82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e

General

Target

82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe
Size

568KB
MD5

b71663ea25449309654413f80cb514b1
SHA1

c3c091448648ad491da5ba38e039e884bd1c22b9
SHA256

82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e
SHA512

fd1446b382bfd0ec18b3bd503baf7209dc5a6d16891f420c8a089e36533be6250bbc2acff5a25034aafd5a3ec1d802ffd1c1960750a4e4409a8202730436c762
SSDEEP

12288:TEZNocRXWCBDVo52MDHKFmcUKNM+v0LmKdv24JyvE5cZEhXm:TEZNhzF6520K0c8+MidvycZEh2

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/960-55-0x0000000000400000-0x0000000000548000-memory.dmp	vmprotect
behavioral1/memory/960-56-0x0000000000400000-0x0000000000548000-memory.dmp	vmprotect
behavioral1/memory/960-57-0x0000000000400000-0x0000000000548000-memory.dmp	vmprotect

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000004d1332f50bf6c939e56a5b75a40b60daef476782b29fd64a8113c6c25f53f3f8000000000e80000000020000200000003439fc42d793389181e6b4b358ae84719844eaefdb8d78d8c8b490b5ce0cbd0690000000c4fa8482202272efbfd96f37accf0f89ff5f95d506292958dd30e8515a95c0f1795603e4fa831d477cad70677525dc9ce61cb988f18865f91872d71b8a9c47203a19045a6e2435385c84b5609fd6ff5d7fc025dabbfdae4e0ba4cf1872d80917619f12adf8c6a76846256ee5a54f0c3c1ec4869b45b703ea9e4bf97e3634e9f35c72d8a25afc4fa31a5b1d533182d3c4400000006de0a2defe9c60302bbb87c490fc9d2fda78ff72208b3159d594771b7c8ed8a3403068c626c8a7d8151d98d6784b53c1e49c693c85b9821dd2a1b363c835574e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\cqyongshi.com\Total = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\mgy7.tv\ = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a01061e06fffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\mgy7.tv	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3AB5950-6B62-11ED-AFDA-E233F62F3A57} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\mgy7.tv\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cqyongshi.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cqyongshi.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\cqyongshi.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbafda4d2839344b902c87c07ddf25a1000000000200000000001066000000010000200000007e30bb8f6db36ab60c05780a10c912997996eddc84d5efac708d696f7f4f8248000000000e8000000002000020000000ccff38fa283dae6775d246c06606f8feb914060eca395cc36823bdbafd242d9820000000c3b01f94940f8164639bdef35b4cd6b1eca8002dad7d0a6a1dc83f4ae7aca36840000000449c9a050e2452fe70ed1f19fa8eec85a91a84472170d841c0841237ac81fda3f7662f97a77ccc15eb300d1cb61ceafbceadd7b3f5a8a9377695e9dc07c0f4c5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\mgy7.tv\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375995773"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cqyongshi.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "252"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cqyongshi.com\ = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\cqyongshi.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\cqyongshi.com\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\DOMStorage\cqyongshi.com\NumberOfSubdomains = "1"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe

pid	process
960	82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe
960	82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe
960	82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe
960	82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe

description pid process

Token: SeDebugPrivilege 960 82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

556 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

556 iexplore.exe
556 iexplore.exe
1180 IEXPLORE.EXE
1180 IEXPLORE.EXE
1180 IEXPLORE.EXE
1180 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	960	82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe

pid	process
556	iexplore.exe

pid	process
556	iexplore.exe
556	iexplore.exe
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exeiexplore.exe

description	pid	process	target process
PID 960 wrote to memory of 556	960	82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe	iexplore.exe
PID 960 wrote to memory of 556	960	82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe	iexplore.exe
PID 960 wrote to memory of 556	960	82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe	iexplore.exe
PID 960 wrote to memory of 556	960	82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe	iexplore.exe
PID 556 wrote to memory of 1180	556	iexplore.exe	IEXPLORE.EXE
PID 556 wrote to memory of 1180	556	iexplore.exe	IEXPLORE.EXE
PID 556 wrote to memory of 1180	556	iexplore.exe	IEXPLORE.EXE
PID 556 wrote to memory of 1180	556	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe
"C:\Users\Admin\AppData\Local\Temp\82f9702896d6e18dbe6e7d85bfc5f8a1d15b22a1638263ba8915f0a76426de5e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.cqyongshi.com/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:556 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
Filesize
7KB

MD5
f739b394d30d392d8eb28922bf5a7e12

SHA1
78124ad341a0e03ecbb7660011409767e6678fef

SHA256
4fff638b8a8f8004eb7a6f5d71ba702373ece50bbe85f499d00d09e7c86dc543

SHA512
48cf40407485d1a22f728220a64dc15e85cf051a44104019efa868cc7fccdefcfea2169eea8fb72be819a8c67892aeee72fd22deca31b8bfbd3f8018e55e215f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
Filesize
232B

MD5
c195b53862847fb1c0011b3febc066cb

SHA1
599e8b4ef75ba5284f5821d2bf8cb70f5da2bc28

SHA256
e50673008877d2e2273a664b852c9c2390f620e725aca57dfeb8b815370eed55

SHA512
1eeb11288823efbb5afd9c1e73916cd22eb3af844f7e5b0bb4b2d4e53812f4533b0a731f91bea3dc915c7b0314fa2020720f84c2a09ed7fc3cb6f1d415ca8e68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3c2ff1547a188c6e2fd88f3005666165

SHA1
b8ead24da1cb12d8475105a8c186bc85b15b5620

SHA256
226a7e7645513cf5358a5b3a7c424546a312e217cbc7670646638689c7ca1bc4

SHA512
e4ed3df29be85238a0b17acc680854cd207652f5707a9c6d09138b6a789042a98076835c9e56afd52f840a873fc003976ace3cbd291cc74557a0f8d1966b31d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6FOJY4KS.txt
Filesize
600B

MD5
ef7385c72608631a1c9c08b69741305a

SHA1
319656213784a7ef1c103486889d1fa8d7f94ca3

SHA256
590b88e44a705d9b10c0e89cea2cd68f881982f8f2bf6c98a80ec7319ffa6956

SHA512
3c111636e719a2fe1dd02c326a377d1d6ac5fbbd9521a582bed9ab20aeb8c21ad3a17da175bafa5b3f49b82b9111330f95d0482ba4d199ebb817d22e814f22b3

Download Submit
memory/960-54-0x0000000075001000-0x0000000075003000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/960-56-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/960-57-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads