Overview

overview

8

Static

static

c9b96a0aba...f4.exe

windows7-x64

8

c9b96a0aba...f4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    158s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe

  • Size

    869KB

  • MD5

    e511698aef8e71f65e7e00aec8fe095d

  • SHA1

    fd623cbdb0d0322b9e336eebe23b5aca739f3afa

  • SHA256

    c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4

  • SHA512

    9c4f021a499ab3a3eb41e9108d2af549900ee3b58d12f96229b9d9f830081c876c39dcc924863cec8a318df73a36f2dd40736c916ff38bf3c0a72e94d35944cc

  • SSDEEP

    24576:W9wKYexO07Ulw9CrWoYAD3EGVRdpdpS1XhMLL34N+:hXeT79CWxA5PdhSZhM/9

Score
8/10
vmprotect

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe
    "C:\Users\Admin\AppData\Local\Temp\c9b96a0abab02fe0a0f6d14d6e08d0e5081de38ac25d96951f575876fc34b0f4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\PRo\9.9.exe
      "C:\PRo\9.9.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:804
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
      PID:4704
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4880 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4800

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PRo\9.9.exe
      Filesize

      508KB

      MD5

      475ea9609310a0a6dc7ab026b970b6de

      SHA1

      742efb06d0839318da0f8c1f64af9939314b9d5f

      SHA256

      9cce45f43d5de3b02762f9366e6102b18a12e2b442d6b845f120ecdd599eb3f1

      SHA512

      2757130cb8286179111fd8807aca9ef9670b84a97350962ed67d647959844c85c263e7fc203a48d90be224227557838ecb04115a986b6b887d95bfef42bef2e3

      Download Submit

    • C:\PRo\9.9.exe
      Filesize

      508KB

      MD5

      475ea9609310a0a6dc7ab026b970b6de

      SHA1

      742efb06d0839318da0f8c1f64af9939314b9d5f

      SHA256

      9cce45f43d5de3b02762f9366e6102b18a12e2b442d6b845f120ecdd599eb3f1

      SHA512

      2757130cb8286179111fd8807aca9ef9670b84a97350962ed67d647959844c85c263e7fc203a48d90be224227557838ecb04115a986b6b887d95bfef42bef2e3

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      1KB

      MD5

      84464274ad0baf0f6368c19d5377319b

      SHA1

      2ce075479a0877f76e75712a0f2c6292eafed5e0

      SHA256

      cfcf1e1f5ac6761b8228ccbaf14fa5695361c5ebef8c30cf54564a3fdf6a4347

      SHA512

      7257fcc3960dc148e3f4c0010985dd8ec597e5a59f325adaf83cdaa591778d130461181d032496e49d26d8cc7b325bc345832ca27754a602f75cbcabe86f21ba

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      a42abb21be3940a88a73771b18ed0f35

      SHA1

      de12f2f619852ef135ee726614c43c2033ec5743

      SHA256

      edaf1fb1f6ca2a0caf5f4d85b3f13507bd5df4971fa9ea8a6e08c1227f1ec667

      SHA512

      c1f775deb2bcb2e0c48ed74dec1cd95f34690ca16d6465175d52d60ae45e746201cc608a58b6f8f080b7e6a7893993b61093c7d9ff63fa735ebaba61ddd0ebf7

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
      Filesize

      724B

      MD5

      f569e1d183b84e8078dc456192127536

      SHA1

      30c537463eed902925300dd07a87d820a713753f

      SHA256

      287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

      SHA512

      49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      410B

      MD5

      a05bef948e8dbbda0d6c0b7397cc8fa7

      SHA1

      be19f6ed330b86733fc648eb42ac0945d37186c1

      SHA256

      d7352b122dc825cc4e20d0c3b1204e436a6f8e1a23950c6bbe0b65829f790660

      SHA512

      91d870b9f7f9ba63a47cd7506eb4580e70b6759443f089c5ec26b628fb7d6ff8710a583690784508d56ca2c110bc356be5d49091352bfda0c3eb56d252ee9223

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      434B

      MD5

      a94f12bc8bb0c27400fd9b364f5a0ec2

      SHA1

      68f1ec138f474f2b7a8c8b939e1aaedbf0b25dc2

      SHA256

      15ea2e172af8e27fea2131454dd5fb43ac84a1084746753eceece0260a5c2a3a

      SHA512

      e91c576cd3bd2cf160104f1d79f205dae96f636423f0b13a0f5c2f74f3e6c9608506457dd1705f12885fc70b1cc27ccde7c912714033f5db65621b53e2d77119

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
      Filesize

      392B

      MD5

      e7de98dae23cc671000a67eab84a2796

      SHA1

      fc269b26f197306f0ecd1e283cdbfbf2be1faab5

      SHA256

      17caa47d097612290f5e0a5eb6e77e0d35012e70b8f8840a8251583ed2cef70c

      SHA512

      a7fb926af62d907d441b7b94c476c1bd580bc417e121844ab1cfe5c0568496e03456aa085116deae3a3a384eeb65a84b6e63093b5687107256784eeb1d62b115

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat
      Filesize

      1KB

      MD5

      7abe720bec7ec63c9da1b59906262a04

      SHA1

      bd7691428bd03d2217f9bff5861bebc23517e50c

      SHA256

      fcb7f85636eca2a43baa744e84be0cbce68cd29d7793ebe5a28b115ea6aff5f4

      SHA512

      fa65ad49e324e028818bd18aee5d6b339b73140ce8575f4e101089154fa022c84d093d766a55bd70ba56daf1e6a3e1a929b2575e4b03f5e7557c7329b9f7da3b

      Download Submit

    • memory/804-143-0x0000000000400000-0x0000000000513000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/804-132-0x0000000000000000-mapping.dmp

      Download

    • memory/804-138-0x0000000000400000-0x0000000000513000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/804-135-0x0000000000400000-0x0000000000513000-memory.dmp

      Filesize

      1.1MB

      Download