88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8

General

Target

88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe
Size

135KB
MD5

49da45d1390201b6f770864402de125c
SHA1

c1e6dffbd1c843a5183bd65726a02525ffbd4603
SHA256

88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8
SHA512

f91f8beeaa261d794a6deace9ada9b7781aba1d1ada5398156d30800b46bd9cff7df6753ff57f714cd9da55fe22864cc2852821865b9b98b5461b19e51756977
SSDEEP

3072:vsi/0hhfx3jeNvkMO+niR2Sh1bsKo8h8Bma/Ytd2Fs8NRMp:vsi/o9tjeNsM5niMSh1QKo8h8dA/2i8Q

Score

8^/10

persistence vmprotect

Malware Config

Signatures

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1288-57-0x0000000000400000-0x0000000000454000-memory.dmp	vmprotect
C:\DV9F7H\lL7xRr55.dll	vmprotect
\DV9F7H\lL7xRr55.dll	vmprotect
\DV9F7H\lL7xRr55.dll	vmprotect
\DV9F7H\lL7xRr55.dll	vmprotect
\DV9F7H\lL7xRr55.dll	vmprotect
behavioral1/memory/1524-81-0x0000000010000000-0x000000001004F000-memory.dmp	vmprotect
behavioral1/memory/1524-82-0x0000000010000000-0x000000001004F000-memory.dmp	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1560 cmd.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1524 rundll32.exe
1524 rundll32.exe
1524 rundll32.exe
1524 rundll32.exe

pid	process
1560	cmd.exe

pid	process
1524	rundll32.exe
1524	rundll32.exe
1524	rundll32.exe
1524	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lL7xRr55 = "rundll32.exe C:\\DV9F7H\\lL7xRr55.dll,gouqi_Go"	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syotom = "C:\\Windows\\SysWOW64\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1524 set thread context of 468 1524 rundll32.exe svchost.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main svchost.exe

description	pid	process	target process
PID 1524 set thread context of 468	1524	rundll32.exe	svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	svchost.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.naver.com"	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exerundll32.exe

description	pid	process	target process
PID 1288 wrote to memory of 1524	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	rundll32.exe
PID 1288 wrote to memory of 1524	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	rundll32.exe
PID 1288 wrote to memory of 1524	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	rundll32.exe
PID 1288 wrote to memory of 1524	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	rundll32.exe
PID 1288 wrote to memory of 1524	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	rundll32.exe
PID 1288 wrote to memory of 1524	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	rundll32.exe
PID 1288 wrote to memory of 1524	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	rundll32.exe
PID 1288 wrote to memory of 1560	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	cmd.exe
PID 1288 wrote to memory of 1560	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	cmd.exe
PID 1288 wrote to memory of 1560	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	cmd.exe
PID 1288 wrote to memory of 1560	1288	88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe	cmd.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe
PID 1524 wrote to memory of 468	1524	rundll32.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe
"C:\Users\Admin\AppData\Local\Temp\88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\DV9F7H\lL7xRr55.dll,gouqi_Go
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
3⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:468

C:\Windows\SysWOW64\cmd.exe
cmd /c del "C:\Users\Admin\AppData\Local\Temp\88644b6c7f4f9f5b8dd0b8df891b1dda8abe5c0230d1a3ad23142722a015c7c8.exe"
2⤵
- Deletes itself
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DV9F7H\lL7xRr55.dll
Filesize
100KB

MD5
ac4dec0f5b9c4adb99758e5c04f0a458

SHA1
b02e38da72496a51d0d466a6331fed35963f0f78

SHA256
0525e7d373d87d2009272afbfef1e98d8ef9119790fed204db5da521564b10a3

SHA512
3d0936c9cb5a8a514c009244a991c58a332f288364e11be10fd5bfabcc0d1efe68d99acde6bc3a9b8b205edbaaefbd5025d192105982bc0b85a9789ff5457fdd

Download Submit
\DV9F7H\lL7xRr55.dll
Filesize
100KB

MD5
ac4dec0f5b9c4adb99758e5c04f0a458

SHA1
b02e38da72496a51d0d466a6331fed35963f0f78

SHA256
0525e7d373d87d2009272afbfef1e98d8ef9119790fed204db5da521564b10a3

SHA512
3d0936c9cb5a8a514c009244a991c58a332f288364e11be10fd5bfabcc0d1efe68d99acde6bc3a9b8b205edbaaefbd5025d192105982bc0b85a9789ff5457fdd

Download Submit
\DV9F7H\lL7xRr55.dll
Filesize
100KB

MD5
ac4dec0f5b9c4adb99758e5c04f0a458

SHA1
b02e38da72496a51d0d466a6331fed35963f0f78

SHA256
0525e7d373d87d2009272afbfef1e98d8ef9119790fed204db5da521564b10a3

SHA512
3d0936c9cb5a8a514c009244a991c58a332f288364e11be10fd5bfabcc0d1efe68d99acde6bc3a9b8b205edbaaefbd5025d192105982bc0b85a9789ff5457fdd

Download Submit
\DV9F7H\lL7xRr55.dll
Filesize
100KB

MD5
ac4dec0f5b9c4adb99758e5c04f0a458

SHA1
b02e38da72496a51d0d466a6331fed35963f0f78

SHA256
0525e7d373d87d2009272afbfef1e98d8ef9119790fed204db5da521564b10a3

SHA512
3d0936c9cb5a8a514c009244a991c58a332f288364e11be10fd5bfabcc0d1efe68d99acde6bc3a9b8b205edbaaefbd5025d192105982bc0b85a9789ff5457fdd

Download Submit
\DV9F7H\lL7xRr55.dll
Filesize
100KB

MD5
ac4dec0f5b9c4adb99758e5c04f0a458

SHA1
b02e38da72496a51d0d466a6331fed35963f0f78

SHA256
0525e7d373d87d2009272afbfef1e98d8ef9119790fed204db5da521564b10a3

SHA512
3d0936c9cb5a8a514c009244a991c58a332f288364e11be10fd5bfabcc0d1efe68d99acde6bc3a9b8b205edbaaefbd5025d192105982bc0b85a9789ff5457fdd

Download Submit
memory/468-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/468-69-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/468-80-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/468-78-0x0000000000401000-mapping.dmp

Download
memory/468-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/468-74-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/468-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/468-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/468-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1288-57-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1524-54-0x0000000000000000-mapping.dmp

Download
memory/1524-56-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1524-81-0x0000000010000000-0x000000001004F000-memory.dmp

Filesize
316KB

Download
memory/1524-82-0x0000000010000000-0x000000001004F000-memory.dmp

Filesize
316KB

Download
memory/1560-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads