3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853

Analysis

max time kernel
127s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe
Size

256KB
MD5

ef0546a86f8bc61f931e87474c80977d
SHA1

9f92cd8e52aed564f686c0ec57a1548ce27caba9
SHA256

3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853
SHA512

e043ae83ce3a002ffe70d5f409a5d4b6370559c01b00fe590de226a2621094e12b0bcc06fe247098f897a926e2fd38913eb06ce00ea9ae017d26e94293f8013b
SSDEEP

6144:wDLQxoyQ1LpnFyZ+dayL9rvolH8u3ZhGod:IQCyQ1LHk+zR7QHjGo

Score

9^/10

persistence vmprotect

Malware Config

Signatures

Detects executables packed with VMProtect. 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1728-2-0x0000000000400000-0x000000000048C000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1728-0-0x0000000000400000-0x000000000048C000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/1728-19-0x0000000000400000-0x000000000048C000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
C:\Users\Admin\AppData\Local\Temp\yyyy	INDICATOR_EXE_Packed_VMProtect

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
persistence

Active Setup
T1547.014

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Drops file in Drivers directory 1 IoCs

Processes:

3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe

description ioc process

File opened for modification C:\WINDOWS\system32\drivers\etc\hosts 3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2500 cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

description	ioc	process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe

pid	process
2500	cmd.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1728-2-0x0000000000400000-0x000000000048C000-memory.dmp	vmprotect
behavioral1/memory/1728-0-0x0000000000400000-0x000000000048C000-memory.dmp	vmprotect
behavioral1/memory/1728-19-0x0000000000400000-0x000000000048C000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\yyyy	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2637.cn/?56"	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe

pid process

1728 3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe

pid	process
1728	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe
Token: SeShutdownPrivilege	1760	explorer.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

explorer.exe

pid	process
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe
1760	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe

description	pid	process	target process
PID 1728 wrote to memory of 1760	1728	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe	explorer.exe
PID 1728 wrote to memory of 1760	1728	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe	explorer.exe
PID 1728 wrote to memory of 1760	1728	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe	explorer.exe
PID 1728 wrote to memory of 1760	1728	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe	explorer.exe
PID 1728 wrote to memory of 2500	1728	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe	cmd.exe
PID 1728 wrote to memory of 2500	1728	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe	cmd.exe
PID 1728 wrote to memory of 2500	1728	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe	cmd.exe
PID 1728 wrote to memory of 2500	1728	3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe
"C:\Users\Admin\AppData\Local\Temp\3b4fc8117a3228f3e4993fbb0adfebd93b714f1677e93f95b55fdb8381681853.exe"
1⤵
- Drops file in Drivers directory
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
2⤵
- Deletes itself
PID:2500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2880

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yyyy
Filesize
256KB

MD5
c33dae20121003088a6717122912889d

SHA1
cfd3ce79ebd9f813ec6a7aea1700ce489776cc05

SHA256
c54ec841eb48a2e413d27eacee4e39653b93e3e479741482566967cc0e689f7c

SHA512
553e2e8957ce18efd502cb94bba5fc9af001a17efaf6db4742c1a74ece1c7e5642ee856954162e2e3381704ec4a9a3d04c4c40953cb2831cd6846a9d200acac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyyy.bat
Filesize
337B

MD5
efd7461ff257a05c2b27c3fa8b44feb3

SHA1
9f1ee75f69e62dd75791b3dd9e4e4103d89ee3b4

SHA256
ba55801b55544afd76d2da2361d9f24011a51a646a37d46cf5fb882189f5a989

SHA512
7a154c0806ab2da7a98d77fde5deb8e04fd444eec701f911f007cb3f554608cc716ac2914bf68921b1c91b52a9261903d123fe9370d6a420e3914ea345bb2419

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
a1d921556cf3a3d9d26b2ef002a7f87e

SHA1
6d35761aa3c8d24ab25db1d6a6e8a964bebd7121

SHA256
be7dfb47e11615f6b0cda24d8d568fccb6cea492112f723b8784ee26cbe5d309

SHA512
282607c9fc123c57dff829e728c4b08fe7fa27a130903907856127c9aec7d7f2c83c8e6d812208291c495cf25af195404d9010391cf53fcd12f2647475acc049

Download Submit
memory/1728-2-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1728-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1728-19-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1760-24-0x0000000004370000-0x0000000004380000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads