1d807e51251146cf266619eeb7f4c87c41683fa3b004492b4ba38e340674dd67

General

Target

記憶-14.10.1.1/記憶-14.10.1.1.exe
Size

2.2MB
MD5

1be1092a4fa89860e7328d16dfdd3512
SHA1

29885cd68b6b8acde1584bb4265ad85c2b2d4526
SHA256

9867c8d176e724a2ab10098ff19beccb5e006103a2a77e9a6a74c38422960b24
SHA512

87ea2ee4abbba1e41eebd4ec63afc639dfe81faeab2c246d1a911fa7cfa68b79fd70c7c7aedd2767db8d8e62345f51015cb6eb111ccea2d64ac24bca7fcfd616
SSDEEP

49152:2leBez5K/OO0i+Mg4Om3RcOYPhKYuJAJFtgCCw5H:JUK/wgR+KAFtCAH

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral3/memory/1488-55-0x0000000000400000-0x0000000000965000-memory.dmp	vmprotect
behavioral3/memory/1488-57-0x0000000000400000-0x0000000000965000-memory.dmp	vmprotect
behavioral3/memory/1488-58-0x0000000000400000-0x0000000000965000-memory.dmp	vmprotect
behavioral3/memory/1488-59-0x0000000000400000-0x0000000000965000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BB9556E1-6C1C-11ED-8C25-6AB3F8C7EA51} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f25012c552b8b84fb7e2aa6d46a8c4e000000000020000000000106600000001000020000000d4d1f22cd29eb529b4e536b5b93dc86b7abe73e3afeb12bfbbab65e605e25b14000000000e8000000002000020000000685cdfcc12cfec4c32cbd71ab7c8d4f34ae8d81a61c49eb07e282d096a9ee251200000002a108f968879a13c3555bdabdc45e13b1b61d48d457d67a82272417e7ec0317a40000000635ea0e73080585234211e8a836664aa77e1f056920394098d8f2062113f40040354f507f77b0039a459bcbb457318ce03aa076669f94960aa03129311bbeb12	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d02b902900d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376075597"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\pan.baidu.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\pan.baidu.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f25012c552b8b84fb7e2aa6d46a8c4e000000000020000000000106600000001000020000000eb55b7d746d135f9530e086a6e0c7444f1b674230db6557cfec34ff3c8e4633c000000000e80000000020000200000005e044e72ea1ee1164acc9d8f62b9b087769bfd17080102f8f38418ca02cfedac90000000dd67eb454a52919bea4f8546bc54d46eacbce4fa5249943c26779ec02a48ad070ae4d09b7357da697743d061b836fb4c8a861cc4d871af1bffc8de214e30d11d286d7026eb567eb73f406525baa8b289c9bee15179f31d737f77147fe4b236a9ce6167d02413c73b368af4ed45505dc26748af6d0c1d3b474b95691522c5253949e06238047a9f11a42ee4d72408e11140000000eb8d589f7d5b8c2cf9292f2e46380b8d37636386b59fed78e5cdcfedcb1e290b7c749c8bfcee4be8563ecde4f85cabaed425a80415aca3fb7088694091978c65	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com\Total = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

記憶-14.10.1.1.exe

pid process

1488 記憶-14.10.1.1.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

768 iexplore.exe

pid	process
768	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

記憶-14.10.1.1.exeiexplore.exeIEXPLORE.EXE

pid	process
1488	記憶-14.10.1.1.exe
1488	記憶-14.10.1.1.exe
1488	記憶-14.10.1.1.exe
1488	記憶-14.10.1.1.exe
768	iexplore.exe
768	iexplore.exe
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

記憶-14.10.1.1.exeiexplore.exe

description	pid	process	target process
PID 1488 wrote to memory of 768	1488	記憶-14.10.1.1.exe	iexplore.exe
PID 1488 wrote to memory of 768	1488	記憶-14.10.1.1.exe	iexplore.exe
PID 1488 wrote to memory of 768	1488	記憶-14.10.1.1.exe	iexplore.exe
PID 1488 wrote to memory of 768	1488	記憶-14.10.1.1.exe	iexplore.exe
PID 768 wrote to memory of 1128	768	iexplore.exe	IEXPLORE.EXE
PID 768 wrote to memory of 1128	768	iexplore.exe	IEXPLORE.EXE
PID 768 wrote to memory of 1128	768	iexplore.exe	IEXPLORE.EXE
PID 768 wrote to memory of 1128	768	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\記憶-14.10.1.1\記憶-14.10.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\記憶-14.10.1.1\記憶-14.10.1.1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://pan.baidu.com/share/home?uk=406623129
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:768 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
2c16fba44c22a1a1ffc00ce52e4dc986

SHA1
7bc1c64ce82077953b472dfcc3a8879f39de1379

SHA256
0cb76a066dd8c44a843e9b361136334c418ed7ed4af97e83600fd3d1aed38020

SHA512
c72d51ba49d36c5333234d3658aba0bf54f159f31a2b43456ca41f56d9ed57ad5a2b083c55812fe0c292bbb0c8c5c8de6684cd63de2b539549b9e12bd09034d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat
Filesize
8KB

MD5
4108d9c89ed8d8a0ee3296b527d434af

SHA1
03aaaf44c9ede094e1032fdbba2e6c5bacf53415

SHA256
5147e49301d36ccd2939a6641d78410baf5b77bcbf9fd06d6677516705429858

SHA512
3b3ed2ab501261aab0f15f99cf317bafe499f1f1efc41e4b46e19b80e7cec4124d28b751b933aa1d92d360a87f90c0c26f7373d5464a7b4b9bb9ac728f32e7b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LY7O9UJW.txt
Filesize
606B

MD5
fb3dd53a2cdc8de3cd0a60f6fdc0f9e6

SHA1
6e111cc1140f7a98d5be5655c99114bf24cb001d

SHA256
50016297274d6ba62d562a5acd1d7ec88127402555ab1e4892fd95de05c55ffa

SHA512
e19b1b9932c495eb4d9c0813a7dcebfb612ecb38de068e7d7fb26fd27782cbf3e965e4605d31df1c389ccb177cd0d106b1abab76aef9f9a11b162da9a9f959a3

Download Submit
memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1488-57-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1488-58-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1488-59-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads