603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe

General

Target

603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe
Size

1.4MB
MD5

8e233c992156b95805392a881e197b2e
SHA1

71edc7b81583e8bc476d3843673849d84c0eeabd
SHA256

603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe
SHA512

81f69d3c998cea39df058f4ff23d84831c50fe33e7d996b6ae708cfe4c7e27851c31494ccbe80a1018e35ec44752976ea8bed5a292c7b8e69d8d717dc0d1b3d8
SSDEEP

24576:gGZ82zzYfFalQPNUPjHnP1ZBpQO7yThjVc48E21x3JiGtzV/0lT2iTqc/l0vW3jK:D83fFGQPNudZTzyNjVc4x21x3Jft6lPy

Score

8^/10

upx vmprotect

Malware Config

Signatures

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1880-58-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-61-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-60-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-63-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-62-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-64-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-66-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-68-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-70-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-72-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-74-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-76-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-78-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-80-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-82-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-84-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-86-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-88-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-90-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-92-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-94-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-96-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-98-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-100-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-102-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-104-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/1880-106-0x0000000010000000-0x000000001003D000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1880-55-0x0000000000400000-0x0000000000744000-memory.dmp	vmprotect
behavioral1/memory/1880-56-0x0000000000400000-0x0000000000744000-memory.dmp	vmprotect
behavioral1/memory/1880-105-0x0000000000400000-0x0000000000744000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe

pid process

1880 603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe

pid process

1880 603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe

pid process

1880 603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe

pid process

1880 603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe

pid	process
1880	603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe
1880	603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe
1880	603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe
1880	603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe
1880	603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe

C:\Users\Admin\AppData\Local\Temp\603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe
"C:\Users\Admin\AppData\Local\Temp\603f8c5b4ea6435f1d15a97382fd86580a0840b8999618e6320fd152b8870efe.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1880-55-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/1880-56-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/1880-58-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-61-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-60-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-63-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-62-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-64-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-66-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-68-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-70-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-72-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-74-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-76-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-78-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-80-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-82-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-84-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-86-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-88-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-90-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-92-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-94-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-96-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-98-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-100-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-102-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-104-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1880-105-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/1880-106-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads