29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe
Size

88KB
MD5

0718af0923bc5061c9ec5200b402a617
SHA1

3ed8d34e9d64dbf50d59d1536691c47ff5b2eb7d
SHA256

29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e
SHA512

a65c20fa2b72a0d3daa86aa838b66ff2c8e55532d6545c9a645569998a1e6ef4137689d8ee5e02e0bc0d5998d7c9f81d259623a76cea1e20aedfe531b84cd2b6
SSDEEP

1536:dXNXdlRH+Dwk4cSGesvhC8plnQ85+HwClgfTQqPTFTCtOQ8Ccfix:ddtlRH+UxGzh3HQ85+QqoTBfix

Score

7^/10

bootkit discovery persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5652	svchosts.exe

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/6000-0-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral2/memory/6000-1-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral2/files/0x00090000000227aa-6.dat	vmprotect
behavioral2/memory/5652-9-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral2/memory/6000-72-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect
behavioral2/memory/5652-92-0x0000000000400000-0x0000000000431000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\svchosts.exe	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe
File opened for modification	C:\windows\svchosts.exe	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 400ee3a8f89fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D3734A82-0BEB-11F0-B6D4-5A3D6C403EEC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449941769"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093a53d3a8f9e6f478baf2534b57034d4000000000200000000001066000000010000200000003086f49a7e380ba364203e5e9bc17897fdbf3ebd929909009ecc44d6ec3beb6c000000000e8000000002000020000000b69583fdd8d4daa26a857682998db8df285542d2a888d854aae82b266bbda30a20000000e072b00aabacaf9d4adf451dd50e7c695dfbb9cdab0a463c80ba7905d7787538400000009b3d273542c322769c744c943f86baf4435ec35e51469400f81b4d4b3080697b89fbcc69ecac5546e5df07ef46b0f1782cd6049937193bbc24a8a079180258ad	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e2dba8f89fdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000093a53d3a8f9e6f478baf2534b57034d400000000020000000000106600000001000020000000154e0b48bc5f679dbdb8dbd99c03569b33ab8a70d6d3809a390799d57bdef04a000000000e800000000200002000000026b6073a893836dbeffbb38477579df1a8113720943654e345d0347f5491a979200000000c878cd56d44808d2e7fa0aed9abc2c3b49a4233fcb8030319b0d6491e35fbfb40000000fd17f0b47ca6320def8ad2f15cca24f69e41e3ed8f62366606d845a654b7cb0174a74151876d8b48935ae47d6587bcc7a614484d40b9631548f2cfc5c6350053	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
6000	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe
6000	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5664	iexplore.exe
5652	svchosts.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
6000	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe
5652	svchosts.exe
5664	iexplore.exe
5664	iexplore.exe
4876	IEXPLORE.EXE
4876	IEXPLORE.EXE
4876	IEXPLORE.EXE
4876	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 6000 wrote to memory of 5652	6000	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe	89
PID 6000 wrote to memory of 5652	6000	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe	89
PID 6000 wrote to memory of 5652	6000	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe	89
PID 6000 wrote to memory of 5664	6000	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe	90
PID 6000 wrote to memory of 5664	6000	29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe	90
PID 5664 wrote to memory of 4876	5664	iexplore.exe	91
PID 5664 wrote to memory of 4876	5664	iexplore.exe	91
PID 5664 wrote to memory of 4876	5664	iexplore.exe	91

C:\Users\Admin\AppData\Local\Temp\29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe
"C:\Users\Admin\AppData\Local\Temp\29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6000
- C:\windows\svchosts.exe
  C:\windows\svchosts.exe auto
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:5652
- C:\progra~1\Intern~1\iexplore.exe
  C:\\progra~1\\Intern~1\\iexplore.exe http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=232138804165&isqq=3
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5664
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5664 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
0c5ef9158dcdd3b41a7e84c5e760b59d

SHA1
9cb930588b30e4399d0fbf73a559b2d89373a6a9

SHA256
95c2b916d5668f7823fc9222d4cac008570c4f1866a3ef2b4175cb1ea5bbd9d9

SHA512
13cf19b192d4b6365ab09e13b5ffc6c26470ff51527d8e49fad7aa410df5a7bc6557e731d5b49fa7c19cd9b677764422d2f57c10d2578cdfdf91cd1120db9c4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
a36b0448fde472b399baf471295cdd9c

SHA1
d1af473dc72b457b00e4ef6c804d7c7229934149

SHA256
8a8f1c32317d4b13a955d71fdb8dedbb6d20bea2941faa376070cc986d7fb487

SHA512
50f6a59cb4853158e157b8cdd2c3a03afb5941ecbe216fd242cae0a117566ea7d643ae2b76bc23e218fc261ebd921523b05794cb58a0b956eb54a24f72d7b0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZDUDUCB4\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\svchosts.exe

Filesize
88KB

MD5
0718af0923bc5061c9ec5200b402a617

SHA1
3ed8d34e9d64dbf50d59d1536691c47ff5b2eb7d

SHA256
29093e8a65e245f8e1dcddb7e05cdf79ee6ab317d76bdbff94103b451deac21e

SHA512
a65c20fa2b72a0d3daa86aa838b66ff2c8e55532d6545c9a645569998a1e6ef4137689d8ee5e02e0bc0d5998d7c9f81d259623a76cea1e20aedfe531b84cd2b6

Download Submit
memory/5652-9-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5652-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5664-34-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-29-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-19-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-23-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-22-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-26-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-32-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-36-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-42-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-43-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-51-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-46-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-52-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-45-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-44-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-50-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-41-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-40-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-39-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-38-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-16-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-31-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-30-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-20-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-28-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-24-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-21-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-18-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-17-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-53-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-54-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-59-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-62-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-67-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-65-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-64-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-63-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-61-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-73-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-76-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-15-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-13-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/5664-12-0x00007FFC56760000-0x00007FFC567CE000-memory.dmp

Filesize
440KB

Download
memory/6000-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/6000-1-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/6000-72-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download