General
Target: test.zip
Sample: 190813-bzccs8gxyn
SHA256: 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5
Score: N/A
Malware Config
Signatures
Modifies Internet Explorer settings (1 TTPs, 18 IoCs)
description:
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\MenuExt (CreateKeyEx)
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (CreateKeyEx)
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE/3000"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute (CreateKeyEx)
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\excel (CreateKeyEx)
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\excel\WarnOnOpen = "0"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-excel (CreateKeyEx)
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-excel\WarnOnOpen = "0"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-powerpoint (CreateKeyEx)
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-powerpoint\WarnOnOpen = "0"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\powerpoint (CreateKeyEx)
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\powerpoint\WarnOnOpen = "0"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-word (CreateKeyEx)
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\ms-word\WarnOnOpen = "0"
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\word (CreateKeyEx)
  \REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\word\WarnOnOpen = "0"
Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx (1 TTPs)

process_martian (1 IoCs)
description: Parent 3924 is not expected to spawn this process
pid: 3924

Suspicious use of WriteProcessMemory (1 TTPs, 1 IoCs)
description: PID 3924 wrote to memory of 3984
pid: 3984
Process: Process not Found

Suspicious use of AdjustPrivilegeToken (1 TTPs, 1 IoCs)
description: Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses