3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c

General

Target

3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe
Size

12.4MB
MD5

8d7bc30e8f1256b3a1a447e6cf8de012
SHA1

26e266cb7f8b5dc4826d487c1e3bbfe78dfdb87b
SHA256

3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c
SHA512

6e44c6f3ee7614fb286daf80d14ab16d28a5aaca6edcc8db4ca421e991cc583189419271fb23860895726bc29211c8ead4b8edae253dfddaf4493139aa71b692

Score

8^/10

spyware stealer vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Mono-Install.exeDecoder.exe

pid process

4756 Mono-Install.exe
1964 Decoder.exe

pid	process
4756	Mono-Install.exe
1964	Decoder.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe	vmprotect
behavioral2/memory/4756-132-0x0000000000DC0000-0x000000000119A000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exeMono-Install.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Mono-Install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1316 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Mono-Install.exe

pid process

4756 Mono-Install.exe
4756 Mono-Install.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Mono-Install.exe

description pid process

Token: SeDebugPrivilege 4756 Mono-Install.exe

flow	ioc
11	api.ipify.org

pid	process
1316	timeout.exe

pid	process
4756	Mono-Install.exe
4756	Mono-Install.exe

description	pid	process
Token: SeDebugPrivilege	4756	Mono-Install.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exeMono-Install.execmd.exe

description	pid	process	target process
PID 824 wrote to memory of 4756	824	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe	Mono-Install.exe
PID 824 wrote to memory of 4756	824	3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe	Mono-Install.exe
PID 4756 wrote to memory of 1964	4756	Mono-Install.exe	Decoder.exe
PID 4756 wrote to memory of 1964	4756	Mono-Install.exe	Decoder.exe
PID 4756 wrote to memory of 1964	4756	Mono-Install.exe	Decoder.exe
PID 4756 wrote to memory of 4864	4756	Mono-Install.exe	cmd.exe
PID 4756 wrote to memory of 4864	4756	Mono-Install.exe	cmd.exe
PID 4864 wrote to memory of 1316	4864	cmd.exe	timeout.exe
PID 4864 wrote to memory of 1316	4864	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe
"C:\Users\Admin\AppData\Local\Temp\3e7a2442794542444ce7eb56c63340de1d92912d7d2883cc90dd3787e0d00d3c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\ProgramData\Decoder.exe
    "C:\ProgramData\Decoder.exe"
    3⤵
    - Executes dropped EXE
    PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\system32\timeout.exe
      timeout 4
      4⤵
      Delays execution with timeout.exe
      PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

MD5
1c1818c3b332b2ef045ddb22abf1dbf9

SHA1
6d4bf4c4375465f6c47371ff542e9f9ed5798be6

SHA256
0314a3f57a790247db452c1100695503329e5c81e93859d9126a7d2cd788214c

SHA512
ca8c14d5dde9cc2641b537990ccc1d3754bf51b67c9410f0b0b8e9ef1ea9faa78807626d4d25c9e7d27700e876e389468ee57442e6f9eebfaffd111c045cc030

Download Submit
C:\ProgramData\Decoder.exe

MD5
1c1818c3b332b2ef045ddb22abf1dbf9

SHA1
6d4bf4c4375465f6c47371ff542e9f9ed5798be6

SHA256
0314a3f57a790247db452c1100695503329e5c81e93859d9126a7d2cd788214c

SHA512
ca8c14d5dde9cc2641b537990ccc1d3754bf51b67c9410f0b0b8e9ef1ea9faa78807626d4d25c9e7d27700e876e389468ee57442e6f9eebfaffd111c045cc030

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe

MD5
96ba3f9039a185d138836138659887cb

SHA1
b2de46b3863abc018265824c9089c28edebcc1a5

SHA256
f4b6a78225e9703f17cead70638ad72340c8e1c1b5b59262bac17ed6ebf36b78

SHA512
70bc4a06ec8d4c9e3b1d9d694bc79c3304cbe82b9ed0cb3f904ac0b8e59215cc83768c9506d19bee5d658868c3d111dfc8b160c8cf3d5d1dd6666174ba46ab72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mono-Install.exe

MD5
96ba3f9039a185d138836138659887cb

SHA1
b2de46b3863abc018265824c9089c28edebcc1a5

SHA256
f4b6a78225e9703f17cead70638ad72340c8e1c1b5b59262bac17ed6ebf36b78

SHA512
70bc4a06ec8d4c9e3b1d9d694bc79c3304cbe82b9ed0cb3f904ac0b8e59215cc83768c9506d19bee5d658868c3d111dfc8b160c8cf3d5d1dd6666174ba46ab72

Download Submit
memory/1964-141-0x0000000000120000-0x000000000016A000-memory.dmp

Filesize
296KB

Download
memory/1964-142-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/4756-132-0x0000000000DC0000-0x000000000119A000-memory.dmp

Filesize
3.9MB

Download
memory/4756-133-0x00007FFD3A350000-0x00007FFD3AE11000-memory.dmp

Filesize
10.8MB

Download
memory/4756-136-0x000000001D550000-0x000000001D552000-memory.dmp

Filesize
8KB

Download
memory/4756-137-0x00000000018B0000-0x00000000018B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads