| Field | Value |
|---|---|
| File name: | VBCABLE_A_B_Driver_Pack43.zip |
| Full analysis: | https://app.any.run/tasks/cd0b6362-15af-47e4-a662-569760c1861e |
| Verdict: | Malicious activity |
| Analysis date: | December 22, 2023, 13:50:46 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | — |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract |
| MD5: | 094F53B935B5B8C15175D1D4DAAB8F1E |
| SHA1: | 7DD0329EC5D32CC1127EBD62EF1A36F2FDB981D1 |
| SHA256: | 4D23903C4AA4D9E2C4F320A7989D071AF9FA822D852814AEEB3F905E03128FD0 |
| SSDEEP: | 98304:cDRVYD+AYKZ9sYbFdIk/5lsCLABGyYI3ioupXNe6NeEqWbMcVcSfmLvvZRnAJhPL:oLNhQ9gu |
| Extension | Identified type |
|---|---|
| .zip | ZIP compressed archive (100) |

| ZIP header field | Value |
|---|---|
| ZipRequiredVersion: | 10 |
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2015:10:19 16:33:54 |
| ZipCRC: | 0xddadde54 |
| ZipCompressedSize: | 1087106 |
| ZipUncompressedSize: | 1087106 |
| ZipFileName: | VBCABLE_B_Driver_Pack43.zip |
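The ZIP header fields listed above (required version, bit flag, compression method, DOS modify date, CRC-32, compressed and uncompressed sizes, entry name) are read straight from the archive's local file headers. The following parser is an added example, not ANY.RUN's code and not part of the VB-Audio package: it builds a stand-in archive in memory (a stored outer zip holding a nested zip, named and dated like the first entry above, with placeholder bytes in place of the real driver files) and walks the central directory to each local header, cross-checking the entry name and CRC between the two structures. The function names and the sample contents are this example's own assumptions.

```python
"""Parse a ZIP archive's local file headers (reached via the central directory)
and report the fields shown in the ZIP metadata table.

Added example, not ANY.RUN's code. The archive is constructed in memory:
a stored (uncompressed) outer zip whose only entry is a nested zip named
VBCABLE_B_Driver_Pack43.zip with the same modify date as the report.
Payload bytes are placeholders, not the real driver pack.
"""
import io
import struct
import zipfile
import zlib
from datetime import datetime

LOCAL_SIG, CENTRAL_SIG = 0x04034B50, 0x02014B50
LOCAL_FMT = "<IHHHHHIIIHH"          # 30-byte local file header
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<IHHHHIIH"              # 22-byte end-of-central-directory record
COMPRESSION = {0: "None", 8: "Deflate", 12: "BZip2", 14: "LZMA", 99: "AES"}


def dos_datetime(date_word, time_word):
    """Unpack an MS-DOS packed date/time (epoch 1980, 2-second resolution)."""
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def find_eocd(data):
    """Locate the EOCD record by scanning back over the optional archive comment."""
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    return struct.unpack_from(EOCD_FMT, data, pos)


def parse_zip(data):
    """Return one dict per entry, built from the local header and cross-checked
    against the central directory. A name or CRC that differs between the two
    is a classic way to make a scanner and an extractor see different contents."""
    (_, _, _, _, count, _cd_size, cd_offset, _) = find_eocd(data)
    entries, pos = [], cd_offset
    for _ in range(count):
        c = struct.unpack_from(CENTRAL_FMT, data, pos)
        if c[0] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %#x" % pos)
        c_name_len, c_extra_len, c_comment_len, local_off = c[10], c[11], c[12], c[16]
        c_name = data[pos + 46: pos + 46 + c_name_len].decode("cp437")
        pos += 46 + c_name_len + c_extra_len + c_comment_len

        (sig, version, flags, method, mtime, mdate, crc, csize, usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, local_off)
        if sig != LOCAL_SIG:
            raise ValueError("bad local header signature at %#x" % local_off)
        name = data[local_off + 30: local_off + 30 + name_len].decode("cp437")
        if flags & 0x8:                           # data descriptor: sizes and CRC follow
            crc, csize, usize = c[7], c[8], c[9]  # the data, so use the central copies
        body_start = local_off + 30 + name_len + extra_len
        body = data[body_start: body_start + csize]

        if method == 0:
            payload = body
        elif method == 8:
            payload = zlib.decompress(body, -15)  # raw deflate stream, no zlib header
        else:
            payload = None
        crc_ok = payload is not None and (zlib.crc32(payload) & 0xFFFFFFFF) == crc

        entries.append({
            "ZipFileName": name,
            "ZipRequiredVersion": version,        # 10 means "at least v1.0 to extract"
            "ZipBitFlag": flags,
            "ZipCompression": COMPRESSION.get(method, "unknown(%d)" % method),
            "ZipModifyDate": dos_datetime(mdate, mtime).strftime("%Y:%m:%d %H:%M:%S"),
            "ZipCRC": "0x%08x" % crc,
            "ZipCompressedSize": csize,
            "ZipUncompressedSize": usize,
            "crc_ok": crc_ok,
            "central_name_matches": name == c_name,
            "payload": payload,
        })
    return entries


def build_sample_archive():
    """Constructed sample: a deflated inner zip stored uncompressed in an outer zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("vbaudio_cablea_win7.cat", b"placeholder, not the real catalog file")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        info = zipfile.ZipInfo("VBCABLE_B_Driver_Pack43.zip",
                               date_time=(2015, 10, 19, 16, 33, 54))
        info.compress_type = zipfile.ZIP_STORED
        z.writestr(info, inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for e in parse_zip(build_sample_archive()):
        for k, v in e.items():
            if k != "payload":
                print("%-22s %s" % (k + ":", v))
        for n in parse_zip(e["payload"]):  # the entry is itself an archive: recurse one level
            print("  nested: %s (%s, crc_ok=%s)" % (n["ZipFileName"], n["ZipCompression"], n["crc_ok"]))
```

On the real sample, ZipCompression of None is why ZipCompressedSize and ZipUncompressedSize are the same 1087106 bytes; the `crc_ok` and `central_name_matches` flags are what to look at when an extractor and a scanner disagree about what an archive contains.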
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 552 | rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1306230b-ddfb-326e-aca7-6969d7348d72} Global\{32541860-c44d-5a2a-611d-fb57deb3a044} C:\Windows\System32\DriverStore\Temp\{159a2e61-230b-1306-98c6-1521fb889129}\vbmmecablea_win7.inf C:\Windows\System32\DriverStore\Temp\{159a2e61-230b-1306-98c6-1521fb889129}\vbaudio_cablea_win7.cat | C:\Windows\System32\rundll32.exe | — | drvinst.exe | admin | Microsoft Corporation | HIGH | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 664 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{759f3b78-9716-51fe-43d1-cd3abf9cd105}\vbmmecablea_win7.inf" "0" "66a81b357" "00000330" "WinSta0\Default" "000004BC" "208" "c:\users\admin\downloads" | C:\Windows\System32\drvinst.exe | — | svchost.exe | SYSTEM | Microsoft Corporation | SYSTEM | Driver Installation Module | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 680 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft® Volume Shadow Copy Service | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1404 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2184.4209\VBCABLE_A_Driver_Pack43.zip | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.91.0 |
| 2184 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\VBCABLE_A_B_Driver_Pack43.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.91.0 |
| 2268 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 1 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2328 | "C:\Users\admin\Downloads\VBCABLE_Setup.exe" | C:\Users\admin\Downloads\VBCABLE_Setup.exe | — | explorer.exe | admin | VB-AUDIO Software | MEDIUM | VB-AUDIO Virtual Cable Installer | 3221226540 | 1, 0, 3, 8 |
| 2432 | "C:\Users\admin\Downloads\VBCABLE_Setup.exe" | C:\Users\admin\Downloads\VBCABLE_Setup.exe | — | explorer.exe | admin | VB-AUDIO Software | HIGH | VB-AUDIO Virtual Cable Installer | 0 | 1, 0, 3, 8 |

Exit code 3221226540 of PID 2328 is 0xC000042C (STATUS_ELEVATION_REQUIRED): the MEDIUM-integrity launch of VBCABLE_Setup.exe could not proceed without elevation, and the same command line then ran as PID 2432 at HIGH integrity with exit code 0. DrvInst.exe (PID 664, SYSTEM) is the driver installation module; the .inf it was handed sits under C:\Users\admin\AppData\Local\Temp\, and its rundll32 child (PID 552, pnpui.dll,InstallSecurityPromptRunDllW) is the driver-installation security prompt, whose arguments reference the copies of vbmmecablea_win7.inf and vbaudio_cablea_win7.cat staged under C:\Windows\System32\DriverStore\Temp\.
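A triage pass over the process table, as an added example that is not ANY.RUN's or VB-Audio's code: it decodes exit codes as NTSTATUS values (3221226540 is 0xC000042C, STATUS_ELEVATION_REQUIRED), pairs the MEDIUM-integrity installer launch that failed with that status with the HIGH-integrity run of the identical command line, and pulls the .inf and .cat paths out of the DrvInst.exe and rundll32 pnpui.dll,InstallSecurityPromptRunDllW command lines, noting when the .inf DrvInst.exe received lives under a user profile. PROCS is transcribed by hand from the rows above; the record fields and function names are this example's own.

```python
"""Triage helpers for the process table above: decode exit codes as NTSTATUS,
pair an elevation-required launch with its elevated rerun, and extract the
.inf/.cat paths from the driver-installation chain.

Added example, not ANY.RUN's or VB-Audio's code. PROCS is transcribed by hand
from the process table; field and function names are this example's own.
"""
import re

NTSTATUS_NAMES = {  # only the values that occur in the table
    0x00000000: "STATUS_SUCCESS",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
SEVERITY = ("success", "informational", "warning", "error")  # NTSTATUS bits 31:30

PROCS = [
    {"pid": 664, "image": r"C:\Windows\System32\drvinst.exe", "parent": "svchost.exe",
     "integrity": "SYSTEM", "exit": 0,
     "cmd": r'DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{759f3b78-9716-51fe-43d1-cd3abf9cd105}\vbmmecablea_win7.inf" "0" "66a81b357" "00000330" "WinSta0\Default" "000004BC" "208" "c:\users\admin\downloads"'},
    {"pid": 552, "image": r"C:\Windows\System32\rundll32.exe", "parent": "drvinst.exe",
     "integrity": "HIGH", "exit": 0,
     "cmd": r"rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1306230b-ddfb-326e-aca7-6969d7348d72} Global\{32541860-c44d-5a2a-611d-fb57deb3a044} C:\Windows\System32\DriverStore\Temp\{159a2e61-230b-1306-98c6-1521fb889129}\vbmmecablea_win7.inf C:\Windows\System32\DriverStore\Temp\{159a2e61-230b-1306-98c6-1521fb889129}\vbaudio_cablea_win7.cat"},
    {"pid": 2268, "image": r"C:\Windows\explorer.exe", "parent": "explorer.exe",
     "integrity": "MEDIUM", "exit": 1, "cmd": r'"C:\Windows\explorer.exe"'},
    {"pid": 2328, "image": r"C:\Users\admin\Downloads\VBCABLE_Setup.exe", "parent": "explorer.exe",
     "integrity": "MEDIUM", "exit": 3221226540, "cmd": r'"C:\Users\admin\Downloads\VBCABLE_Setup.exe"'},
    {"pid": 2432, "image": r"C:\Users\admin\Downloads\VBCABLE_Setup.exe", "parent": "explorer.exe",
     "integrity": "HIGH", "exit": 0, "cmd": r'"C:\Users\admin\Downloads\VBCABLE_Setup.exe"'},
]

# Drive-letter paths ending in .inf/.cat; a quote or whitespace ends the path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+\.(?:inf|cat)', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)


def decode_exit(code):
    """Interpret a process exit code as an NTSTATUS value."""
    code &= 0xFFFFFFFF
    return {"hex": "0x%08X" % code, "severity": SEVERITY[code >> 30],
            "name": NTSTATUS_NAMES.get(code, "unknown")}


def elevation_reruns(procs):
    """Pair each MEDIUM-integrity process that exited with STATUS_ELEVATION_REQUIRED
    with a HIGH-integrity process running the same image and command line."""
    pairs = []
    for p in procs:
        if p["integrity"] != "MEDIUM" or (p["exit"] & 0xFFFFFFFF) != 0xC000042C:
            continue
        for q in procs:
            if (q is not p and q["integrity"] == "HIGH"
                    and q["image"].lower() == p["image"].lower() and q["cmd"] == p["cmd"]):
                pairs.append((p["pid"], q["pid"]))
    return pairs


def driver_install_chain(procs):
    """Collect the .inf handed to DrvInst.exe (and whether it sits under a user
    profile, i.e. a user-writable staging location) and the .inf/.cat the PnP
    security prompt (rundll32 pnpui.dll,InstallSecurityPromptRunDllW) was shown for."""
    chain = {"drvinst_inf": None, "inf_in_user_profile": None, "prompt": None}
    for p in procs:
        image = p["image"].rsplit("\\", 1)[-1].lower()
        paths = PATH_RE.findall(p["cmd"])
        if image == "drvinst.exe":
            inf = next((x for x in paths if x.lower().endswith(".inf")), None)
            chain["drvinst_inf"] = inf
            chain["inf_in_user_profile"] = bool(inf and USER_PROFILE_RE.match(inf))
        elif image == "rundll32.exe" and "pnpui.dll,InstallSecurityPromptRunDllW" in p["cmd"]:
            chain["prompt"] = {
                "pid": p["pid"], "parent": p["parent"],
                "inf": next((x for x in paths if x.lower().endswith(".inf")), None),
                "cat": next((x for x in paths if x.lower().endswith(".cat")), None),
            }
    return chain


if __name__ == "__main__":
    for p in PROCS:
        print(p["pid"], p["integrity"], decode_exit(p["exit"]))
    print("elevated reruns:", elevation_reruns(PROCS))
    print("driver install chain:", driver_install_chain(PROCS))
```

The same three functions apply unchanged to any process-creation export with image path, command line, integrity level and exit code columns; the user-profile check is deliberately narrow (a path under C:\Users\) so it does not flag the DriverStore\Temp copies that the prompt references.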
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2184 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US |
| 2184 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| 2184 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\phacker.zip |
| 2184 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 2184 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip |
| 2184 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
| 2184 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
| 2184 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120 |
| 2184 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 2184 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1404 | WinRAR.exe | C:\Users\admin\Downloads\vbaudio_cablea_vista.cat | cat | 082BB4F183483230C1CE3B7525AA3979 | A1861115A107E5085E25C0706A3E1D76942599CFF18A2FD2F8FBE59E6E1EAD64 |
| 2184 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2184.4209\VBCABLE_A_Driver_Pack43.zip | compressed | 7266CEC4ED6B388180AD96F906CBF186 | CC22E1BA821563A34CE1B7035FF136BE694BEEB9AAEC8934E6FD1B0E86CF05AA |
| 1404 | WinRAR.exe | C:\Users\admin\Downloads\vbaudio_cablea_win7.cat | cat | BD868706619EF599BE18C207CFD2DD7B | 9EAB8BF838C6593FEB1547C032018656A72CF83A11EE260675529F0684EC9E9C |
| 1404 | WinRAR.exe | C:\Users\admin\Downloads\pin_in.ico | image | D9A5613B33C46867C07A70265ADA276D | DB6FFD304E036A07A472D2E226A60A999BAFBAF28CE78322A8271277E581B032 |
| 1404 | WinRAR.exe | C:\Users\admin\Downloads\vbaudio_cablea_xp.sys | executable | 5E22C8E2E69142C82CAD703D8C487337 | 9C09CCAE77084DBDEC44934B67B850A48326385E88008947589E3872E1C9DF61 |
| 1404 | WinRAR.exe | C:\Users\admin\Downloads\vbaudio_cablea64_2003.sys | executable | 8D02577B426006CABA38104B99250FD9 | 0E3211EB286BBBBBA9AABE9106F688E45F6A18D59B2562B275C3CB7E66793FF6 |
| 1404 | WinRAR.exe | C:\Users\admin\Downloads\vbaudio_cablea_xp.cat | cat | 7B16F6D4F10B2AA49CB919C4316E90A0 | 8B5A6B49171059BCF9DE67FC0F60FA50B50ED85EF2B8E3F0A686BB22C75B84BC |
| 1404 | WinRAR.exe | C:\Users\admin\Downloads\vbaudio_cablea64_2003.cat | cat | CF1C5889833CFF198CFA135A0AFCC01C | C8A133E68AD5195EB7FB1D5137511316A1C47895BFB86481C70AD251617CC735 |
| 1404 | WinRAR.exe | C:\Users\admin\Downloads\vbaudio_cablea64_vista.sys | executable | DB728E744B1C856B617E47E34B87BFD9 | EE05AE32A02B4313D399BC4C7322CFEE88956ACA27D4300AD32D4E512C0A1BB2 |
| 1404 | WinRAR.exe | C:\Users\admin\Downloads\vbaudio_cablea64_win7.sys | executable | 48CD2CDF941D7A31BA38B98CEC75C5C0 | E606EBBE8EED82C78C45207CA06A29448AED067840848C2989D3D8D9F1D04559 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |