9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24

General

Target

9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe
Size

2.2MB
MD5

1be1092a4fa89860e7328d16dfdd3512
SHA1

29885cd68b6b8acde1584bb4265ad85c2b2d4526
SHA256

9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24
SHA512

87ea2ee4abbba1e41eebd4ec63afc639dfe81faeab2c246d1a911fa7cfa68b79fd70c7c7aedd2767db8d8e62345f51015cb6eb111ccea2d64ac24bca7fcfd616
SSDEEP

49152:2leBez5K/OO0i+Mg4Om3RcOYPhKYuJAJFtgCCw5H:JUK/wgR+KAFtCAH

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/584-54-0x0000000000400000-0x0000000000965000-memory.dmp	vmprotect
behavioral1/memory/584-56-0x0000000000400000-0x0000000000965000-memory.dmp	vmprotect
behavioral1/memory/584-58-0x0000000000400000-0x0000000000965000-memory.dmp	vmprotect
behavioral1/memory/584-59-0x0000000000400000-0x0000000000965000-memory.dmp	vmprotect
behavioral1/memory/584-61-0x0000000000400000-0x0000000000965000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb8000000000200000000001066000000010000200000000eedf742781a773bd27187aa8d94438ba3f09e7e0b663d5d739a771549d7d3f1000000000e800000000200002000000097e786d464664b75c0c8ed9ecdd475fba534bb081292786ebd41b83bff1a89a4200000009d8f7b246a5ee60e783dec2ed503e5dde8f2f338582509740010dc647fda9b444000000007168893c61f1b5068c4a3d88cd0cd0f06e773dfdaaba527465e9b1d05a05d757389f571d7a545e51dfe562f3e39e50c63e9b90d22fa0e4e607ee49aa77ca29b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40bcdeaa9affd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb80000000002000000000010660000000100002000000016fe79b3ba709e6f7a8848ffb2d643d2251f66373252dbf24678b88d6c852822000000000e8000000002000020000000cd4b55834e02b8eb42fed7ef4d7143fe4412e8a97fd6c8a38e0438b0d8cea91490000000dfd9e0eba21a95f5a9810e34c45f55caa8bd403e959c3e61a7b274f2887aa52e667e0c8f5407d79d43932ef1243e6a5ab7678bcb73bb9553c7bc0d3dd8978f8b14a0bf1e17c319013b5aac318660f4d028b337a923e12e152af3ad4d9875fa0cde5dbe68b49d6ab2880e17b731634321ce518308dbf931b31559030ff0f871c3502c32859fa7f5aaeeb5c2c1fc33b4164000000044cbf92d8a9a65f681cdafaf6bfde4d70ac741e140525c3297bc2f175779a507ba688153736ed9b849e367c937eafa3afb5a1f6d80a748cb671ca0753310681a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C62FDE21-6B8D-11ED-B7DF-7AEFAD47A2D2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\pan.baidu.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376014224"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DOMStorage\pan.baidu.com	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe

pid process

584 9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1064 iexplore.exe

pid	process
1064	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exeiexplore.exeIEXPLORE.EXE

pid	process
584	9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe
584	9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe
584	9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe
584	9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe
1064	iexplore.exe
1064	iexplore.exe
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exeiexplore.exe

description	pid	process	target process
PID 584 wrote to memory of 1064	584	9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe	iexplore.exe
PID 584 wrote to memory of 1064	584	9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe	iexplore.exe
PID 584 wrote to memory of 1064	584	9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe	iexplore.exe
PID 584 wrote to memory of 1064	584	9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe	iexplore.exe
PID 1064 wrote to memory of 1612	1064	iexplore.exe	IEXPLORE.EXE
PID 1064 wrote to memory of 1612	1064	iexplore.exe	IEXPLORE.EXE
PID 1064 wrote to memory of 1612	1064	iexplore.exe	IEXPLORE.EXE
PID 1064 wrote to memory of 1612	1064	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe
"C:\Users\Admin\AppData\Local\Temp\9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://pan.baidu.com/share/home?uk=406623129
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1064

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
687dfa0ef02c5e7b9b70b73949b24ed6

SHA1
61561243326fd57e91a40d6623f6f2321552bd9b

SHA256
a22860aa83f4aadedc81abf49bc520610f3c1ccb91df3302a50afe335bf05117

SHA512
5cb95b0ace700cc49349ff51bbcc9f60891f34533cb7fb9889b194465eb4ed752b28d628e837ad7604927a63469e9b8a37a7f3cb2cd8b0032fca71be4c62b4b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mlf2v8h\imagestore.dat
Filesize
4KB

MD5
b22d21c7a91eace85bdb4d191009b959

SHA1
af434ca58605347851804bc5dd0017e342dbee04

SHA256
1bc6ce45878698ebe78c409601d354dc71c0161ae0a5289795cf5acda21e97bd

SHA512
81aa1de7111f159583b9d7100590ef730d2e3a81a527c76c985d25393240fc05908ea152feb5390be822782368c3ba4b4313457725e6ed2f354559a9ec9bafee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VA2LKRI8.txt
Filesize
596B

MD5
428463ff49a1fa83c1e1e607cee512bc

SHA1
9c8fb9264df7351812b1dc0e2776c9ca853ab65a

SHA256
e3d06ea75ad02e54b84c5e9d822953e2e2f1a7bd2345c3c9e4536b2297cac7bc

SHA512
0cb163eac82fd3a26dba1a07f8182f62d3ad9bef7c33521f4ff118685ddf4fda3009a3d903f4ebccf1e6de38cf862cf8afdfcb932c260c09fd16d5978b05f4bd

Download Submit
memory/584-54-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/584-55-0x0000000076D71000-0x0000000076D73000-memory.dmp

Filesize
8KB

Download
memory/584-56-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/584-58-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/584-59-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/584-61-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads