d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c

General

Target

d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
Size

9.8MB
MD5

816adbf6b1a6be1f8bfb3f67730a6a1e
SHA1

8a6d9041effe330d48b5026999f9c541d9991399
SHA256

d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c
SHA512

d0263651c6cd1b2a829e1818c1fe2c2ad47dc981649d51e900e6a2fa28859a21012df003af27b28b23d84f3912cf32619b7791ddcf4e5a3f7e20826a903f35f6
SSDEEP

196608:n+fzePNuyOthwkY/MMNW8y3tMqr372msFxpWOui0nW:n+fzDWkRatg7SmKxUW

Score

7^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	start.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2224-0-0x0000000140000000-0x0000000141180000-memory.dmp	vmprotect
behavioral1/memory/2224-1-0x0000000140000000-0x0000000141180000-memory.dmp	vmprotect
behavioral1/memory/2224-2-0x0000000140000000-0x0000000141180000-memory.dmp	vmprotect
behavioral1/memory/2224-3-0x0000000140000000-0x0000000141180000-memory.dmp	vmprotect
behavioral1/memory/2224-4-0x0000000140000000-0x0000000141180000-memory.dmp	vmprotect
behavioral1/memory/2224-6-0x0000000140000000-0x0000000141180000-memory.dmp	vmprotect
behavioral1/memory/2224-7-0x0000000140000000-0x0000000141180000-memory.dmp	vmprotect
behavioral1/memory/2224-11-0x0000000140000000-0x0000000141180000-memory.dmp	vmprotect
behavioral1/memory/2224-19-0x0000000140000000-0x0000000141180000-memory.dmp	vmprotect
behavioral1/memory/2224-27-0x0000000140000000-0x0000000141180000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2632	start.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Silverlighte\medge.exe	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
File created	C:\Program Files (x86)\Microsoft Silverlighte\XLBugHandler.dll	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	start.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	start.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Wow6432Node\Interface\{8224C668-8596-82A8-83DC-806E31AE4817}	start.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Wow6432Node	start.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Wow6432Node\Interface	start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Wow6432Node\Interface\{8224C668-8596-82A8-83DC-806E31AE4817}\ = "S+uFHfANohGX4CfzSJJHaXmCoReL4iH/Iogyebxm6Se13C/E3FbEo2Tkeh3sDZIRgeAT8xSSAGeSe5YXh+IR/wyIHnmIZqIltdwvxNxWxKMV+UxSQeSDoclZeFBPDdod"	start.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\Wow6432Node\Interface\{8224C668-8596-82A8-83DC-806E31AE4817}\ = "S+uFHfANohGX4CfzSJJHaXmCoReL4iH/IogyebxmCCe13C/E3FbEo2Tkeh3sDZIRgeAT8xSSAGeSe5YXh+IR/wyIHnmIZqIltdwvxNxWxKMBBuwCeZb7x5lRtTMuQyzm"	start.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2632	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe	27
PID 2224 wrote to memory of 2632	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe	27
PID 2224 wrote to memory of 2632	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe	27
PID 2224 wrote to memory of 2632	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe	27
PID 2224 wrote to memory of 1676	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe	30
PID 2224 wrote to memory of 1676	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe	30
PID 2224 wrote to memory of 1676	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe	30
PID 2224 wrote to memory of 2504	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe	32
PID 2224 wrote to memory of 2504	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe	32
PID 2224 wrote to memory of 2504	2224	d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe	32

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1676	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
"C:\Users\Admin\AppData\Local\Temp\d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Public\Documents\start.exe
  "C:\Users\Public\Documents\start.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Modifies registry class
  PID:2632
- C:\Windows\system32\attrib.exe
  attrib C:/Users/Public/Documents/medge.exe -s -h -r
  2⤵
  - Views/modifies file attributes
  PID:1676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\d83d8b17bb5e5d57cab1c69b857dd8d273a46c68e48655449c8aff4e4e6ddc2c.exe
  2⤵
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\medge.exe

Filesize
457KB

MD5
90cc9513b3758fdd553c56b0ef4e7a1a

SHA1
cfa8be21c10bc7b56eddc31cc122ca3bb1ee647b

SHA256
88c647215a1893de5cb0b3889d74be07d3c7fc99bfd4ca20e0f5e0c27edd4657

SHA512
29e2bb00169f7cd5208988dbc3f44a480c13a5054469f8d184fe73fc46e8709ad81a372edacde415a34e7685b67459191bf19b0a18720dd46b417a8beece16b2

Download Submit
C:\Users\Public\Documents\start.exe

Filesize
3.5MB

MD5
2b345d7415d6668fe2709f0b5b1b3fea

SHA1
fb3746ab66aced57473f2912bd35590da922a802

SHA256
19ff73117325f5c864f204429f6dab10f58bd16896c9b6f53a50baded594d1b6

SHA512
4e7b778efff807e3af6786e345b6e9e526e4c1958598dac99c5af1def4902a16d2c77d94c86fe02b7e1a186b9b3a5ad69cf373f8294388671ebb8ba08d4eae4a

Download Submit
C:\Users\Public\Documents\start.exe

Filesize
3.5MB

MD5
2b345d7415d6668fe2709f0b5b1b3fea

SHA1
fb3746ab66aced57473f2912bd35590da922a802

SHA256
19ff73117325f5c864f204429f6dab10f58bd16896c9b6f53a50baded594d1b6

SHA512
4e7b778efff807e3af6786e345b6e9e526e4c1958598dac99c5af1def4902a16d2c77d94c86fe02b7e1a186b9b3a5ad69cf373f8294388671ebb8ba08d4eae4a

Download Submit
memory/2224-7-0x0000000140000000-0x0000000141180000-memory.dmp

Filesize
17.5MB

Download
memory/2224-4-0x0000000140000000-0x0000000141180000-memory.dmp

Filesize
17.5MB

Download
memory/2224-6-0x0000000140000000-0x0000000141180000-memory.dmp

Filesize
17.5MB

Download
memory/2224-0-0x0000000140000000-0x0000000141180000-memory.dmp

Filesize
17.5MB

Download
memory/2224-11-0x0000000140000000-0x0000000141180000-memory.dmp

Filesize
17.5MB

Download
memory/2224-3-0x0000000140000000-0x0000000141180000-memory.dmp

Filesize
17.5MB

Download
memory/2224-2-0x0000000140000000-0x0000000141180000-memory.dmp

Filesize
17.5MB

Download
memory/2224-19-0x0000000140000000-0x0000000141180000-memory.dmp

Filesize
17.5MB

Download
memory/2224-1-0x0000000140000000-0x0000000141180000-memory.dmp

Filesize
17.5MB

Download
memory/2224-27-0x0000000140000000-0x0000000141180000-memory.dmp

Filesize
17.5MB

Download
memory/2632-16-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download
memory/2632-18-0x0000000000400000-0x00000000009FA000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing