Analysis
max time kernel: 75s
max time network: 75s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 06:07
Static task
static1
Behavioral tasks
behavioral1  5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe  win7-20241023-en
behavioral2  5438fc72599780bfe9b69d20345706d403088e71f4e84b794636762cff8fbc8bN.exe  win10v2004-20241007-en
behavioral3  $PLUGINSDIR/InstallOptions.dll  win7-20240903-en
behavioral4  $PLUGINSDIR/InstallOptions.dll  win10v2004-20241007-en
behavioral5  VirtualFDD.exe  win7-20240903-en
behavioral6  VirtualFDD.exe  win10v2004-20241007-en
behavioral7  uninst.exe  win7-20240903-en
behavioral8  uninst.exe  win10v2004-20241007-en
This page is the report for behavioral5: VirtualFDD.exe run on win7-20240903-en. The $PLUGINSDIR/InstallOptions.dll and uninst.exe samples are NSIS installer components unpacked from the submitted 5438fc72…N.exe, which is analysed separately in behavioral1 and behavioral2.
General
Target: VirtualFDD.exe
Size: 1.1MB
MD5: 1bfa59a2e75e7eb03425cedbe1f5188d
SHA1: f7fc483f3a07f9e163ef9740e863b4683e185d15
SHA256: 565322d626b984d9e9c4bb02897abe038abdfa2ba198a8c77963a507bb2bf68a
SHA512: afefba7c0095de3c77c857e5200f0bdac7820ac5aff64cb883f733ac20e299c357d19b1de46357c4bc3f699254adf339cacc8e1890f14f4855a28f5242a53ac7
SSDEEP: 12288:dd6MsBXQECj7eg7+bYQL9bzxXs/bTs2ayYI5VWEx3gkELzdYhNq2ehNHP8kpcu:n6McgE6aXPQbTfj+6g/sq20v8Ecu
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The report lists no individual IoCs for this signature.
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  VirtualFDD.exe
Note that Internet Explorer's own tab process (IEXPLORE.EXE) trips the same rule, so a single open of this key is weak evidence on its own; it is worth attention only together with other location-dependent behaviour, which this report does not show.
Modifies Internet Explorer settings (36 IoCs; signature name taken from the Processes section below)
All keys below are under \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ and are shown relative to it.
description        ioc                                                                                   Process
Set value (int)    Recovery\PendingRecovery\AdminActive = "0"                                            iexplore.exe
Set value (int)    TabbedBrowsing\NTPFirstRun = "1"                                                      iexplore.exe
Set value (data)   TabbedBrowsing\NewTabPage\LastProcessed = 509556b06d32db01                            iexplore.exe
Set value (int)    DomainSuggestion\NextUpdateDate = "437294298"                                         iexplore.exe
Key created        LowRegistry\DontShowMeThisDialogAgain                                                 iexplore.exe
Key created        PageSetup                                                                             iexplore.exe
Key created        Toolbar\WebBrowser                                                                    iexplore.exe
Key created        Main                                                                                  IEXPLORE.EXE
Key created        Recovery\PendingRecovery                                                              iexplore.exe
Set value (int)    SearchScopes\DownloadRetries = "3"                                                    iexplore.exe
Key created        TabbedBrowsing                                                                        iexplore.exe
Key created        LowRegistry                                                                           iexplore.exe
Key created        Zoom                                                                                  iexplore.exe
Set value (str)    Main\FullScreen = "no"                                                                iexplore.exe
Set value (int)    Recovery\PendingRecovery\AdminActive = "1"                                            iexplore.exe
Key created        IntelliForms                                                                          iexplore.exe
Set value (data)   TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000010533f58b07739e7babe61558b7289c39d83b6e0ba423dd975eb8a547444fd5c000000000e8000000002000020000000f9bcecc8ed79d32dec14114eec8aafe7c31655ced9b867a573e180662e941bfb20000000f99d25056a2284f890111c6631f25cacb7eefc9ab66cc5fd9296643339c16e344000000034151337cca73eae269e87b403d2dae90be00456c3268a7bfea7b32b16a3e95e1e882f22355f2211c25ba43e8c832b60538305a1c0153e5c993ff60948f9c486   iexplore.exe
Set value (data)   TabbedBrowsing\NewTabPage\MFV = (value elided in this copy of the report)             iexplore.exe
Key created        InternetRegistry                                                                      iexplore.exe
Set value (int)    Main\CompatibilityFlags = "0"                                                         iexplore.exe
Key created        Recovery\AdminActive                                                                  iexplore.exe
Key created        SearchScopes                                                                          iexplore.exe
Key created        TabbedBrowsing\NewTabPage                                                             iexplore.exe
Key created        BrowserEmulation\LowMic                                                               iexplore.exe
Set value (str)    Main\WindowsSearch\Version = "WS not running"                                         iexplore.exe
Key created        Toolbar                                                                               iexplore.exe
Key created        GPU                                                                                   iexplore.exe
Key created        IETld\LowMic                                                                          iexplore.exe
Key created        Main\WindowsSearch                                                                    iexplore.exe
Key created        Main\WindowsSearch                                                                    IEXPLORE.EXE
Set value (str)    Main\WindowsSearch\Version = "WS not running"                                         IEXPLORE.EXE
Key created        Main                                                                                  iexplore.exe
Set value (int)    Recovery\AdminActive\{DB504A81-9E60-11EF-BE3F-EA7747D117E6} = "0"                     iexplore.exe
Set value (data)   Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   iexplore.exe
Key created        DomainSuggestion                                                                      iexplore.exe
Key created        LowRegistry\DOMStorage                                                                iexplore.exe
Every one of these writes is made by iexplore.exe or IEXPLORE.EXE, not by VirtualFDD.exe: they are Internet Explorer's first-run housekeeping (tabbed browsing, recovery, zoom, search scope state) after being launched to open http://www.virtualfdd.com/. The DecayDateQueue value begins with the DPAPI blob header 01000000d08c9ddf0115d1118c7a00c04fc297eb, i.e. it is IE's own DPAPI-protected new-tab-page state.
Suspicious use of FindShellTrayWindow (1 IoCs)
pid    Process
2944   iexplore.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid    Process
1728   VirtualFDD.exe
2944   iexplore.exe (2 events)
2296   IEXPLORE.EXE (4 events)

Suspicious use of WriteProcessMemory (8 IoCs)
description                         pid    Process          procid_target
PID 1728 wrote to memory of 2944    1728   VirtualFDD.exe   30   (4 events)
PID 2944 wrote to memory of 2296    2944   iexplore.exe     31   (4 events)
Each WriteProcessMemory row is a parent writing into a child it has just started: VirtualFDD.exe into the iexplore.exe it launched, and iexplore.exe into its own tab process. Parent-to-child writes at process start are also produced by ordinary process creation, so on their own these rows are not evidence of code injection; they document the launch chain shown in full under Processes.
Processes
C:\Users\Admin\AppData\Local\Temp\VirtualFDD.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VirtualFDD.exe"
  PID: 1728
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.virtualfdd.com/
      PID: 2944
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      └ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:2
          PID: 2296
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
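As an added example (not part of the sandbox report or of the sandbox's own tooling), the script below reparses the flattened signature rows above: it splits each registry IoC into description, key, value and process, reports which processes opened the NLS\Language key that the System Language Discovery rule keys on, and collapses the eight WriteProcessMemory events into the parent-to-child launch chain. The sample rows are copied from this report; the function names, the regular expressions and the hard-coded T1614.001 key suffix are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample input: rows copied from the signature tables of the
# report above. Function names, regexes and the T1614.001 key suffix are this
# example's own assumptions, not a documented sandbox output format.
REGISTRY_ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VirtualFDD.exe",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe',
    r"Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe",
]
WPM_ROWS = [
    "PID 1728 wrote to memory of 2944 1728 VirtualFDD.exe 30",
    "PID 1728 wrote to memory of 2944 1728 VirtualFDD.exe 30",
    "PID 1728 wrote to memory of 2944 1728 VirtualFDD.exe 30",
    "PID 1728 wrote to memory of 2944 1728 VirtualFDD.exe 30",
    "PID 2944 wrote to memory of 2296 2944 iexplore.exe 31",
    "PID 2944 wrote to memory of 2296 2944 iexplore.exe 31",
    "PID 2944 wrote to memory of 2296 2944 iexplore.exe 31",
    "PID 2944 wrote to memory of 2296 2944 iexplore.exe 31",
]
# PID -> image name, taken from the Processes section of the report.
PROCESS_NAMES = {1728: "VirtualFDD.exe", 2944: "iexplore.exe", 2296: "IEXPLORE.EXE"}

DESCRIPTIONS = ("Key opened", "Key created",
                "Set value (int)", "Set value (str)", "Set value (data)")
# Assumption: the only key the language-discovery rule keys on is the one
# seen in this report (compared case-insensitively on the path suffix).
LANGUAGE_KEY_SUFFIX = r"\control\nls\language"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_registry_row(row):
    """Split one flattened 'description ioc Process' row into its columns.

    The process name is the last whitespace-separated token, the description
    is one of the fixed sandbox labels, and anything after ' = ' is the value
    (the key path itself may contain spaces, e.g. 'Internet Explorer').
    """
    rest, process = row.rsplit(None, 1)
    for desc in DESCRIPTIONS:
        if rest.startswith(desc + " "):
            rest = rest[len(desc) + 1:]
            break
    else:
        raise ValueError(f"unrecognised description in row: {row!r}")
    ioc, _, value = rest.partition(" = ")
    return {"description": desc, "ioc": ioc,
            "value": value or None, "process": process}


def language_discovery_processes(rows):
    """Processes that opened the NLS\\Language key (T1614.001), in order seen."""
    seen = []
    for parsed in map(parse_registry_row, rows):
        if (parsed["description"] == "Key opened"
                and parsed["ioc"].lower().endswith(LANGUAGE_KEY_SUFFIX)
                and parsed["process"] not in seen):
            seen.append(parsed["process"])
    return seen


def write_edges(rows):
    """Count WriteProcessMemory events per (writer pid, target pid) pair."""
    edges = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory row: {row!r}")
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def render_chain(edges, names):
    """Walk writer->target edges from the root, i.e. a pid nobody wrote into."""
    targets = {t for _, t in edges}
    roots = [w for w, _ in edges if w not in targets]
    if not roots:
        return ""
    chain, pid, visited = [], roots[0], set()
    while pid is not None and pid not in visited:  # visited guards against cycles
        visited.add(pid)
        chain.append(f"{names.get(pid, '?')} ({pid})")
        nxt = [t for w, t in edges if w == pid]
        pid = nxt[0] if nxt else None
    return " -> ".join(chain)


if __name__ == "__main__":
    print("NLS\\Language opened by:", language_discovery_processes(REGISTRY_ROWS))
    for (w, t), n in sorted(write_edges(WPM_ROWS).items()):
        print(f"{w} -> {t}: {n} WriteProcessMemory events")
    print(render_chain(write_edges(WPM_ROWS), PROCESS_NAMES))
```

Run as-is it reports both IEXPLORE.EXE and VirtualFDD.exe for the language key, four events on each of the two edges, and the chain VirtualFDD.exe (1728) -> iexplore.exe (2944) -> IEXPLORE.EXE (2296); feeding it the full 36-row Internet Explorer table from the report works the same way, since every row there follows the same three-column shape.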
Network
MITRE ATT&CK Enterprise v15
Downloads
The same path, C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015, is listed ten times with different content hashes, i.e. the file was written ten times during the run. CryptnetUrlCache is CryptoAPI's cache for URL retrievals made while building certificate chains (CRL, OCSP and AIA fetches), so these entries are a side effect of Internet Explorer opening http://www.virtualfdd.com/, not files dropped by VirtualFDD.exe.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
MD5: 958871d3e07d9f1f29e8da1746c478b6
SHA1: f56416e4ceaa61b10fab03b0c41fa0875780de65
SHA256: dd69b41c52e49f8afc7e8a3e129a4cd275d499cd948b2b0fa0129afa04b5fa23
SHA512: 5b003896c016ad8ad95eb1fbee714b6779047cda358a60d65f047558bc52c6be550005675d7842983461e1a2cdb965e985d8b3db47eb19d26cd46f7411d92998

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
MD5: 1b8bd8bea0c8d81c4fbebce85ce92153
SHA1: b910516b516c52d9bb20b22f11fe5e26a6be22d0
SHA256: 96e756d50e528941f38d0a7e1b89f870e2ae5897e9b2b217e955abcbd90a26a5
SHA512: 0d004078c23b49c54a65de3501325cbedef675a0a306619fa6fedb7bf5cf4c40fa48d5de55f28a26249608a50d94af67c711aece47fe1535f70fc1127baf851c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
MD5: 9adf5cc6dbf8acb46e6b513cdf0dd87e
SHA1: 2d55eb5d41e530efdf0136882b83ded6e04a4abf
SHA256: 1e219011f5bc1d085fd3eefd007d1af0611ffd81e5e0056d63ef126944688e3b
SHA512: 712acc367c3143d161d3eecff571032b5c89303a30b197d37cc0d49cd53571d3d5dc8ab5704af84cfe7842e8177aa5870575891e4dae5011a06ab82fa2341d3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
MD5: 2dccb4a2242aac87696f6abd3778202c
SHA1: 24f049eda903b74a43bb759e0a62b9be47ec94f0
SHA256: b477561ca2a82c2aa80cda2d339f624482bc501cd22f8e4501d0c79e3fd6e4b9
SHA512: bdf08e7da8ab29298159dcba0030d794127578135ac3dcb1c794965a4b16c5ec226803f52387ab3903d17136ee6e609b16902fbe2ff2f1d98603914e0d311927

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
MD5: 4df614eb5bc916becd5c0c5b70d285b7
SHA1: a9f026f794e2d6049c8bda9366a3e32fc5b3d8d0
SHA256: a4d0dfe60ad9e1f29cc803f871a4d9dd8d479b1bb66471c9bc6a81cfe3a9a0a4
SHA512: 7143cbe55dc477a7f050e0c43319a28cc8dc5d956a64bc7a7a6e73c87f50708b81b2868fc80c785df62c3ceda7267af03e62cb000b1882850753053f82bf0187

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
MD5: 97a5c11f01f8876811a16986da41a3ed
SHA1: be5a2201ba821caf3e1343970315c8a91a926660
SHA256: 15e6e27f4c74772c2bb6cefa0eb2c1263a84eb9ffe87dca2bfe85dd03662440d
SHA512: 272c4faacffbf0d38cf64a745537d095026cbe813fbff0edb9a537a03a579a8cd9d23f95d1f521aaab61e5ede33e8bcdcb90669358ba4f70ecfe22c27f6985eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
MD5: 93061a1a6fc8a69cd8d92f6107021c14
SHA1: 179f97fdbee2c917e30719f9287f7193e0b2be8d
SHA256: cdd5d4b9a5b69bbafca77c1108024f2ad3e3334755cc1e30e71651cf4f2b515d
SHA512: 42c0b0262049ed29f17b18e88407f9eb0403b44b58f61ba27e7f124247d30e7e3addec55b5cfb20570f53201e64e989fb4c07f0a9ec8727db7bc6a91c17c5197

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
MD5: 6769dd9040454a03363f05b13febb007
SHA1: 1c6e2937bec979222cae4d0e63f86b57f63685f3
SHA256: f49655485658b9ba6fadf1629aac4dd5c89d2733548db8565be02b6cbc12caae
SHA512: 7988907567c737cb177da45b7267a767c86319be18bc52c205f377d9ce9a1003db28fff978468b02b311990ab0cd781b5399df3d9860709455fd0b0850627a55

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
MD5: 089e8de24c4916901800f9b40133b4d0
SHA1: 84e8ba38d54720e13b69dfb6b74e058f53d66faf
SHA256: bde82737106f8aef4c05c5fd947eed741da8763015f1fd85e36230efb64639ee
SHA512: c63a5eb6c809f0597d6ad27f8ebc58d0931acfc83aa6a86819fb1dc5dc918349c8f523069acebb78c9d60bb980fd5bed311c9bc1b5a601b3d08671d385b7b945

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (342B)
MD5: 7ac9e2b0239e38eefcde69a343d83a3f
SHA1: 827ff38ed8bb1afd5722e21161d9c6953cbd24c6
SHA256: 247b96d4327e919f2a22cee5df3cd44dc2ce3e6fd9ddb66392fc9506a1e266cd
SHA512: 306eae4fd4501471f2e6f1c1d0784a239c07c6517480aa65992c5f3649bfd136e6bd37573807742c784a2a9051877821914f240b3a14afb254bf64113aa17c55
(path not recorded in the report) (70KB)
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

(path not recorded in the report) (181KB)
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b