Analysis
-
max time kernel
118s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17/11/2024, 08:42
Static task
static1
Behavioral task
behavioral1
Sample
36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe
Resource
win10v2004-20241007-en
General
-
Target
36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe
-
Size
82KB
-
MD5
f9755557f27ae40511f601f4603e30e0
-
SHA1
5874068fec9c0a057892c8c4c17c8a47cfde24ca
-
SHA256
36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5
-
SHA512
d5a39c664ef5f52806fecb54f1e0deeafc03b64a4bd80dee7b297fa4064f6b5e67d949b2abd9c45f554944f6672ce336563c53ec3b811f206f283ec7223824b9
-
SSDEEP
768:8embNRqsuhlGOBrhgFwumSCbxTGy/BBGg4NKJJKqUThbJ32+ve7i40vN0TlT+XkB:Wnqdu3abBGy3G8V0iuo5qkSZZZ3q
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" vcw.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" vcw.exe -
Executes dropped EXE 1 IoCs
pid Process 2652 vcw.exe -
Modifies system executable filetype association 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt vcw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" vcw.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: vcw.exe File opened (read-only) \??\J: vcw.exe File opened (read-only) \??\N: vcw.exe File opened (read-only) \??\O: vcw.exe File opened (read-only) \??\Q: vcw.exe File opened (read-only) \??\U: vcw.exe File opened (read-only) \??\X: vcw.exe File opened (read-only) \??\B: vcw.exe File opened (read-only) \??\Y: vcw.exe File opened (read-only) \??\P: vcw.exe File opened (read-only) \??\Z: vcw.exe File opened (read-only) \??\E: vcw.exe File opened (read-only) \??\M: vcw.exe File opened (read-only) \??\R: vcw.exe File opened (read-only) \??\S: vcw.exe File opened (read-only) \??\T: vcw.exe File opened (read-only) \??\L: vcw.exe File opened (read-only) \??\I: vcw.exe File opened (read-only) \??\K: vcw.exe File opened (read-only) \??\V: vcw.exe File opened (read-only) \??\W: vcw.exe File opened (read-only) \??\H: vcw.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created \??\c:\windows\SysWOW64\CommandPrompt.Sysm vcw.exe File created \??\c:\windows\SysWOW64\maxtrox.txt 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe File created \??\c:\windows\SysWOW64\Windows 3D.scr 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt vcw.exe File opened for modification \??\c:\windows\SysWOW64\Windows 3D.scr vcw.exe File created \??\c:\windows\SysWOW64\Desktop.sysm vcw.exe -
Drops file in Program Files directory 27 IoCs
description ioc Process File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe vcw.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.exe vcw.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmlaunch.exe vcw.exe File opened for modification \??\c:\Program Files\Windows Media Player\setup_wm.exe vcw.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpnetwk.exe vcw.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmprph.exe vcw.exe File opened for modification \??\c:\Program Files\7-Zip\7zG.exe vcw.exe File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe vcw.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe vcw.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe vcw.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\pingsender.exe vcw.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe vcw.exe File opened for modification \??\c:\Program Files\Internet Explorer\iexplore.exe vcw.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe vcw.exe File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe vcw.exe File opened for modification \??\c:\Program Files\7-Zip\7z.exe vcw.exe File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe vcw.exe File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe vcw.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe vcw.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe vcw.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe vcw.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\private_browsing.exe vcw.exe File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe vcw.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.exe vcw.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmpnscfg.exe vcw.exe File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.exe vcw.exe File opened for modification \??\c:\Program Files\Windows Media Player\wmplayer.exe vcw.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vcw.exe -
Modifies registry class 36 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" vcw.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon vcw.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command vcw.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm vcw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" vcw.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile vcw.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon vcw.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd vcw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt vcw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" vcw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt vcw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt vcw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command vcw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" vcw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" vcw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" vcw.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1680 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe 2652 vcw.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2652 1680 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe 83 PID 1680 wrote to memory of 2652 1680 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe 83 PID 1680 wrote to memory of 2652 1680 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe"C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe"c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2652
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
82KB
MD55567f115cf53f9f180a000676b23deb1
SHA1d5dca6370eccd30fa9f4170b4ac678cef174e449
SHA256b412f6aa47934aa162ebcc8e3a7569631734d90c15a8fea853af01120b16fff4
SHA512ab53cdb2d5d01552e8c1e123e7904d98552daa27b4f6d36861df292e577ad57249e9df675e00261246fd2ded3afad0d7b4126a68b35711081d5db0434e35347d
-
Filesize
82KB
MD5d7997f49f670d876e06d9b9b2e47b4b9
SHA1bda4eadba89c0cd4b43e2c42772a58db8178076b
SHA2563b01786c8166dc1e0596ea6a67e2367906eda66a8cb283de68d7a3f8b6fabd8e
SHA5120e62b520084398a8fed73d6334689a48100d623f03c14356c06aaa76a0c9f815165cfc0007cedf57ec155c245320d78d6e720ffaf1a6ac0955152e5f7d6fd001
-
Filesize
8B
MD524865ca220aa1936cbac0a57685217c5
SHA137f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062