963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63

General

Target

963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
Size

2.6MB
MD5

05d5981642e6cd89a646b1854be683e6
SHA1

0d987ced733fbf76a4623176c503802d2cfe3932
SHA256

963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63
SHA512

1c3250c03d1e88db47cc5fe07eab550dfb2598b89945f5e6754413f7a26b5949d996cd5ef4f616bb2c5a78e1c95f46eda1eec000e8ac40e16490281503baa7b5
SSDEEP

49152:9RQi1iyA3ePyFmITaqZ4juFqR0axwwed/TPY/7N/1Xx2Wp+:wF93cQmjA4aI0aSfOPXx

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

1.exe

pid process

1380 1.exe

pid	process
1380	1.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1816-55-0x0000000000400000-0x00000000008FE000-memory.dmp	vmprotect
behavioral1/memory/1816-60-0x0000000000400000-0x00000000008FE000-memory.dmp	vmprotect

Loads dropped DLL 1 IoCs

Processes:

963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe

pid process

1816 963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

1.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main 1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe1.exe

pid	process
1816	963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe
1380	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1320	AUDIODG.EXE
Token: 33	1320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1320	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

1.exe

pid process

1380 1.exe
1380 1.exe
1380 1.exe

pid	process
1380	1.exe
1380	1.exe
1380	1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe

description	pid	process	target process
PID 1816 wrote to memory of 1380	1816	963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe	1.exe
PID 1816 wrote to memory of 1380	1816	963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe	1.exe
PID 1816 wrote to memory of 1380	1816	963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe	1.exe
PID 1816 wrote to memory of 1380	1816	963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe
"C:\Users\Admin\AppData\Local\Temp\963453be32b03d84d70492a69a6a7d83d1245377627799a2e327b5105a9d8a63.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x560
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
1.7MB

MD5
726a11b7025866b24c2797b1b3355e1c

SHA1
b54c54a1f26feec9f3078584789f00b7c5f57ea0

SHA256
435e36cfe4b8bf8efeb70753db014a966ff42faeea48decb258ebf8afeb61a5a

SHA512
2196fbc857bbfe6b4522c475a4dc0405ed2883ab214abd4f1ad05e3b6c5042c2cc59baf0dd0eab9c655531614c3e25238d0e41eced640eea0e486113204e1b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
1.7MB

MD5
726a11b7025866b24c2797b1b3355e1c

SHA1
b54c54a1f26feec9f3078584789f00b7c5f57ea0

SHA256
435e36cfe4b8bf8efeb70753db014a966ff42faeea48decb258ebf8afeb61a5a

SHA512
2196fbc857bbfe6b4522c475a4dc0405ed2883ab214abd4f1ad05e3b6c5042c2cc59baf0dd0eab9c655531614c3e25238d0e41eced640eea0e486113204e1b85

Download Submit
\Users\Admin\AppData\Local\Temp\1.exe
Filesize
1.7MB

MD5
726a11b7025866b24c2797b1b3355e1c

SHA1
b54c54a1f26feec9f3078584789f00b7c5f57ea0

SHA256
435e36cfe4b8bf8efeb70753db014a966ff42faeea48decb258ebf8afeb61a5a

SHA512
2196fbc857bbfe6b4522c475a4dc0405ed2883ab214abd4f1ad05e3b6c5042c2cc59baf0dd0eab9c655531614c3e25238d0e41eced640eea0e486113204e1b85

Download Submit
memory/1380-57-0x0000000000000000-mapping.dmp

Download
memory/1816-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1816-55-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1816-60-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads