a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16

General

Target

a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe
Size

1.3MB
MD5

60e134b705a0467716c2c8846b0971d9
SHA1

db41d8e6c9b023509cb290f8d3f75853061fa246
SHA256

a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16
SHA512

ac2769691abfee85d6a23499b13c92652f7c1fce4c93c46d094a496d10f9906174aeb97956fbf1acddc90763109bc175ac30c90b5524413169962aa18746cb77
SSDEEP

24576:2aNleScW/QSWySa41v4+ySl5YFHhUPKJ18re4puV/Pg7MAICa:fvdLJ+Ll5mme155dC

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/864-55-0x0000000000400000-0x0000000000733000-memory.dmp	vmprotect
behavioral1/memory/864-57-0x0000000000400000-0x0000000000733000-memory.dmp	vmprotect
behavioral1/memory/864-59-0x0000000000400000-0x0000000000733000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A5D9F501-6B03-11ED-BF3D-D6AAFEFD221A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "131"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001d36fdbc59cbe54c9202816be9635843000000000200000000001066000000010000200000004e1f6f604a0a5bf5dd27c68a1e029700eb379587b4cccd9e203988609025531c000000000e8000000002000020000000ea94069d0011908a1516ec1056913f5220f1856177862dd15845e6c2ba324f2420000000967703a912fcd4ccc866e67de133a5b2f71f82f14a6d6d0acaf30717fdfb56bf400000005e4915614b52c674782b9fb8c4db1ff2c3a57f5c58ea1b8f0db881cffb771bd8e1c4299de8d3cc65732658255c73fe994fd5e6da5e8c19e45ea6a65463c00d9f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\pan.baidu.com\ = "131"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\NumberOfSubdomains = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70692e9010ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\pan.baidu.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\pan.baidu.com\ = "83"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375954871"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\pan.baidu.com\ = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "20"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\pan.baidu.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "83"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "131"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "83"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001d36fdbc59cbe54c9202816be963584300000000020000000000106600000001000020000000a27039c5de673c0c801525dabda35e395ec7112292e7fc645cde4c3ddc496a74000000000e80000000020000200000006acdb5053b4552a71e38df8c3d961aea5fad86dfa4cd8421f42eb95b32e371a590000000d3e8561eecbc5e66e5b1b59c506884e4aec7b16f03e1102869203ec60cfa292cff37c512089c7d264d4c3015486104b4b803e37891f1443e75ddc608675e424afabbe7c5d79ecf9486fd6a37856541a321b4c6fae71aa8820040aefe6c1e82840515f139d9cb3d06f3b3a12ee3de7665f0f10ff5578c9cbd3c4a76e17451a1ff50130678d51c3d883033cac33a769c6940000000ecab2f9a49a5adff8b26ca27db09f31cb3da9ba1e8b1487da55d8c13ea2104ea2e08326f4a61970795c07ff4db0a079aff2776fc17b6a666dc39749cfd7cec82	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe

pid process

864 a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1564 iexplore.exe

pid	process
1564	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exeiexplore.exeIEXPLORE.EXE

pid	process
864	a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe
864	a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe
864	a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe
864	a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe
1564	iexplore.exe
1564	iexplore.exe
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exeiexplore.exe

description	pid	process	target process
PID 864 wrote to memory of 1564	864	a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe	iexplore.exe
PID 864 wrote to memory of 1564	864	a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe	iexplore.exe
PID 864 wrote to memory of 1564	864	a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe	iexplore.exe
PID 864 wrote to memory of 1564	864	a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe	iexplore.exe
PID 1564 wrote to memory of 1676	1564	iexplore.exe	IEXPLORE.EXE
PID 1564 wrote to memory of 1676	1564	iexplore.exe	IEXPLORE.EXE
PID 1564 wrote to memory of 1676	1564	iexplore.exe	IEXPLORE.EXE
PID 1564 wrote to memory of 1676	1564	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe
"C:\Users\Admin\AppData\Local\Temp\a8ff40bcee6d5fd42732b1d296e5ffc65df5615e13d846cbe51faeea673f7b16.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://pan.baidu.com/s/1kTwXzNp
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
360e124043db65c2392626b2d211eabb

SHA1
c1cabb011e298f9bf02871defab61bfa6aabd5b8

SHA256
d4a3c3066b9600741832d6d6d6bd79a91e0a8a11726a57fde78b81dd017f4308

SHA512
642471a820621a7656791c8e023dae2081f2e465455008beb143c5de5aecda38db35b49325991cb243eed7e2aa943afe0e3e380610dff58e3eb88d0155e75cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
Filesize
8KB

MD5
b8cfe1c9d8ea59620c68244fc5b118c2

SHA1
b1309281b52e2e3b1367ef6d53c7133034137c0b

SHA256
3a78ad213a19b7fb8914a429614881389d4486b21138a6726d7786f3d6154a5b

SHA512
34ed6112366b1a45f4be8b202c54c5a037512a5bf27959dfbb450206da0738ba816adb910f68f3238396e4bf19713c179a85da203e05e0550744a35d4401a4c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\78BD7TMI.txt
Filesize
608B

MD5
cc6079831f2444fdc1144113b1f05924

SHA1
60728ff2b74a3aa0fb3f987b2df68880d50dab52

SHA256
757e0aa4941b73c708d88c4a1a634b1b5ef3975fd58e3241bcb186a8fbc15c20

SHA512
53f5b0dbbc3dec9b03127c89b062277327282c4720c0141bef195b9e95dc1c50120b346d2a45a8a6476ab32ff8b13a7fc89fc9a52633fc9a976bda45d539b235

Download Submit
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/864-55-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/864-57-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download
memory/864-58-0x0000000002630000-0x0000000002657000-memory.dmp

Filesize
156KB

Download
memory/864-59-0x0000000000400000-0x0000000000733000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads