fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b

General

Target

fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe
Size

2.5MB
MD5

4f8b214af696b026f6dc96e47c918c92
SHA1

b18abb5a9807c7d22551865a9269a09a54603e95
SHA256

fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b
SHA512

8d82e40c9e09bf581c67a5decb266ce9097c489291f2fa5bd67f8e6ebbca14d316d40a489e2d6fa73fe61d0061a8c43823eaf526a84cee1ee22497adf790bc75
SSDEEP

49152:1LqxxvMksXV1Jyi1/ACCMvr+B3Lg8izRI8IF35TC:1LeQF1JLM4Sq88BIFJT

Score

8^/10

aspackv2 vmprotect

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0007000000022f6b-133.dat	aspack_v212_v242
behavioral2/files/0x0007000000022f6b-134.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
3216	dnfmm1.16vip.exe
3580	360Setup.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000022f6b-133.dat	vmprotect
behavioral2/files/0x0007000000022f6b-134.dat	vmprotect
behavioral2/memory/3216-139-0x0000000000400000-0x000000000071E000-memory.dmp	vmprotect
behavioral2/memory/3216-140-0x0000000000400000-0x000000000071E000-memory.dmp	vmprotect
behavioral2/memory/3216-141-0x0000000000400000-0x000000000071E000-memory.dmp	vmprotect
behavioral2/memory/3216-142-0x0000000000400000-0x000000000071E000-memory.dmp	vmprotect

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcp70.dll	dnfmm1.16vip.exe
File created	C:\Windows\SysWOW64\mfc70.dll	dnfmm1.16vip.exe
File created	C:\Windows\SysWOW64\msvcr70.dll	dnfmm1.16vip.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3216	dnfmm1.16vip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4604	3216	WerFault.exe	79

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	dnfmm1.16vip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	dnfmm1.16vip.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync	dnfmm1.16vip.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	dnfmm1.16vip.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3444	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe
3216	dnfmm1.16vip.exe
3216	dnfmm1.16vip.exe
3216	dnfmm1.16vip.exe
3216	dnfmm1.16vip.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3216	3444	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	79
PID 3444 wrote to memory of 3216	3444	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	79
PID 3444 wrote to memory of 3216	3444	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	79
PID 3444 wrote to memory of 3580	3444	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	80
PID 3444 wrote to memory of 3580	3444	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	80
PID 3444 wrote to memory of 3580	3444	fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe	80

C:\Users\Admin\AppData\Local\Temp\fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe
"C:\Users\Admin\AppData\Local\Temp\fa52fe886d6559d4419febc519a386dcf640bd5c4af2978ad298e8718655c34b.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\dnfmm1.16vip.exe
  "C:\Users\Admin\AppData\Local\Temp\dnfmm1.16vip.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 520
    3⤵
    - Program crash
    PID:4604
- C:\Users\Admin\AppData\Local\Temp\360Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\360Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3216 -ip 3216
1⤵
PID:4148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\360Setup.exe

Filesize
591KB

MD5
a5ff092a23490953f75de3f2acac0920

SHA1
d64d886442abbb82b44cc82be4b656d0305ff7cb

SHA256
a75a52faa66566e955ec1cd9b6aa8060eda4a676b85ab52021ebb245872937a2

SHA512
3359571bd09fd1103e7c84153783763d026c9deee7bf659063b6fc39de8f03af481e0cdb86352a5c0665511c32814e1a0d4f682e5d01d6f6cf266dcad9c38d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\360Setup.exe

Filesize
591KB

MD5
a5ff092a23490953f75de3f2acac0920

SHA1
d64d886442abbb82b44cc82be4b656d0305ff7cb

SHA256
a75a52faa66566e955ec1cd9b6aa8060eda4a676b85ab52021ebb245872937a2

SHA512
3359571bd09fd1103e7c84153783763d026c9deee7bf659063b6fc39de8f03af481e0cdb86352a5c0665511c32814e1a0d4f682e5d01d6f6cf266dcad9c38d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfmm1.16vip.exe

Filesize
1.9MB

MD5
82dbd60cc617b2562deb0d3eef1d53c7

SHA1
95c18514d3ec9bad1eed4a9c238135c8a084a573

SHA256
e0d05a910f15b8ea2c70eeb60e18760c6eb213a7762c3cfa57b527058a44b05c

SHA512
d249894b9742ad9b22755bcb2244e94bdaf9d992d4da8123ed6da12b12edfa227404385560075b47c8dbf9c7cc1ec1bac18e1a2125b4c16a8324eb0c80d1636e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnfmm1.16vip.exe

Filesize
1.9MB

MD5
82dbd60cc617b2562deb0d3eef1d53c7

SHA1
95c18514d3ec9bad1eed4a9c238135c8a084a573

SHA256
e0d05a910f15b8ea2c70eeb60e18760c6eb213a7762c3cfa57b527058a44b05c

SHA512
d249894b9742ad9b22755bcb2244e94bdaf9d992d4da8123ed6da12b12edfa227404385560075b47c8dbf9c7cc1ec1bac18e1a2125b4c16a8324eb0c80d1636e

Download Submit
memory/3216-139-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/3216-140-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/3216-141-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/3216-142-0x0000000000400000-0x000000000071E000-memory.dmp

Filesize
3.1MB

Download
memory/3580-138-0x0000000000400000-0x00000000004A9200-memory.dmp

Filesize
676KB

Download

Analysis

Sharing