596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874

General

Target

596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe
Size

1.2MB
MD5

02c0b8b0987037a1a69a60ab28f448aa
SHA1

6cdfd4eaec28c5ab2c8f42e7daf1289aeaa461cf
SHA256

596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874
SHA512

28877adaabe32465cb567e9c31d2cc25ed06d7854761c522abba1d0ce48453c896b4a311a7f9a8f6c420dbbc986f71d64e5330e806570883f014caaf05c9dd1d
SSDEEP

24576:uZeZdWCFhod4oBOLA0IhJdEbYVVnmV+nOJ84wSBTsBbylk+k8ir:uZeZd7FGqoBOLATabYG+u87lWk+Qr

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exedl.exe

pid process

944 ¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
1784 dl.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe	vmprotect
behavioral1/memory/944-66-0x0000000001110000-0x0000000001379000-memory.dmp	vmprotect
behavioral1/memory/944-67-0x0000000001110000-0x0000000001379000-memory.dmp	vmprotect
behavioral1/memory/944-74-0x0000000001110000-0x0000000001379000-memory.dmp	vmprotect

Loads dropped DLL 3 IoCs

Processes:

596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe

pid	process
900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe
900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe
900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

dl.exe¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	dl.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exedl.exe

pid	process
944	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
1784	dl.exe
944	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
944	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
944	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
944	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
1784	dl.exe
1784	dl.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe

description	pid	process	target process
PID 900 wrote to memory of 944	900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
PID 900 wrote to memory of 944	900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
PID 900 wrote to memory of 944	900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
PID 900 wrote to memory of 944	900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
PID 900 wrote to memory of 1784	900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	dl.exe
PID 900 wrote to memory of 1784	900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	dl.exe
PID 900 wrote to memory of 1784	900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	dl.exe
PID 900 wrote to memory of 1784	900	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	dl.exe

C:\Users\Admin\AppData\Local\Temp\596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe
"C:\Users\Admin\AppData\Local\Temp\596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
"C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:944

C:\Users\Admin\AppData\Local\Temp\dl.exe
"C:\Users\Admin\AppData\Local\Temp\dl.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dl.exe
Filesize
32KB

MD5
aced796f88cbc02297c0b71d53ba37a7

SHA1
42a3782fc6d2ef30747e040f794894c75e799bb3

SHA256
7dcbb23d270585bf15d5c8200867233f37cdfa146b82f1ff33d65290ffed1aaa

SHA512
2b2a6aa9b274ccf51ce9d6caab9c34e60248aa3bf660b42e1a190b4f25c0b54d690e88a972b8905a826237e0826b72b59817457e2499424ab5ad2568a4a44e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\dl.exe
Filesize
32KB

MD5
aced796f88cbc02297c0b71d53ba37a7

SHA1
42a3782fc6d2ef30747e040f794894c75e799bb3

SHA256
7dcbb23d270585bf15d5c8200867233f37cdfa146b82f1ff33d65290ffed1aaa

SHA512
2b2a6aa9b274ccf51ce9d6caab9c34e60248aa3bf660b42e1a190b4f25c0b54d690e88a972b8905a826237e0826b72b59817457e2499424ab5ad2568a4a44e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
Filesize
1.1MB

MD5
cf18513664273db59cfe9c4d6f943dcb

SHA1
12ff7e7b70e58d527276b75270607e6336f0bfce

SHA256
f596a7546de74c3268373c1c14f1fca061f84a24ccb1306d5ddbca9239ba0991

SHA512
b70c137009ec5d89016c4ee30c5aef76a3c542e80bd30b1ba14690ccdd54fd6c9109ce8bbf531ee9aef0be19d66c05231c67b73f5e7cda817abc086174af6e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
Filesize
1.1MB

MD5
cf18513664273db59cfe9c4d6f943dcb

SHA1
12ff7e7b70e58d527276b75270607e6336f0bfce

SHA256
f596a7546de74c3268373c1c14f1fca061f84a24ccb1306d5ddbca9239ba0991

SHA512
b70c137009ec5d89016c4ee30c5aef76a3c542e80bd30b1ba14690ccdd54fd6c9109ce8bbf531ee9aef0be19d66c05231c67b73f5e7cda817abc086174af6e7f

Download Submit
\Users\Admin\AppData\Local\Temp\dl.exe
Filesize
32KB

MD5
aced796f88cbc02297c0b71d53ba37a7

SHA1
42a3782fc6d2ef30747e040f794894c75e799bb3

SHA256
7dcbb23d270585bf15d5c8200867233f37cdfa146b82f1ff33d65290ffed1aaa

SHA512
2b2a6aa9b274ccf51ce9d6caab9c34e60248aa3bf660b42e1a190b4f25c0b54d690e88a972b8905a826237e0826b72b59817457e2499424ab5ad2568a4a44e08

Download Submit
\Users\Admin\AppData\Local\Temp\dl.exe
Filesize
32KB

MD5
aced796f88cbc02297c0b71d53ba37a7

SHA1
42a3782fc6d2ef30747e040f794894c75e799bb3

SHA256
7dcbb23d270585bf15d5c8200867233f37cdfa146b82f1ff33d65290ffed1aaa

SHA512
2b2a6aa9b274ccf51ce9d6caab9c34e60248aa3bf660b42e1a190b4f25c0b54d690e88a972b8905a826237e0826b72b59817457e2499424ab5ad2568a4a44e08

Download Submit
\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
Filesize
1.1MB

MD5
cf18513664273db59cfe9c4d6f943dcb

SHA1
12ff7e7b70e58d527276b75270607e6336f0bfce

SHA256
f596a7546de74c3268373c1c14f1fca061f84a24ccb1306d5ddbca9239ba0991

SHA512
b70c137009ec5d89016c4ee30c5aef76a3c542e80bd30b1ba14690ccdd54fd6c9109ce8bbf531ee9aef0be19d66c05231c67b73f5e7cda817abc086174af6e7f

Download Submit
memory/900-63-0x0000000000400000-0x000000000053BB1A-memory.dmp

Filesize
1.2MB

Download
memory/900-73-0x0000000002880000-0x0000000002AE9000-memory.dmp

Filesize
2.4MB

Download
memory/900-65-0x0000000002880000-0x0000000002AE9000-memory.dmp

Filesize
2.4MB

Download
memory/900-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/944-66-0x0000000001110000-0x0000000001379000-memory.dmp

Filesize
2.4MB

Download
memory/944-67-0x0000000001110000-0x0000000001379000-memory.dmp

Filesize
2.4MB

Download
memory/944-74-0x0000000001110000-0x0000000001379000-memory.dmp

Filesize
2.4MB

Download
memory/944-56-0x0000000000000000-mapping.dmp

Download
memory/1784-62-0x0000000000000000-mapping.dmp

Download
memory/1784-72-0x00000000034E1000-0x000000000438D000-memory.dmp

Filesize
14.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads