4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758

General

Target

4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Size

5.0MB
MD5

f74bd5f56433110b95565e56f07afd8e
SHA1

5d44f174c65a052f7479aa3726def72a44145288
SHA256

4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758
SHA512

715507e2ae43f1e6dc3f6410184b62915504b4f0465fcca22911db928f7fd4ae7629cc59b0e1e72abb6b3cbb69a19a5095e43190f4c2ddb6a51db1fa840e0662
SSDEEP

98304:0g1glG4ajy2toG3AMzo3kDS0TDPQqKiuW3Am1HF3F/DudvwUuI+Qz8aY4v:084H0CBigCD2vwHIX8aY4v

Score

7^/10

vmprotect

Malware Config

Signatures

Loads dropped DLL 3 IoCs

Processes:

4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

pid	process
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/920-54-0x0000000000400000-0x000000000086A000-memory.dmp	vmprotect
behavioral1/memory/920-84-0x0000000000400000-0x000000000086A000-memory.dmp	vmprotect
behavioral1/memory/920-155-0x0000000000400000-0x000000000086A000-memory.dmp	vmprotect

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

Modifies registry class 36 IoCs

Processes:

4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

pid	process
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

pid	process
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

pid	process
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
920	4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe

C:\Users\Admin\AppData\Local\Temp\4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe
"C:\Users\Admin\AppData\Local\Temp\4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T22XS5WA\k[1].js
Filesize
94B

MD5
514eb157c352678fe6e6ffb103579bfa

SHA1
5892249a4b53845b0761623aefa1c0d251ccf7da

SHA256
5e0f936c52cb1e65ccda6fe580472f66166fa4687aeb931c2f0b25bf8c858daf

SHA512
91832b7b508d3386e65bea57a42c5b8af73f5cee55efa0b05ffb8dc9a60473cec718f2d28a9d8c7420ae92ec6ba43a1df598541571ffed4726a61fa4b8703edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a673e2e7e8d965eeba0b5e6c2f66065e6631460ae9cd8a19779d2f23d19c758.ini
Filesize
177B

MD5
8892f0595db0617f1df5f3d622346c14

SHA1
424bdb8665bca00b7a227e8522157649cd335063

SHA256
b3d5b1e0f8014d3b9e03834c923c4a8c7b2283afc2f3beaf24161f56dbda927c

SHA512
577444527e706326028eca634f188881e2dcc1f2fd20b82ba041e2b5d71e49983197a7c679d349da17e4c4ca8ad08fb99ba7ab3337ddb4787bb96179414dcc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\5E37.tmp
Filesize
897B

MD5
c007d3dbd75e68e081f3989abb3ac500

SHA1
fe2bf83519cfa40e0dc9316d0f036c2ce127865a

SHA256
c33dea9c78fd745bd74e38aaae210349f9f3dc52b21bad68896cd1c1bbe095cc

SHA512
afce746bae2a7d9a148fcebebbf42ba3a6a6b7b615022cb1319332cb76fe2d34cf2d9394d259cdf8ab8d71e40b5d21828063c3b302c0e0a7588d176fe381d3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad-mymacro9.xml.tmp
Filesize
3KB

MD5
6a004b4196400a627b5b6248a2a2dcba

SHA1
fa9a555e83a4c3a73e07a728ec92827f55fbcf02

SHA256
9cd3e3f97866082f8edfed25d56b40786c2809f264c4f8b10c022403e7f0f101

SHA512
1b5cea41dce0742e4ba7a7f3c4bef3eefc92c63d267a306e4098c68b768723abc0f0eace4a486ff3f4b1bb8a74279dd04e9c2a48df9a20125c21209e3d205624

Download Submit
\Users\Admin\AppData\Local\Temp\cfgdll.dll
Filesize
59KB

MD5
929f56b46242fa68a616374a5403689b

SHA1
45b4ade1f0cc2bf13e74d9801eee5c7abee3c3b2

SHA256
767b2e735693a9455a23b19e7a94643fd6095fa1158cbe22f612d657ebbb670d

SHA512
81c69649efff9d320533bcb3256d42c671877e1d48f9df99134c514aa2d888d11ded13b9d3447949881513e376cf4644b41b997cad2a9ffb51f4f45ca3cdc641

Download Submit
\Users\Admin\AppData\Roaming\mymacro\qdisp.dll
Filesize
43KB

MD5
7171bc500507f070355c8903e0ea6d3d

SHA1
073d479fdbd1f2af5d494e90b950098be63dee75

SHA256
3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c

SHA512
a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622

Download Submit
\Users\Admin\AppData\Roaming\mymacro\qdisp.dll
Filesize
43KB

MD5
7171bc500507f070355c8903e0ea6d3d

SHA1
073d479fdbd1f2af5d494e90b950098be63dee75

SHA256
3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c

SHA512
a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622

Download Submit
memory/920-54-0x0000000000400000-0x000000000086A000-memory.dmp

Filesize
4.4MB

Download
memory/920-84-0x0000000000400000-0x000000000086A000-memory.dmp

Filesize
4.4MB

Download
memory/920-89-0x0000000000A00000-0x0000000000A0F000-memory.dmp

Filesize
60KB

Download
memory/920-155-0x0000000000400000-0x000000000086A000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads