f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce

General

Target

f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe
Size

1.4MB
MD5

c736898bac2d31432a142ad9c002c51b
SHA1

afe50b0bb711b3342d6f095e7fc7ca060e196781
SHA256

f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce
SHA512

1f2d195e6ad967374185486c21d7df64d5801de7205de53db8742237e9ab29826901a5f323c938ca516f1eb04db4e9da14a80a09507ef6b2952b67422f50730a
SSDEEP

24576:Tbfgfplc+YEnwDvFwJ31vj3bmerKaMzD84Q8bkUHOIT7:TbfW7c9EnotwJ3xfmAKlbkls7

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1756-55-0x0000000000400000-0x000000000074E000-memory.dmp	vmprotect
behavioral1/memory/1756-57-0x0000000000400000-0x000000000074E000-memory.dmp	vmprotect
behavioral1/memory/1756-58-0x0000000000400000-0x000000000074E000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe

pid process

1756 f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ae16c549262d7243a2b0e38e0af03b9c000000000200000000001066000000010000200000009332a293c8d9a45d485201e1ba36de170397994e271b611df63c8f6e84091693000000000e8000000002000020000000a86f42e4cd517e08a6be9521ed9718981d5f54dda8fb5698a474be180f187408900000008084dea8a95e5d3fc41ca7bdda2b676a802555a2a675e8b53012f524851e4c12cab38c8da1fdb7dfbf9acd944ef2f60d92c0a9201967d64cde2ba4f3929fb0f2a0caddeddad124874b2d5b7cc115c791d9852ead5a7da0d1f254b0471568fb75c5cfdf41a76775842eaa507ea36bddbc8aae9effc120c1e8d9e88ed518cfebcc48b4f1f45aebf3d6180635f2491743954000000009889953a558aa258c0ac49e5ab7d2d082b9feba0dc65a39d16241a95bcae8f3fcc56a9a6d5a61b8088318c39ca16afa8484045afac9eaf6f6f4833cc3dc470d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376339626"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7879BA41-6E83-11ED-BF3D-D6AAFEFD221A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20aae1639002d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ae16c549262d7243a2b0e38e0af03b9c000000000200000000001066000000010000200000008b98da27915f2686f362d2df0c27b964501a3d7d3a97d74f8bd776c086e2d8a5000000000e8000000002000020000000ef3a6b2eb98cbd5a8d5ba02cfb40d057be427285e875a0efda62bae77b1dc403200000005d5022c8cd577588d882203f57b4ce3c975702855b6e44e22465b08ae67aba8a4000000077a834020e1914fe432ea123e83a08987a32c0d3d8a2ea3468bb9b9a92d8c708e17a37c9babe8da2d818206fcc79d3050c3b16388e677f49dc88c6e4fa04aef4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe

pid process

1756 f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1412 iexplore.exe

pid	process
1412	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exeiexplore.exeIEXPLORE.EXE

pid	process
1756	f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe
1756	f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe
1412	iexplore.exe
1412	iexplore.exe
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exeiexplore.exe

description	pid	process	target process
PID 1756 wrote to memory of 1412	1756	f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe	iexplore.exe
PID 1756 wrote to memory of 1412	1756	f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe	iexplore.exe
PID 1756 wrote to memory of 1412	1756	f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe	iexplore.exe
PID 1756 wrote to memory of 1412	1756	f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe	iexplore.exe
PID 1412 wrote to memory of 2036	1412	iexplore.exe	IEXPLORE.EXE
PID 1412 wrote to memory of 2036	1412	iexplore.exe	IEXPLORE.EXE
PID 1412 wrote to memory of 2036	1412	iexplore.exe	IEXPLORE.EXE
PID 1412 wrote to memory of 2036	1412	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe
"C:\Users\Admin\AppData\Local\Temp\f8f9557406ec264f63c0d8e02cf6c7a4f1771b5ac4e2ecb2d337b1407a4032ce.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://up.125.la/data/tools/UpDate.zip
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1412

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1412 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8P2QB5MN.txt
Filesize
608B

MD5
b23e87f1d51fdb1f3a320839e0b18acb

SHA1
fcbfe4eccec4ef0d5e0610451c35c8975713bd9f

SHA256
9cb71e90ed18232a148aa856efd02dfa8c783bca7a159ee2062f8ce069c785ae

SHA512
7ae9aa5c844f2989ac77f46cfa3277c03098470a8141ac9fc0e63cd897963e4b9f0cb34aabcb1f410220c016b9bc98abf324f700582983ed2f3f018460fdeddb

Download Submit
memory/1756-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1756-55-0x0000000000400000-0x000000000074E000-memory.dmp

Filesize
3.3MB

Download
memory/1756-57-0x0000000000400000-0x000000000074E000-memory.dmp

Filesize
3.3MB

Download
memory/1756-58-0x0000000000400000-0x000000000074E000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads