c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4

Analysis

max time kernel
152s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe
Size

869KB
MD5

e511698aef8e71f65e7e00aec8fe095d
SHA1

fd623cbdb0d0322b9e336eebe23b5aca739f3afa
SHA256

c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4
SHA512

9c4f021a499ab3a3eb41e9108d2af549900ee3b58d12f96229b9d9f830081c876c39dcc924863cec8a318df73a36f2dd40736c916ff38bf3c0a72e94d35944cc
SSDEEP

24576:W9wKYexO07Ulw9CrWoYAD3EGVRdpdpS1XhMLL34N+:hXeT79CWxA5PdhSZhM/9

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

9.9.exe

pid process

1928 9.9.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\PRo\9.9.exe	vmprotect
\PRo\9.9.exe	vmprotect
\PRo\9.9.exe	vmprotect
\PRo\9.9.exe	vmprotect
\PRo\9.9.exe	vmprotect
C:\PRo\9.9.exe	vmprotect
C:\PRo\9.9.exe	vmprotect
behavioral1/memory/1928-64-0x0000000000400000-0x0000000000513000-memory.dmp	vmprotect
behavioral1/memory/1928-69-0x0000000000400000-0x0000000000513000-memory.dmp	vmprotect
behavioral1/memory/1928-81-0x0000000000400000-0x0000000000513000-memory.dmp	vmprotect

Loads dropped DLL 5 IoCs

Processes:

c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe

pid	process
2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe
2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe
2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe
2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe
2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe9.9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ck.page	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\karinknoetze.ck.page\ = "8"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\neexulro.net	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ck.page\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\karinknoetze.ck.page\ = "40"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000893455b2e89e6a468fd5293229446eef000000000200000000001066000000010000200000006796e2dcf69ba2d4c029dbd2bc3a2531da6dc08cba5f86b9e13b89e96e78e47e000000000e800000000200002000000007f158f511da896aed94441d30dd66c0353b19c7ee44fb906ba4e82c41cb4c80900000000fe9073871ba0d381f6353576bba4f9d021abfc2726bec966f57c5915b861446bd577a3484c92679ccd37d74794ae25a0a954e283453ceeb5061f35236585efa32f9d68859732aae80b0f1b8c9202f3409ab0fbf6c6c3142c14ed041018d5093d921528f4ceafae401af0df72a4db82b67cb1ca0c411494760c1123dfb7cae1b8732f65db5a83c40b82ac21cbcee644b400000008bb4dd33b4d6864774f2420d571add0c591dcf9bfcb6121e11c0557350885d16f8de01a454dd2cb2c9ac1a05a56e03e547ad4669f45f9e4dbaf91659acc7cc27	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{616E3C21-6D7C-11ED-A34F-EA25B6F29539} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\karinknoetze.ck.page	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "40"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376226625"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ck.page\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ck.page\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\karinknoetze.ck.page\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000893455b2e89e6a468fd5293229446eef000000000200000000001066000000010000200000004742338c4855b7241ab0b61bbe58687fecf756fcbb99fe96696615ee7d0ee153000000000e800000000200002000000033f31b7a622b3e90341acf7b78e7e2c6a317db37df91d50f5c575c9df43796c1200000004737878586d67bb87b1a0c702d8c70c6e2d81ab1d251443c2f186aca09160ab840000000ae93a0c6b54ec31846a14f6d3e55d7f1176b52490d661a8d5ac01074c629e624386fc420cc7c93f072470811de6a7b9235b03252fb7bfc34fcbb247d07ec1a6a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	9.9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\ck.page\Total = "40"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c090a33c8901d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\neexulro.net\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

9.9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://trollface.biz"	9.9.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9.9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	9.9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	9.9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9.9.exe

pid	process
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe
1928	9.9.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

9.9.exe

description	pid	process
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe
Token: SeDebugPrivilege	1928	9.9.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1724 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

9.9.exeiexplore.exeIEXPLORE.EXE

pid process

1928 9.9.exe
1928 9.9.exe
1928 9.9.exe
1724 iexplore.exe
1724 iexplore.exe
1544 IEXPLORE.EXE
1544 IEXPLORE.EXE

pid	process
1724	iexplore.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exeiexplore.exe

description	pid	process	target process
PID 2036 wrote to memory of 1928	2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe	9.9.exe
PID 2036 wrote to memory of 1928	2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe	9.9.exe
PID 2036 wrote to memory of 1928	2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe	9.9.exe
PID 2036 wrote to memory of 1928	2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe	9.9.exe
PID 2036 wrote to memory of 1928	2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe	9.9.exe
PID 2036 wrote to memory of 1928	2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe	9.9.exe
PID 2036 wrote to memory of 1928	2036	c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe	9.9.exe
PID 1724 wrote to memory of 1544	1724	iexplore.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 1544	1724	iexplore.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 1544	1724	iexplore.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 1544	1724	iexplore.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 1544	1724	iexplore.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 1544	1724	iexplore.exe	IEXPLORE.EXE
PID 1724 wrote to memory of 1544	1724	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe
"C:\Users\Admin\AppData\Local\Temp\c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\PRo\9.9.exe
"C:\PRo\9.9.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PRo\9.9.exe

Filesize
508KB

MD5
475ea9609310a0a6dc7ab026b970b6de

SHA1
742efb06d0839318da0f8c1f64af9939314b9d5f

SHA256
9cce45f43d5de3b02762f9366e6102b18a12e2b442d6b845f120ecdd599eb3f1

SHA512
2757130cb8286179111fd8807aca9ef9670b84a97350962ed67d647959844c85c263e7fc203a48d90be224227557838ecb04115a986b6b887d95bfef42bef2e3

Download Submit
C:\PRo\9.9.exe

Filesize
508KB

MD5
475ea9609310a0a6dc7ab026b970b6de

SHA1
742efb06d0839318da0f8c1f64af9939314b9d5f

SHA256
9cce45f43d5de3b02762f9366e6102b18a12e2b442d6b845f120ecdd599eb3f1

SHA512
2757130cb8286179111fd8807aca9ef9670b84a97350962ed67d647959844c85c263e7fc203a48d90be224227557838ecb04115a986b6b887d95bfef42bef2e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
84464274ad0baf0f6368c19d5377319b

SHA1
2ce075479a0877f76e75712a0f2c6292eafed5e0

SHA256
cfcf1e1f5ac6761b8228ccbaf14fa5695361c5ebef8c30cf54564a3fdf6a4347

SHA512
7257fcc3960dc148e3f4c0010985dd8ec597e5a59f325adaf83cdaa591778d130461181d032496e49d26d8cc7b325bc345832ca27754a602f75cbcabe86f21ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d29656ad52cff6f690ef6c2ffa12ae3c

SHA1
f55ae61adf23304b6eab32f71a2c3fd54ddc4bc4

SHA256
fb50d091c8ea13b819503f758e4cd046400d8c75c5c5bcc75d8c0cc9bdc906fb

SHA512
f15a3a41adb5cc9e5c590e0301d3361c3a811e772370d297753131da3cacf50d5e19d552fd4dc99107c9b647008f7722e4230a8ab80b5e12399856936a8f0306

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
718463a6e096deab3899c6f2b67b91aa

SHA1
607470756c9cfff8a49fddd3d2b75f6366ed2740

SHA256
7bca965536b2e94eccd61a40f35741d395725a6d37ac4fe9e629f76ebe14d8e8

SHA512
fddda4e1790f04c4d7fea5134ec4b88b627ec1556116b2e8961a2aa1b44b321dd6e73c62d5593c561fe4bb7cc7004477f4ab983955778c2f82903f7ff508a954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f5c6e4c9ee89ba87f449f86cc557f5f

SHA1
99a4a38c6179a6591ee63450fae02e638a846525

SHA256
7edca543b0ca08ba288f7bc5325b4e24946850ee196fcf83f145b11c46fb257d

SHA512
5ebb936d0e37fa89bb0844ce00584dd2a45b27de3341916a56ac784290ed151fbf29ece4582e5f7d075f72f7975f4eb0805aebbe9e001210a45e45cfe54d5c4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
086f22e3b36f20c67e14e4ecb90bc363

SHA1
6483edf68c60620debf86ffbf4136a30a6883445

SHA256
16f1601d1b70d0c225801a35cf80b8600dcf5ff40a2a8c31773e6d8df274e48e

SHA512
18fb891c31e0ef96ff9f0cf759445ddb5a84b4b196cd7cb76e08d82ca018c832965e94941b34eac47dc74bd01a0355854e1365e9b4f7866cfc018061c1f2239c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
086f22e3b36f20c67e14e4ecb90bc363

SHA1
6483edf68c60620debf86ffbf4136a30a6883445

SHA256
16f1601d1b70d0c225801a35cf80b8600dcf5ff40a2a8c31773e6d8df274e48e

SHA512
18fb891c31e0ef96ff9f0cf759445ddb5a84b4b196cd7cb76e08d82ca018c832965e94941b34eac47dc74bd01a0355854e1365e9b4f7866cfc018061c1f2239c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93cb429f39f1545eea432f5068f258fb

SHA1
cca5ca3f07446672ed52f97657365d1a6d3dab25

SHA256
646f2ad280409ea446906cc2cc8e8add4438da3bc5a8736a2db8ea9223cf895f

SHA512
dedd941b0607b422cd1793ef9ed75e5e9667e0fa2185064bec13f54df853cf3e2e27ac5c1311ff2768615f770d4e23a32dae164fc76673c9c6656ddb4ea36506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
1408bbbf2c5be2f84321a1753f915d07

SHA1
b8709698768e3c0228ea5d4b0497cad591991276

SHA256
0f4d5ef080fb2583ee5dd04f9306ad3d74a1c126d1f92041bc35253a93e54ff1

SHA512
a03b1a8bfbfdf4cb97e5f1806c158b2828db16243acfacd72c4e86cefaaec7f2c313148ac1287fd56c5bacbcc59a951f929f4760489063e3e1165d5cd358049a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
5KB

MD5
d5c99ec1de83c7c215f486a0fc1a0913

SHA1
288f87c0b26a8a82ad4cacab053987d1d57413ba

SHA256
af8f64cfb58691e11158fc50f68a23c559afcefdec328b8a4ee51debf6994103

SHA512
cae1120fb0cf857d48f78a99f6264fefa58679adc786273f4737860fa6671ac3b35aaf969efc51d3228b12580abadd507adb9df38b8678179ac27cfe301153e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4DD87FY2.txt

Filesize
608B

MD5
e582914c12025f52661fda400f7d5e7a

SHA1
0941c2b0608b1ff005bde8789c5aa83a1100afc6

SHA256
b6eca1f8e1421e2e925789e671cbb011afd49599d8cd1175551bcd47df160870

SHA512
13668faafe2c6f5bbfc215673adbf241af1f73278517ca5ac9ce55a8f9b27b5dd4c617747d5bfab446dd032d27e4310ae0e7c86af6f023eddfe3c8ca79f4fa31

Download Submit
\PRo\9.9.exe

Filesize
508KB

MD5
475ea9609310a0a6dc7ab026b970b6de

SHA1
742efb06d0839318da0f8c1f64af9939314b9d5f

SHA256
9cce45f43d5de3b02762f9366e6102b18a12e2b442d6b845f120ecdd599eb3f1

SHA512
2757130cb8286179111fd8807aca9ef9670b84a97350962ed67d647959844c85c263e7fc203a48d90be224227557838ecb04115a986b6b887d95bfef42bef2e3

Download Submit
\PRo\9.9.exe

Filesize
508KB

MD5
475ea9609310a0a6dc7ab026b970b6de

SHA1
742efb06d0839318da0f8c1f64af9939314b9d5f

SHA256
9cce45f43d5de3b02762f9366e6102b18a12e2b442d6b845f120ecdd599eb3f1

SHA512
2757130cb8286179111fd8807aca9ef9670b84a97350962ed67d647959844c85c263e7fc203a48d90be224227557838ecb04115a986b6b887d95bfef42bef2e3

Download Submit
\PRo\9.9.exe

Filesize
508KB

MD5
475ea9609310a0a6dc7ab026b970b6de

SHA1
742efb06d0839318da0f8c1f64af9939314b9d5f

SHA256
9cce45f43d5de3b02762f9366e6102b18a12e2b442d6b845f120ecdd599eb3f1

SHA512
2757130cb8286179111fd8807aca9ef9670b84a97350962ed67d647959844c85c263e7fc203a48d90be224227557838ecb04115a986b6b887d95bfef42bef2e3

Download Submit
\PRo\9.9.exe

Filesize
508KB

MD5
475ea9609310a0a6dc7ab026b970b6de

SHA1
742efb06d0839318da0f8c1f64af9939314b9d5f

SHA256
9cce45f43d5de3b02762f9366e6102b18a12e2b442d6b845f120ecdd599eb3f1

SHA512
2757130cb8286179111fd8807aca9ef9670b84a97350962ed67d647959844c85c263e7fc203a48d90be224227557838ecb04115a986b6b887d95bfef42bef2e3

Download Submit
\PRo\9.9.exe

Filesize
508KB

MD5
475ea9609310a0a6dc7ab026b970b6de

SHA1
742efb06d0839318da0f8c1f64af9939314b9d5f

SHA256
9cce45f43d5de3b02762f9366e6102b18a12e2b442d6b845f120ecdd599eb3f1

SHA512
2757130cb8286179111fd8807aca9ef9670b84a97350962ed67d647959844c85c263e7fc203a48d90be224227557838ecb04115a986b6b887d95bfef42bef2e3

Download Submit
memory/1928-60-0x0000000000000000-mapping.dmp

Download
memory/1928-70-0x0000000004811000-0x00000000056BD000-memory.dmp

Filesize
14.7MB

Download
memory/1928-69-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1928-81-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1928-64-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2036-68-0x00000000030F0000-0x0000000003203000-memory.dmp

Filesize
1.1MB

Download
memory/2036-67-0x0000000002FB0000-0x00000000030C3000-memory.dmp

Filesize
1.1MB

Download
memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download