fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b

General

Target

fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe
Size

2.5MB
MD5

4f8b214af696b026f6dc96e47c918c92
SHA1

b18abb5a9807c7d22551865a9269a09a54603e95
SHA256

fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b
SHA512

8d82e40c9e09bf581c67a5decb266ce9097c489291f2fa5bd67f8e6ebbca14d316d40a489e2d6fa73fe61d0061a8c43823eaf526a84cee1ee22497adf790bc75
SSDEEP

49152:1LqxxvMksXV1Jyi1/ACCMvr+B3Lg8izRI8IF35TC:1LeQF1JLM4Sq88BIFJT

Score

8^/10

aspackv2 vmprotect

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b0000000122ea-55.dat	aspack_v212_v242
behavioral1/files/0x000b0000000122ea-56.dat	aspack_v212_v242
behavioral1/files/0x000b0000000122ea-58.dat	aspack_v212_v242
behavioral1/files/0x000b0000000122ea-70.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
856	dnfmm1.16vip.exe
1040	360Setup.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000b0000000122ea-55.dat	vmprotect
behavioral1/files/0x000b0000000122ea-56.dat	vmprotect
behavioral1/files/0x000b0000000122ea-58.dat	vmprotect
behavioral1/memory/856-65-0x0000000000400000-0x000000000071E000-memory.dmp	vmprotect
behavioral1/memory/856-68-0x0000000000400000-0x000000000071E000-memory.dmp	vmprotect
behavioral1/memory/856-69-0x0000000000400000-0x000000000071E000-memory.dmp	vmprotect
behavioral1/files/0x000b0000000122ea-70.dat	vmprotect
behavioral1/memory/856-86-0x0000000000400000-0x000000000071E000-memory.dmp	vmprotect

Loads dropped DLL 3 IoCs

pid	Process
1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe
1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe
1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcr70.dll	dnfmm1.16vip.exe
File created	C:\Windows\SysWOW64\msvcp70.dll	dnfmm1.16vip.exe
File created	C:\Windows\SysWOW64\mfc70.dll	dnfmm1.16vip.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
856	dnfmm1.16vip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	dnfmm1.16vip.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	dnfmm1.16vip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	dnfmm1.16vip.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe
856	dnfmm1.16vip.exe
856	dnfmm1.16vip.exe
856	dnfmm1.16vip.exe
856	dnfmm1.16vip.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 856	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	28
PID 1628 wrote to memory of 856	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	28
PID 1628 wrote to memory of 856	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	28
PID 1628 wrote to memory of 856	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	28
PID 1628 wrote to memory of 1040	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	29
PID 1628 wrote to memory of 1040	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	29
PID 1628 wrote to memory of 1040	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	29
PID 1628 wrote to memory of 1040	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	29
PID 1628 wrote to memory of 1040	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	29
PID 1628 wrote to memory of 1040	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	29
PID 1628 wrote to memory of 1040	1628	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	29

C:\Users\Admin\AppData\Local\Temp\fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe
"C:\Users\Admin\AppData\Local\Temp\fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\dnfmm1.16vip.exe
  "C:\Users\Admin\AppData\Local\Temp\dnfmm1.16vip.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:856
- C:\Users\Admin\AppData\Local\Temp\360Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\360Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\360Setup.exe

Filesize
591KB

MD5
a5ff092a23490953f75de3f2acac0920

SHA1
d64d886442abbb82b44cc82be4b656d0305ff7cb

SHA256
a75a52faa66566e955ec1cd9b6aa8060eda4a676b85ab52021ebb245872937a2

SHA512
3359571bd09fd1103e7c84153783763d026c9deee7bf659063b6fc39de8f03af481e0cdb86352a5c0665511c32814e1a0d4f682e5d01d6f6cf266dcad9c38d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfmm1.16vip.exe

Filesize
1.9MB

MD5
82dbd60cc617b2562deb0d3eef1d53c7

SHA1
95c18514d3ec9bad1eed4a9c238135c8a084a573

SHA256
e0d05a910f15b8ea2c70eeb60e18760c6eb213a7762c3cfa57b527058a44b05c

SHA512
d249894b9742ad9b22755bcb2244e94bdaf9d992d4da8123ed6da12b12edfa227404385560075b47c8dbf9c7cc1ec1bac18e1a2125b4c16a8324eb0c80d1636e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfmm1.16vip.exe

Filesize
1.9MB

MD5
82dbd60cc617b2562deb0d3eef1d53c7

SHA1
95c18514d3ec9bad1eed4a9c238135c8a084a573

SHA256
e0d05a910f15b8ea2c70eeb60e18760c6eb213a7762c3cfa57b527058a44b05c

SHA512
d249894b9742ad9b22755bcb2244e94bdaf9d992d4da8123ed6da12b12edfa227404385560075b47c8dbf9c7cc1ec1bac18e1a2125b4c16a8324eb0c80d1636e

Download Submit
\Users\Admin\AppData\Local\Temp\360Setup.exe

Filesize
591KB

MD5
a5ff092a23490953f75de3f2acac0920

SHA1
d64d886442abbb82b44cc82be4b656d0305ff7cb

SHA256
a75a52faa66566e955ec1cd9b6aa8060eda4a676b85ab52021ebb245872937a2

SHA512
3359571bd09fd1103e7c84153783763d026c9deee7bf659063b6fc39de8f03af481e0cdb86352a5c0665511c32814e1a0d4f682e5d01d6f6cf266dcad9c38d97

Download Submit
\Users\Admin\AppData\Local\Temp\dnfmm1.16vip.exe

Filesize
1.9MB

MD5
82dbd60cc617b2562deb0d3eef1d53c7

SHA1
95c18514d3ec9bad1eed4a9c238135c8a084a573

SHA256
e0d05a910f15b8ea2c70eeb60e18760c6eb213a7762c3cfa57b527058a44b05c

SHA512
d249894b9742ad9b22755bcb2244e94bdaf9d992d4da8123ed6da12b12edfa227404385560075b47c8dbf9c7cc1ec1bac18e1a2125b4c16a8324eb0c80d1636e

Download Submit
\Users\Admin\AppData\Local\Temp\dnfmm1.16vip.exe

Filesize
1.9MB

MD5
82dbd60cc617b2562deb0d3eef1d53c7

SHA1
95c18514d3ec9bad1eed4a9c238135c8a084a573

SHA256
e0d05a910f15b8ea2c70eeb60e18760c6eb213a7762c3cfa57b527058a44b05c

SHA512
d249894b9742ad9b22755bcb2244e94bdaf9d992d4da8123ed6da12b12edfa227404385560075b47c8dbf9c7cc1ec1bac18e1a2125b4c16a8324eb0c80d1636e

Download Submit
memory/856-68-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/856-86-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/856-69-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/856-65-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/1040-67-0x0000000000400000-0x00000000004A9200-memory.dmp

Filesize
676KB

Download
memory/1628-66-0x0000000000430000-0x00000000004DA000-memory.dmp

Filesize
680KB

Download
memory/1628-61-0x0000000002300000-0x000000000261E000-memory.dmp

Filesize
3.1MB

Download
memory/1628-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1628-87-0x0000000002300000-0x000000000261E000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing