1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

General

Target

1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
Size

122KB
MD5

53ebe3efa9bdad1a2af74252ccf19bd2
SHA1

74e3bea45a504edd34ac009c5abcc56f477617b9
SHA256

1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a
SHA512

6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b
SSDEEP

3072:TAY9SuJNW8CZ+zTyxvJ530A3RAVavmyKoSiZBtJ:TPX69ZMyxx5kA3RAVauZoSiZ7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1480	VVf83d6c.exe
1944	VVf83d6c.exe

Loads dropped DLL 3 IoCs

pid	Process
1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
1744	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	188.190.98.22
Destination IP	188.190.98.22
Destination IP	188.190.98.22
Destination IP	188.190.98.22
Destination IP	188.190.98.22
Destination IP	188.190.98.22
Destination IP	188.190.98.22

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	VVf83d6c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	VVf83d6c.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 4 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	VVf83d6c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	VVf83d6c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	VVf83d6c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	VVf83d6c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	VVf83d6c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Error Dlg Displayed On Every Error = "no"	VVf83d6c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1480	1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	27
PID 1148 wrote to memory of 1480	1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	27
PID 1148 wrote to memory of 1480	1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	27
PID 1148 wrote to memory of 1480	1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	27
PID 1148 wrote to memory of 1744	1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	30
PID 1148 wrote to memory of 1744	1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	30
PID 1148 wrote to memory of 1744	1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	30
PID 1148 wrote to memory of 1744	1148	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	30
PID 1744 wrote to memory of 1944	1744	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	31
PID 1744 wrote to memory of 1944	1744	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	31
PID 1744 wrote to memory of 1944	1744	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	31
PID 1744 wrote to memory of 1944	1744	1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe	31

C:\Users\Admin\AppData\Local\Temp\1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
"C:\Users\Admin\AppData\Local\Temp\1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1148
- C:\ProgramData\VVf83d6c.exe
  "C:\ProgramData\VVf83d6c.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe
  "C:\Users\Admin\AppData\Local\Temp\1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a.exe"
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\ProgramData\VVf83d6c.exe
    "C:\ProgramData\VVf83d6c.exe"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VVf83d6c.exe

Filesize
122KB

MD5
53ebe3efa9bdad1a2af74252ccf19bd2

SHA1
74e3bea45a504edd34ac009c5abcc56f477617b9

SHA256
1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

SHA512
6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

Download Submit
C:\ProgramData\VVf83d6c.exe

Filesize
122KB

MD5
53ebe3efa9bdad1a2af74252ccf19bd2

SHA1
74e3bea45a504edd34ac009c5abcc56f477617b9

SHA256
1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

SHA512
6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

Download Submit
C:\ProgramData\VVf83d6c.exe

Filesize
122KB

MD5
53ebe3efa9bdad1a2af74252ccf19bd2

SHA1
74e3bea45a504edd34ac009c5abcc56f477617b9

SHA256
1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

SHA512
6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

Download Submit
\ProgramData\VVf83d6c.exe

Filesize
122KB

MD5
53ebe3efa9bdad1a2af74252ccf19bd2

SHA1
74e3bea45a504edd34ac009c5abcc56f477617b9

SHA256
1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

SHA512
6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

Download Submit
\ProgramData\VVf83d6c.exe

Filesize
122KB

MD5
53ebe3efa9bdad1a2af74252ccf19bd2

SHA1
74e3bea45a504edd34ac009c5abcc56f477617b9

SHA256
1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

SHA512
6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

Download Submit
\ProgramData\VVf83d6c.exe

Filesize
122KB

MD5
53ebe3efa9bdad1a2af74252ccf19bd2

SHA1
74e3bea45a504edd34ac009c5abcc56f477617b9

SHA256
1cf515f3703846fc5f83ab053ab501e126fc4171d57cff4f53d7b8e489fb5d6a

SHA512
6f8ff09930a0f8502c93ce4cfc2f92d526e7aa348848e5df23e021aa419cea06dbc3ddcf6cceae92c8f14416cda3a43bf3b82e539ef2f57637e160e60c51455b

Download Submit
memory/1148-55-0x00000000001B0000-0x00000000001F6000-memory.dmp

Filesize
280KB

Download
memory/1148-54-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1148-56-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1148-57-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1148-62-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1148-69-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1480-67-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1480-66-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1480-64-0x0000000000220000-0x0000000000266000-memory.dmp

Filesize
280KB

Download
memory/1480-63-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1744-70-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1744-71-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/1744-74-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1744-78-0x0000000002770000-0x00000000027B6000-memory.dmp

Filesize
280KB

Download
memory/1944-80-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads