Analysis

  • max time kernel: 628s
  • max time network: 630s
  • platform: windows10_x64
  • resource: win10
  • submitted: 18-10-2020 05:17

Errors

Reason: Machine shutdown

General

  • Target

    https://anonfiles.com/Hfo8Qbc5p5/FsE42k9kJ_exe

  • Sample

    201018-zp1q9wj3ke

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)

    Enables rebooting of the machine without requiring login credentials.

  • VMProtect packed file (2 IoCs)

    Detects executables packed with VMProtect commercial packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 55 IoCs)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Runs .reg file with regedit (1 IoC)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (15 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://anonfiles.com/Hfo8Qbc5p5/FsE42k9kJ_exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3832 CREDAT:82945 /prefetch:2
      2⤵
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3524
    • C:\Users\Admin\Downloads\FsE42k9kJ.exe
      "C:\Users\Admin\Downloads\FsE42k9kJ.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\FsE42k9kJ.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3256
        • C:\Windows\system32\PING.EXE
          ping 1.1.1.1 -n 1 -w 3000
          4⤵
          • Runs ping.exe
          PID:3760
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -Embedding
    1⤵
    PID:2864
  • C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\Desktop\InvokeOptimize.reg"
    1⤵
    • Runs .reg file with regedit
    PID:2072
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1344
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2b8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4060
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ade055 /state1:0x41c64e6d
    1⤵
    • Modifies WinLogon to allow AutoLogon
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3260

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Winlogon Helper DLL (T1004, 1 hit)
  • Defense Evasion: Modify Registry (T1112, 3 hits)
  • Discovery: Query Registry (T1012, 1 hit)
  • Discovery: System Information Discovery (T1082, 1 hit)
  • Discovery: Remote System Discovery (T1018, 1 hit)


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
    MD5: 52c8ff8b999c1449aa14a11ab1bdfb6c
    SHA1: 8dd131a76c188b5e5f5e6864995bdd5d56146725
    SHA256: 9637cae37edfa438df0ddda51c5c2deba138d8548ffc415ed56d5abb902f15cf
    SHA512: bd727851f9da606eefd98665ee814c8dd268660aa6dedd65f775dc70fd466a3ff5618310724a23aaeb2388d65c883de0da302c997ba80de6ffb900e1c7365944

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
    MD5: f2219af60c38b0f20b395fe1a1b7d869
    SHA1: 2eadc4b73a1a4c83226a5f461e1883302a486f18
    SHA256: e8c961a9213e3fffa7cd32738b71519f0942b28ee847ad8cf12a37b2d0acc8da
    SHA512: a4d0c93b71f090ca12ceed826aca703e3a6b3b4d4ee12f7402d03093afded68504c42b29b5f03697363c95221e3d20c1040d2fbf73d44cbb69515b0983d83f33

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
    MD5: 4257108557e9e6971aa077414a5aa8a8
    SHA1: ef03f250e6681dd1669fdbfdaa9e06dad6c1809d
    SHA256: 612dbf6f8c5f50cbb6f73f5d79c573cce97abdc787b680fbf451031923c3053c
    SHA512: 383b4c7f774e8127459e39e6f4ad2b9e0cac7fc8639bcc6f2104de2b28d4c9f0d06badc68d0e0c8b2759ee717bcac1530cc08afc50286ed80c92b1fa199ae186

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
    MD5: b177cb549056ad544e9326786000fbd5
    SHA1: 4ad7244754d3d47629fd3a6f05c4bbd0f38daf7f
    SHA256: 56a4172a29ec9a69c9a129813d68c6ec04c338bda7eef21d1a4f57d0126fef55
    SHA512: d9be3a2422f01fd1dbf51c66d70da716e16002d6408524966cbbbfbd31bc8cf0e04041f20a18bb44988ab25f73c40daa92720a198a088f4f7d8315cf4597b140

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\6ADLN19X.cookie
    MD5: 5f2bfce5ed9368c447e869ad1acd16d0
    SHA1: 87ccb12f7ada6ec31ae8fbe1a7de5b52a4bc1817
    SHA256: 5f5989e4037b3ec7cf9935f9401ff70cf604fc452ddc4248641f3eeeb59cdf59
    SHA512: 3d55542d43e4a55a14865b6e6729d71b360ae6ea77b095b70c01155f7599a1d25b05ed6d10266ffc3ad81165a094ed95c315266cacc123d03bbe27c55e2d9923

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\P4I22FM1.cookie
    MD5: 125b5f1872372f5c4b6c9f2d3446b90d
    SHA1: ec5799a57c7c53b61766c63e878327146c7ed6fc
    SHA256: 91813eb00f58023b76806380012aebde5cce1d689efb3ba016ce4f63d1b4767c
    SHA512: 7394e2c324470b80c333bb75851de2325a6606d8c433053cfecf0a9f22288c009ced62333db6cbde60cc5e96751775d930ffd40a4966357708d0f78f09a80229

  • C:\Users\Admin\Downloads\FsE42k9kJ.exe
    MD5: 4407c7c717997c58011aaaac9af61758
    SHA1: b2287f759e03650c8ece45472d914fa3481ce6d6
    SHA256: 07c9eebaca4315566ee657ef167ebea0f4c7f4f7a99da75253fcaf46eadf765f
    SHA512: f984e123d6e687aaf6715f0d58d6edbb703a0b13fd645aec8a55cdf1599fbc652e29068ba51ab9af5debb3aba29ed2b4ace030db8c61713a46d6abaa271b9d63

  • C:\Users\Admin\Downloads\FsE42k9kJ.exe.1ubcake.partial
    MD5: 4407c7c717997c58011aaaac9af61758
    SHA1: b2287f759e03650c8ece45472d914fa3481ce6d6
    SHA256: 07c9eebaca4315566ee657ef167ebea0f4c7f4f7a99da75253fcaf46eadf765f
    SHA512: f984e123d6e687aaf6715f0d58d6edbb703a0b13fd645aec8a55cdf1599fbc652e29068ba51ab9af5debb3aba29ed2b4ace030db8c61713a46d6abaa271b9d63

  • memory/2452-8-0x0000000000000000-mapping.dmp
  • memory/3256-10-0x0000000000000000-mapping.dmp
  • memory/3524-0-0x0000000000000000-mapping.dmp
  • memory/3760-11-0x0000000000000000-mapping.dmp