e3ed9ecec6769ab3d69b37f8b7f95e0ae67c02d8fb97ca041423023fd0fb4add

General

Target

3628c057a4cc96c7415df4dd6cb31b59.exe
Size

403KB
MD5

3628c057a4cc96c7415df4dd6cb31b59
SHA1

cca8659c2f66df451aaf300035d3c67f425fdaea
SHA256

e3ed9ecec6769ab3d69b37f8b7f95e0ae67c02d8fb97ca041423023fd0fb4add
SHA512

111fcf349d9ee22f2d77b48182964cb8c0615f0ab00d17addefc84a7caeb2569168b22b6dbebf12dcf503c8a9b7bec7ef4decc3d4fae7317448cb5f0f00b4b5f
SSDEEP

6144:lw0pDStj6LZ+HHHhnnKsqNySq73cvXOwDEvmQnUO6M0KyfIzopVWCp4QJeARuddo:l7Voj8vqzbvqKnc8se2kBPW

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1.exeexplorer.exe

pid process

5028 1.exe
556 explorer.exe

pid	process
5028	1.exe
556	explorer.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe	vmprotect
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe	vmprotect
behavioral2/memory/556-140-0x00007FF731BE0000-0x00007FF732475000-memory.dmp	vmprotect
behavioral2/memory/556-141-0x00007FF731BE0000-0x00007FF732475000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3628c057a4cc96c7415df4dd6cb31b59.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	3628c057a4cc96c7415df4dd6cb31b59.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer\\explorer.exe"	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

explorer.exe

pid process

556 explorer.exe
556 explorer.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3628c057a4cc96c7415df4dd6cb31b59.exe

description pid process

Token: SeDebugPrivilege 2196 3628c057a4cc96c7415df4dd6cb31b59.exe

pid	process
556	explorer.exe
556	explorer.exe

description	pid	process
Token: SeDebugPrivilege	2196	3628c057a4cc96c7415df4dd6cb31b59.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3628c057a4cc96c7415df4dd6cb31b59.exe1.execmd.exe

description	pid	process	target process
PID 2196 wrote to memory of 5028	2196	3628c057a4cc96c7415df4dd6cb31b59.exe	1.exe
PID 2196 wrote to memory of 5028	2196	3628c057a4cc96c7415df4dd6cb31b59.exe	1.exe
PID 2196 wrote to memory of 5028	2196	3628c057a4cc96c7415df4dd6cb31b59.exe	1.exe
PID 5028 wrote to memory of 2876	5028	1.exe	cmd.exe
PID 5028 wrote to memory of 2876	5028	1.exe	cmd.exe
PID 5028 wrote to memory of 2876	5028	1.exe	cmd.exe
PID 2876 wrote to memory of 556	2876	cmd.exe	explorer.exe
PID 2876 wrote to memory of 556	2876	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\3628c057a4cc96c7415df4dd6cb31b59.exe
"C:\Users\Admin\AppData\Local\Temp\3628c057a4cc96c7415df4dd6cb31b59.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\Temp\1.exe
"C:\Windows\Temp\1.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
Filesize
5.2MB

MD5
dee1568dc4d523e4aff5c7563b26887c

SHA1
565a8f3d02746fb203c5a7e2777211bf33cf656b

SHA256
f7cbf79fce9ca7d06745604a44c6b2541af476cdd8f5853bf1dbf23213eb3d2b

SHA512
0e593e23f5cfbf3bf0cc07373bb013911e9c2068cfad8e666c69173afbe29d06a0635dc32dfa6baca153db2e1de25772cccbc5f63d49d19bc4d18b93f7c97ab2

Download Submit
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
Filesize
5.2MB

MD5
dee1568dc4d523e4aff5c7563b26887c

SHA1
565a8f3d02746fb203c5a7e2777211bf33cf656b

SHA256
f7cbf79fce9ca7d06745604a44c6b2541af476cdd8f5853bf1dbf23213eb3d2b

SHA512
0e593e23f5cfbf3bf0cc07373bb013911e9c2068cfad8e666c69173afbe29d06a0635dc32dfa6baca153db2e1de25772cccbc5f63d49d19bc4d18b93f7c97ab2

Download Submit
C:\Windows\Temp\1.exe
Filesize
115KB

MD5
06eca982ae495dafc793309a7abb18fe

SHA1
a53e5c5579f6f2fc69e726567fca4299baeb18f7

SHA256
984b2b5f986a23a40b17f6336d44e194d9c55a5cee69c49a9d18c0c117421dff

SHA512
28bbd604e9f2ab3ac8fc2848a1b288a155c43f4d697d773c666341eca94897771f9d8cd3459e218028acacb23f5e1d0cf6a7392a8d98ac0e5e01019ce800683f

Download Submit
C:\Windows\Temp\1.exe
Filesize
115KB

MD5
06eca982ae495dafc793309a7abb18fe

SHA1
a53e5c5579f6f2fc69e726567fca4299baeb18f7

SHA256
984b2b5f986a23a40b17f6336d44e194d9c55a5cee69c49a9d18c0c117421dff

SHA512
28bbd604e9f2ab3ac8fc2848a1b288a155c43f4d697d773c666341eca94897771f9d8cd3459e218028acacb23f5e1d0cf6a7392a8d98ac0e5e01019ce800683f

Download Submit
memory/556-137-0x0000000000000000-mapping.dmp

Download
memory/556-140-0x00007FF731BE0000-0x00007FF732475000-memory.dmp

Filesize
8.6MB

Download
memory/556-141-0x00007FF731BE0000-0x00007FF732475000-memory.dmp

Filesize
8.6MB

Download
memory/2196-132-0x0000000000890000-0x00000000008FA000-memory.dmp

Filesize
424KB

Download
memory/2876-136-0x0000000000000000-mapping.dmp

Download
memory/5028-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads