596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874

General

Target

596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe
Size

1.2MB
MD5

02c0b8b0987037a1a69a60ab28f448aa
SHA1

6cdfd4eaec28c5ab2c8f42e7daf1289aeaa461cf
SHA256

596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874
SHA512

28877adaabe32465cb567e9c31d2cc25ed06d7854761c522abba1d0ce48453c896b4a311a7f9a8f6c420dbbc986f71d64e5330e806570883f014caaf05c9dd1d
SSDEEP

24576:uZeZdWCFhod4oBOLA0IhJdEbYVVnmV+nOJ84wSBTsBbylk+k8ir:uZeZd7FGqoBOLATabYG+u87lWk+Qr

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exedl.exe

pid process

3956 ¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
4388 dl.exe

pid	process
3956	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
4388	dl.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe	vmprotect
behavioral2/memory/3956-142-0x0000000000600000-0x0000000000869000-memory.dmp	vmprotect
behavioral2/memory/3956-144-0x0000000000600000-0x0000000000869000-memory.dmp	vmprotect
behavioral2/memory/3956-145-0x0000000000600000-0x0000000000869000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

dl.exe¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe

pid	process
4388	dl.exe
4388	dl.exe
4388	dl.exe
3956	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
3956	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
3956	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
3956	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
3956	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe

description	pid	process	target process
PID 4788 wrote to memory of 3956	4788	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
PID 4788 wrote to memory of 3956	4788	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
PID 4788 wrote to memory of 3956	4788	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
PID 4788 wrote to memory of 4388	4788	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	dl.exe
PID 4788 wrote to memory of 4388	4788	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	dl.exe
PID 4788 wrote to memory of 4388	4788	596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe	dl.exe

C:\Users\Admin\AppData\Local\Temp\596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe
"C:\Users\Admin\AppData\Local\Temp\596ab1a1f7d50a65aa7f608a9305e419f4cf8115f8b50559900512ba18d9d874.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4788

C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
"C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Users\Admin\AppData\Local\Temp\dl.exe
"C:\Users\Admin\AppData\Local\Temp\dl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dl.exe
Filesize
32KB

MD5
aced796f88cbc02297c0b71d53ba37a7

SHA1
42a3782fc6d2ef30747e040f794894c75e799bb3

SHA256
7dcbb23d270585bf15d5c8200867233f37cdfa146b82f1ff33d65290ffed1aaa

SHA512
2b2a6aa9b274ccf51ce9d6caab9c34e60248aa3bf660b42e1a190b4f25c0b54d690e88a972b8905a826237e0826b72b59817457e2499424ab5ad2568a4a44e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\dl.exe
Filesize
32KB

MD5
aced796f88cbc02297c0b71d53ba37a7

SHA1
42a3782fc6d2ef30747e040f794894c75e799bb3

SHA256
7dcbb23d270585bf15d5c8200867233f37cdfa146b82f1ff33d65290ffed1aaa

SHA512
2b2a6aa9b274ccf51ce9d6caab9c34e60248aa3bf660b42e1a190b4f25c0b54d690e88a972b8905a826237e0826b72b59817457e2499424ab5ad2568a4a44e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
Filesize
1.1MB

MD5
cf18513664273db59cfe9c4d6f943dcb

SHA1
12ff7e7b70e58d527276b75270607e6336f0bfce

SHA256
f596a7546de74c3268373c1c14f1fca061f84a24ccb1306d5ddbca9239ba0991

SHA512
b70c137009ec5d89016c4ee30c5aef76a3c542e80bd30b1ba14690ccdd54fd6c9109ce8bbf531ee9aef0be19d66c05231c67b73f5e7cda817abc086174af6e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\¡ºìÅÎè²Êºç¡»ÕýÊ½·þ9.15°æ.exe
Filesize
1.1MB

MD5
cf18513664273db59cfe9c4d6f943dcb

SHA1
12ff7e7b70e58d527276b75270607e6336f0bfce

SHA256
f596a7546de74c3268373c1c14f1fca061f84a24ccb1306d5ddbca9239ba0991

SHA512
b70c137009ec5d89016c4ee30c5aef76a3c542e80bd30b1ba14690ccdd54fd6c9109ce8bbf531ee9aef0be19d66c05231c67b73f5e7cda817abc086174af6e7f

Download Submit
memory/3956-132-0x0000000000000000-mapping.dmp

Download
memory/3956-142-0x0000000000600000-0x0000000000869000-memory.dmp

Filesize
2.4MB

Download
memory/3956-144-0x0000000000600000-0x0000000000869000-memory.dmp

Filesize
2.4MB

Download
memory/3956-145-0x0000000000600000-0x0000000000869000-memory.dmp

Filesize
2.4MB

Download
memory/4388-136-0x0000000000000000-mapping.dmp

Download
memory/4788-139-0x0000000000400000-0x000000000053BB1A-memory.dmp

Filesize
1.2MB

Download
memory/4788-133-0x0000000000400000-0x000000000053BB1A-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads