e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34

General

Target

e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe
Size

388KB
MD5

96bf6cd67a17a9d1a9fbc7ff04dcfe72
SHA1

b593c9d0311c4ead374c97eaecad143b542b610a
SHA256

e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34
SHA512

bf50f4dc42e1cc053e53516be4c3d7da69e6acc11e52cac7acb0fe8cc8c0050019f5381234a918d5eda7ac654f314eb124c331d1f82cb7c82a8175c3028e4f3e

Score

10^/10

evasion persistence spyware stealer trojan vmprotect

Malware Config

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe	disable_win_def
C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe	disable_win_def
C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe	disable_win_def
behavioral1/memory/1712-65-0x0000000000D80000-0x0000000000DAE000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Executes dropped EXE 1 IoCs

Processes:

Disable-Windows-Defender.vmp.exe

pid process

1712 Disable-Windows-Defender.vmp.exe

pid	process
1712	Disable-Windows-Defender.vmp.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1936-54-0x00000000009A0000-0x0000000000A1A000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe	vmprotect
C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe	vmprotect
C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe	vmprotect
behavioral1/memory/1712-65-0x0000000000D80000-0x0000000000DAE000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe

pid process

1936 e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

Disable-Windows-Defender.vmp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features Disable-Windows-Defender.vmp.exe

pid	process
1936	e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	Disable-Windows-Defender.vmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe"	e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 icanhazip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1592 powershell.exe

flow	ioc
3	icanhazip.com

pid	process
1592	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1936	e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe
Token: SeDebugPrivilege	1592	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exeDisable-Windows-Defender.vmp.exe

description	pid	process	target process
PID 1936 wrote to memory of 1712	1936	e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe	Disable-Windows-Defender.vmp.exe
PID 1936 wrote to memory of 1712	1936	e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe	Disable-Windows-Defender.vmp.exe
PID 1936 wrote to memory of 1712	1936	e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe	Disable-Windows-Defender.vmp.exe
PID 1936 wrote to memory of 1712	1936	e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe	Disable-Windows-Defender.vmp.exe
PID 1712 wrote to memory of 1592	1712	Disable-Windows-Defender.vmp.exe	powershell.exe
PID 1712 wrote to memory of 1592	1712	Disable-Windows-Defender.vmp.exe	powershell.exe
PID 1712 wrote to memory of 1592	1712	Disable-Windows-Defender.vmp.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe
"C:\Users\Admin\AppData\Local\Temp\e9c320fc6f33b99e8cf439454854347febb9852719009cf2befc9c7ce9e58c34.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe
"C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe
Filesize
143KB

MD5
787f632e3502dc87a30e82543b89bfa9

SHA1
f430ee7e9e6381877a2f05475c4911dfebf72290

SHA256
358358793c2e152bbc2cc78a29fba9b52beb0d51b071ae680449808593fc76a3

SHA512
e0f74f229917f4568fc13092e61c70aeb9bbcb2549796afa25f3fdf46dd0fd943e01b455bd50e35bc4f505e6f26dba5d1f0823005c2c64c0205a4f9c05bba2df

Download Submit
C:\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe
Filesize
143KB

MD5
787f632e3502dc87a30e82543b89bfa9

SHA1
f430ee7e9e6381877a2f05475c4911dfebf72290

SHA256
358358793c2e152bbc2cc78a29fba9b52beb0d51b071ae680449808593fc76a3

SHA512
e0f74f229917f4568fc13092e61c70aeb9bbcb2549796afa25f3fdf46dd0fd943e01b455bd50e35bc4f505e6f26dba5d1f0823005c2c64c0205a4f9c05bba2df

Download Submit
\Users\Admin\AppData\Local\Disable-Windows-Defender.vmp.exe
Filesize
143KB

MD5
787f632e3502dc87a30e82543b89bfa9

SHA1
f430ee7e9e6381877a2f05475c4911dfebf72290

SHA256
358358793c2e152bbc2cc78a29fba9b52beb0d51b071ae680449808593fc76a3

SHA512
e0f74f229917f4568fc13092e61c70aeb9bbcb2549796afa25f3fdf46dd0fd943e01b455bd50e35bc4f505e6f26dba5d1f0823005c2c64c0205a4f9c05bba2df

Download Submit
memory/1592-68-0x000007FEEDFA0000-0x000007FEEE9C3000-memory.dmp

Filesize
10.1MB

Download
memory/1592-66-0x0000000000000000-mapping.dmp

Download
memory/1592-67-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download
memory/1592-69-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1592-70-0x000007FEED440000-0x000007FEEDF9D000-memory.dmp

Filesize
11.4MB

Download
memory/1592-71-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1712-62-0x0000000000000000-mapping.dmp

Download
memory/1712-65-0x0000000000D80000-0x0000000000DAE000-memory.dmp

Filesize
184KB

Download
memory/1936-60-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/1936-59-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1936-58-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1936-57-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1936-54-0x00000000009A0000-0x0000000000A1A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads