Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-12-2024 03:47

General

  • Target

    VixenExternal/VixenLoader.exe

  • Size

    44.0MB

  • MD5

    07c2ff366c0b16862e6ca03dfcc94428

  • SHA1

    9c29ee175d18edb1478e6074cbf123fe655684f0

  • SHA256

    6d8b2f6d80ee783788c63d2428e1707a99cacd8cc2e3daf8c8d3c394b6f6f8bd

  • SHA512

    40bec9b10392836be19a167e2140f4044a9a72f76345c7b84472446814738d261173f2ed12387dcace104068309416a22b7390330331337365188cb9c5a3cbe5

  • SSDEEP

    786432:Jo1IpD9h6HHveoo3Zl/xvj44b2Lr1rcSr+oy3Mao+8vUQDcpLlylA:Jo1EhQHHveoSZRxp2Lrj+oyjocQw

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VixenExternal\VixenLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\VixenExternal\VixenLoader.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\VixenExternal\CatPublicFr.exe
      "C:\Users\Admin\AppData\Local\Temp\VixenExternal\CatPublicFr.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
        PID:3004
    • C:\Windows\Vixen Free.exe
      "C:\Windows\Vixen Free.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Users\Admin\AppData\Local\Temp\onefile_2972_133778440894412000\Stub.exe
        "C:\Windows\Vixen Free.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2988

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\onefile_2972_133778440894412000\python310.dll

      Filesize

      4.3MB

      MD5

      e4533934b37e688106beac6c5919281e

      SHA1

      ada39f10ef0bbdcf05822f4260e43d53367b0017

      SHA256

      2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

      SHA512

      fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

    • C:\Windows\Vixen Free.exe

      Filesize

      38.2MB

      MD5

      435ec84a9fa0cd8a5d979f139d529edd

      SHA1

      2cd983ba573163cd7cf34ff7e989e4773a1f1465

      SHA256

      6ce7962f45d3739810870c363f2bfab0e9cbfe448e5b5f1e6cfab829df610eb5

      SHA512

      5e138c594b1ac0be97ed772a2007765f5b887a71f4d2a009d5ac37f6074e78fe92a38a1d8abad560e7abfa4b78f7352e18647ec90ca8df4c014e550c1b1fe059

    • \Users\Admin\AppData\Local\Temp\VixenExternal\CatPublicFr.exe

      Filesize

      5.8MB

      MD5

      c3f1aa504cbc00e806fd878b4de40af1

      SHA1

      742600d2a375a730d1beb49b76240ae8998c4700

      SHA256

      bec581f8ae692c99513da0442dc92f8e8c29bbd15f8be6938e2a9d48a0a87d17

      SHA512

      452a934380ebe9ee0b456e04a3f0aec87e52a3d07ad30e65aa2e36fed331d166803e281f8e6c1bed8232cbbeec63d20bcfa04be918f994674b8fecbedf2e8239

    • memory/592-38-0x0000000140000000-0x0000000140B86000-memory.dmp

      Filesize

      11.5MB

    • memory/592-33-0x00000000775F0000-0x00000000775F2000-memory.dmp

      Filesize

      8KB

    • memory/592-36-0x00000000775F0000-0x00000000775F2000-memory.dmp

      Filesize

      8KB

    • memory/592-31-0x00000000775F0000-0x00000000775F2000-memory.dmp

      Filesize

      8KB

    • memory/592-30-0x00000000775E0000-0x00000000775E2000-memory.dmp

      Filesize

      8KB

    • memory/592-28-0x00000000775E0000-0x00000000775E2000-memory.dmp

      Filesize

      8KB

    • memory/592-26-0x00000000775E0000-0x00000000775E2000-memory.dmp

      Filesize

      8KB