-2024 14:02
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
lv copy.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
lv copy.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
4_ico.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
4_ico.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
6_ico.exe
Resource
win7-20241023-en
Behavioral task
behavioral16
Sample
6_ico.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
vpn_ico.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
vpn_ico.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
lv.exe
Resource
win7-20240708-en
Behavioral task
behavioral20
Sample
lv.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
4_ico.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
4_ico.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
6_ico.exe
Resource
win7-20241010-en
General
-
Target
vpn_ico.exe
-
Size
1.7MB
-
MD5
bdb4c5b8c4c698e57631a3fa67609c7b
-
SHA1
30152fadedf4f7dbbe9ffe59c9e45724a1bd790b
-
SHA256
f50692b2d081d70f7f61acc5a412da98a76d62a2833630c0d9ce780c65369305
-
SHA512
aac48cedfed3c22359eb0276912348879ad0d9552ff20ea03e87119f2c4bf79c232c3a6c519ff7c1ab82e8786a1ac2f1ff423fbf1a75018e8a216d6b60460d8e
-
SSDEEP
24576:ZQuOSRRD6IHLmw6vZIjfX4T9S0PqJFdvCfQ+vPEjLolvvKLGxj:ZQAvHLX6SMT9xPqdCfQ+vsIlqK
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ vpn_ico.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 8 2572 WScript.exe 10 2572 WScript.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion vpn_ico.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion vpn_ico.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine vpn_ico.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 7 iplogger.org 8 iplogger.org -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1796 vpn_ico.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpn_ico.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 vpn_ico.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString vpn_ico.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1796 vpn_ico.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1796 wrote to memory of 2572 1796 vpn_ico.exe 32 PID 1796 wrote to memory of 2572 1796 vpn_ico.exe 32 PID 1796 wrote to memory of 2572 1796 vpn_ico.exe 32 PID 1796 wrote to memory of 2572 1796 vpn_ico.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\vpn_ico.exe"C:\Users\Admin\AppData\Local\Temp\vpn_ico.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rlmcxvter.vbs"2⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID:2572
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133B
MD5e84cf2f01c51a193055984e7cafc690a
SHA1803a27829e2835ccc091ecd0c04bb6f320ede76c
SHA2567a29f21f67eceb6f30285d039c56fccb5cd49e6d84e419e3441894fadec939f2
SHA51245d91ea88d9cabd5a2217bde78cf57f2743ff1877c3c3b9bb15d8f4097dab3b274e772b341b9446907243fdf2cbce1ccf3ebc9046d633cdd7e381beff631c6dd