e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa

Analysis

max time kernel
167s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
Size

76KB
MD5

06da6fd21bcff5c3dbefed8563fb8b7c
SHA1

8525f1aa97a3fde352e35df3ab1cbf5dca341ddf
SHA256

e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa
SHA512

9a30e17b9793bcc942fc47f7db9dabdcbb8d611bbb4aca39533f3925427126d52d0db234918744120e06453c9612a07322712548dbbdaea82f61769a0c861789
SSDEEP

1536:p3xVPoyObzZ59oxYNwFwlIvgOXEObEtzp2q1R5Rz7:p3noZPZ59b0wlI4O0N1fJ7

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4080	ads.exe
4456	ads.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/444-132-0x0000000000400000-0x000000000042D000-memory.dmp	vmprotect
behavioral2/memory/444-133-0x0000000000400000-0x000000000042D000-memory.dmp	vmprotect
behavioral2/memory/444-141-0x0000000000400000-0x000000000042D000-memory.dmp	vmprotect

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ads.exe	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
File opened for modification	C:\Windows\ads2.exe	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
Token: SeDebugPrivilege	444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
Token: SeDebugPrivilege	444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
Token: SeDebugPrivilege	444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
4080	ads.exe
4080	ads.exe
4080	ads.exe
4456	ads.exe
4456	ads.exe
4456	ads.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 4080	444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe	82
PID 444 wrote to memory of 4080	444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe	82
PID 444 wrote to memory of 4080	444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe	82
PID 444 wrote to memory of 4456	444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe	85
PID 444 wrote to memory of 4456	444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe	85
PID 444 wrote to memory of 4456	444	e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe	85

C:\Users\Admin\AppData\Local\Temp\e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe
"C:\Users\Admin\AppData\Local\Temp\e1eb2017651d6daf220c2576268d32fc9e7a0d11ef7a4c52f15750b7b8f72cfa.exe"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:444
- C:\Windows\ads.exe
  C:\Windows\ads.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4080
- C:\Windows\ads.exe
  C:\Windows\ads.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DU2BEY67\static[1].css

Filesize
420B

MD5
b2b046dac5ad7c0939e90564cac43e9c

SHA1
8c33f7b86d0c4352d9d0dc0a4b55debf26346d4a

SHA256
e34fe81eabef2bb61177783c03c8042752b33b93e0ef6672a3b9e5698db1c865

SHA512
199c65f9e10022fd4d1294f765afee66deb8b5d7d44b5357b5532ea89db4ef97627d1025468c2fa63f0878da1aa8811386e19a528bfc42bce7b936a07bf1dd02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\G9LDH5FK\logo[1].png

Filesize
9KB

MD5
25e3e75dd5d6f30361d61e919335858e

SHA1
8ec690d03b8e684911d8ba56014d4787e9259dd1

SHA256
556a6fbbcc8e98218bb37809bdc03bf149fa25de12afc0d848f45160d0e1d9a9

SHA512
065e1033ebba7d92c901505695b9a5d60fc54f1aa530b068234392b2f29df9a641baa1b9ea5ea817cdd017aecbdeba083f46414fece8d4ad7f56561104c8edf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S58XVZL8\header_gradient[1].jpg

Filesize
4KB

MD5
c64481cc98427fcd594be2aead5ae6f6

SHA1
a3870ae306bf9c97d671f427e81c3bcbb86ca2f0

SHA256
5cb1dd17d8f085b5e3b4654893c6aad4dde9dbe3de2574da72c24a6cf3a4ec6e

SHA512
dcd815acb359643be1bc536d0d0d064a69f6f978b118e161d9503aeee62a64d1bd1bd723fda12cfe47b006c2a5206237199f8dcd20259a790fa27eb6aacddbce

Download Submit
C:\Windows\ads.exe

Filesize
32KB

MD5
3f70c0b1c1a3645eb31e7f04ef62e56b

SHA1
a71bcfc497e92f28d884ab5e40893f0bd5e92690

SHA256
9f6547297df9303c69a735238b3f4b92fce827cd014266295618fee07362c315

SHA512
8968987bf5ac59e0ced36916468eb99d6867b8cb876c01e0a5b58e1f8d226434617d86577d637d8374e53be9263edd334a3d02e0ab15ddc6ef21da41e3376997

Download Submit
C:\Windows\ads.exe

Filesize
32KB

MD5
3f70c0b1c1a3645eb31e7f04ef62e56b

SHA1
a71bcfc497e92f28d884ab5e40893f0bd5e92690

SHA256
9f6547297df9303c69a735238b3f4b92fce827cd014266295618fee07362c315

SHA512
8968987bf5ac59e0ced36916468eb99d6867b8cb876c01e0a5b58e1f8d226434617d86577d637d8374e53be9263edd334a3d02e0ab15ddc6ef21da41e3376997

Download Submit
C:\Windows\ads.exe

Filesize
32KB

MD5
3f70c0b1c1a3645eb31e7f04ef62e56b

SHA1
a71bcfc497e92f28d884ab5e40893f0bd5e92690

SHA256
9f6547297df9303c69a735238b3f4b92fce827cd014266295618fee07362c315

SHA512
8968987bf5ac59e0ced36916468eb99d6867b8cb876c01e0a5b58e1f8d226434617d86577d637d8374e53be9263edd334a3d02e0ab15ddc6ef21da41e3376997

Download Submit
memory/444-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/444-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/444-141-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download