f988031e3278f097698eb15edc6e102b0fcc52e7cb7724956a08b3c707601f4a

General

Target

cfxindong.exe
Size

1.4MB
MD5

2db0597e0fbbf3aab93dea3ca76db883
SHA1

9b431e5d427176fe9bca82464322be3f3a723187
SHA256

b98932763d82836e2de77e3043b1687db27a17ea98fc1532818032d4ea9f2543
SHA512

7cc86eddb9be47dda8bc03197319ba686f46ff765b8bea2260ba308f720d7ccee73dd868b7ee92eb973f3a1a15986039659c09c572cae2cb6477ee01dbf223ca
SSDEEP

24576:YOhS6Gp4FvrTVAoByFq45oMWTSV0Oq20dGIIxocDIukNdl5ThASKYReX5kPTwHH:NndrTtMquojTSCOIOlCTyfX5kUHH

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2020-54-0x0000000000400000-0x000000000072E000-memory.dmp	vmprotect
behavioral1/memory/2020-56-0x0000000000400000-0x000000000072E000-memory.dmp	vmprotect
behavioral1/memory/2020-60-0x0000000000400000-0x000000000072E000-memory.dmp	vmprotect
behavioral1/memory/2020-61-0x0000000000400000-0x000000000072E000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.execfxindong.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e05ee4fe7efc07439f725fc88d3d390800000000020000000000106600000001000020000000f1e3967c37087931633e49a8077ed669eb2a476d3c73da4b3293b1444bf33321000000000e80000000020000200000006373844fc1a93ff82ed157bb43f2fcaee64c88b4090dc5ee1aea70d101a82e1f20000000c42aacac057e2e5ee967766c96c7a6fd7891c98e3822011e09afab99e8257bf9400000000138e6661b9e92e489730da7f966b77433fe9febb0307e5f977796d56e90d352e6da0d5713a6b2707f837bb2f8e31b4f3de7ba02257ec0bb78157a0ceac1a9e0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	cfxindong.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376389543"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	cfxindong.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e05ee4fe7efc07439f725fc88d3d3908000000000200000000001066000000010000200000001c8c4bdc5e2d0a96c9fcf85876ea759f80373b1038bf99a5715cc71974ca0e80000000000e800000000200002000000004ca14fb13dda54d95252117168c9598fcfd903194bb4764d9630d0b4141ff1f900000006b00bfd3708dbf4e6a930a1c36787b028e0eaffe4cd4e802c7496ea32842703fa36495b5b45cf92b25816d6b64fff9f97e8439587b676d06119497779e06b61f3fbd352ec3ace7a7e7e6fe55cd91ca742ca2f0ce8922deed108c799c795012c422ad329e8d431bf1764b201450b449cda2cf04212606c5ddfbb520981c08301c5ee7d8d61bd18dcc5006c7aadbcfd468400000000c41e3bfc59e09fe9d0f89798f0521e45f8c4b4018c654292b35bfce0e8eb883f8a14a22a5fa61f71a7e486d3d9fd972088d72901bf4a560f5f1badcd82c3520	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	cfxindong.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c039038a0403d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B21FCF41-6EF7-11ED-AF38-FE72C9E2D9C9} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cfxindong.exe

pid process

2020 cfxindong.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cfxindong.exe

description pid process

Token: SeDebugPrivilege 2020 cfxindong.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1868 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2020	cfxindong.exe

pid	process
1868	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

cfxindong.exeiexplore.exeIEXPLORE.EXE

pid	process
2020	cfxindong.exe
2020	cfxindong.exe
2020	cfxindong.exe
2020	cfxindong.exe
1868	iexplore.exe
1868	iexplore.exe
808	IEXPLORE.EXE
808	IEXPLORE.EXE
808	IEXPLORE.EXE
808	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cfxindong.exeiexplore.exe

description	pid	process	target process
PID 2020 wrote to memory of 1868	2020	cfxindong.exe	iexplore.exe
PID 2020 wrote to memory of 1868	2020	cfxindong.exe	iexplore.exe
PID 2020 wrote to memory of 1868	2020	cfxindong.exe	iexplore.exe
PID 2020 wrote to memory of 1868	2020	cfxindong.exe	iexplore.exe
PID 1868 wrote to memory of 808	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 808	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 808	1868	iexplore.exe	IEXPLORE.EXE
PID 1868 wrote to memory of 808	1868	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\cfxindong.exe
"C:\Users\Admin\AppData\Local\Temp\cfxindong.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.cfxindong.com/#network
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2O13BI7D.txt
Filesize
606B

MD5
e43537d67e42ed528eb98bca65745bc3

SHA1
9b2b64f6c526ea5a63986e2a31f83b78ae894795

SHA256
af720b184ae94ef335ed632ab2e425fe06a193d5d9e3beff99b45b0fd4353517

SHA512
f8b462a83580c3a7ba2dafc7ca9a08b3727013743f60be57a0a9c5af2531a3a25734e16f7eed4b374605ca71c27e9ab667e51b905036cec51ea24d1c1c697f38

Download Submit
memory/2020-54-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2020-55-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/2020-56-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2020-59-0x0000000000130000-0x000000000013C000-memory.dmp

Filesize
48KB

Download
memory/2020-60-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2020-61-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads