262fac5a082726b317e738f86688aa64e1c84c402f444e061487dc6f54fa069f

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VSeeFace/VSeeFace.exe
Size

635KB
MD5

9563b46fe7df442172a569f2c90f8231
SHA1

a9cd7810d711e6e613f87608a47492fa1b100adb
SHA256

0011d598ab64aab694d405dd280306adfcc8f2627e0af2252b0ec4dc8419bacc
SHA512

ed62afbe9254f8e7b5b2f289077ac44e61ac768886da0693ad85b9fafff195c75e129bfbe27c23509b50878da8f7ad81654222e96f5a5e416d16acbb61c4b3d8
SSDEEP

3072:Pys7oYfSbbQTLWuiUg7VsS4jMvN0AeUNEizWOFgyPIkL3ukqfuF:P/7oYfSHQPWTUg4ht+zWqgyVf

Score

1^/10

Malware Config

Signatures

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

VSeeFace.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	VSeeFace.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	VSeeFace.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	VSeeFace.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 3028 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3028 AUDIODG.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

VSeeFace.exe

pid process

3360 VSeeFace.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

VSeeFace.exe

description pid process target process

PID 3360 wrote to memory of 4904 3360 VSeeFace.exe UnityCrashHandler64.exe
PID 3360 wrote to memory of 4904 3360 VSeeFace.exe UnityCrashHandler64.exe

description	pid	process
Token: 33	3028	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3028	AUDIODG.EXE

pid	process
3360	VSeeFace.exe

description	pid	process	target process
PID 3360 wrote to memory of 4904	3360	VSeeFace.exe	UnityCrashHandler64.exe
PID 3360 wrote to memory of 4904	3360	VSeeFace.exe	UnityCrashHandler64.exe

C:\Users\Admin\AppData\Local\Temp\VSeeFace\VSeeFace.exe
"C:\Users\Admin\AppData\Local\Temp\VSeeFace\VSeeFace.exe"
1⤵
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Local\Temp\VSeeFace\UnityCrashHandler64.exe
"C:\Users\Admin\AppData\Local\Temp\VSeeFace\UnityCrashHandler64.exe" --attach 3360 2164143165440
2⤵
PID:4904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x530
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Emiliana_vt\VSeeFace\settings.ini
Filesize
175B

MD5
abd113c3199d90dcfe9fea676c21ba5a

SHA1
48e45e2532e9e17ef438a4e43391a7a65ed453b8

SHA256
eeb89bde8456586db4ea345eb3b010fea5e1f41902a975f3b3f9b1df39e914d2

SHA512
427672ab5a5abc690019de5b357a21dfceb95285e794cbb766b2e5779e56f4f1ac3211b9befb44c43102db5e9cfa1bbd897caaebe186a273f66a7df26898a7b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Emiliana_vt\VSeeFace\settings.ini
Filesize
703B

MD5
6fd127f7842fb3a2bbcb887456e5bab5

SHA1
989e7e11ec295dd6344e9de7b8b5b5393e2543ec

SHA256
95d56880f61bd11e6656db1f3376779e504c447d0a8501d521771c9e830624d0

SHA512
cc1f46c584a07de7b3a208052d336860676f253021431a3fadd2720dd91f741c792be131434e2b56f2baf6eab39fae58edf299be884b81107c86196a7c855d2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Emiliana_vt\VSeeFace\settings.ini
Filesize
139B

MD5
56469a8d0666299020206ea9cd180f6d

SHA1
67c95995443b42bfea2b47a402e942c10e98f9bb

SHA256
29eb89002600ce6d0ffee7fc7dcbecf4e88938dc3eecf37c9c2a61e94a1240dc

SHA512
930323fedd03d946e09086c4f1343f589556c0aad07b42098a15ed9831ddb4ae23838a4b1df878b3af113df0c92c9ce6880789fd82de118e33221444979c4cf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Emiliana_vt\VSeeFace\settings.ini
Filesize
29B

MD5
7186ab3466d1fecbeaad7f0f075df97a

SHA1
f5552ff61b8fd2f4530848483f81fe5adec178fe

SHA256
37a93155ff507ea3328345ef224ff43fe770d2e26cd7eaa303b2e5c45dd54149

SHA512
75218b57ff10713e47de466824cc51716b08d4d720fd6f31dfdd3f9efd581502df315aa523948053f144f81be76735c6226dace4e3b3f8286b5e8fb45c7bb654

Download Submit
memory/3360-1-0x000001F7E28D0000-0x000001F7E28E0000-memory.dmp

Filesize
64KB

Download
memory/3360-0-0x000001F7E2B90000-0x000001F7E2BA0000-memory.dmp

Filesize
64KB

Download
memory/3360-169-0x000001F7E28D0000-0x000001F7E28E0000-memory.dmp

Filesize
64KB

Download
memory/3360-168-0x000001F7E2B90000-0x000001F7E2BA0000-memory.dmp

Filesize
64KB

Download