36ab6110a522e29709f6f3d85c800a8965dd8d222e361a5c7f31d5b85e671d6a

General

Target

SecuriteInfo.com.FileRepMalware.9786.25455.exe
Size

528KB
MD5

5a88d8e2be02b85a62a4ac969406b643
SHA1

8cf4575add13e7e7fe5d70fb014f0857890a2414
SHA256

36ab6110a522e29709f6f3d85c800a8965dd8d222e361a5c7f31d5b85e671d6a
SHA512

0efe0bda29031c07d574182bde11da3cf333b47066b0161c243281b44f748906036af295d892bb817d5d5ce197d22f7d4658688f27df7e2fcdbde2ad9b76797b
SSDEEP

12288:Ho5mh631p5TsYkg0dWQ02SZ2s6DgGC4i8Rx5I8u4y55t:I5J1p5QaUtszqRpIt5t

Score

8^/10

vmprotect

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.9786.25455.exe

description ioc process

File opened for modification C:\WINDOWS\system32\drivers\etc\hosts SecuriteInfo.com.FileRepMalware.9786.25455.exe

description	ioc	process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	SecuriteInfo.com.FileRepMalware.9786.25455.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4708-132-0x0000000000400000-0x0000000000585000-memory.dmp	vmprotect
behavioral2/memory/4708-133-0x0000000000400000-0x0000000000585000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

SecuriteInfo.com.FileRepMalware.9786.25455.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	SecuriteInfo.com.FileRepMalware.9786.25455.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	SecuriteInfo.com.FileRepMalware.9786.25455.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	SecuriteInfo.com.FileRepMalware.9786.25455.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	SecuriteInfo.com.FileRepMalware.9786.25455.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

SecuriteInfo.com.FileRepMalware.9786.25455.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.wz123.com/?nuli"	SecuriteInfo.com.FileRepMalware.9786.25455.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.9786.25455.exe

pid	process
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.9786.25455.exe

description pid process

Token: SeDebugPrivilege 4708 SecuriteInfo.com.FileRepMalware.9786.25455.exe

description	pid	process
Token: SeDebugPrivilege	4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.9786.25455.exe

pid	process
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe
4708	SecuriteInfo.com.FileRepMalware.9786.25455.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.9786.25455.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.9786.25455.exe"
1⤵
- Drops file in Drivers directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4708-132-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/4708-133-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads