Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-11-2020 17:45

Static task: static1
Behavioral task: behavioral1
- Sample: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe
- Resource: win10v20201028

General
- Target: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe
- Size: 270KB
- MD5: 4b75efc2a9c47bbbf2cc1f9761922cb2
- SHA1: f2218540985d22624021b4acb9966d20d480edff
- SHA256: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44
- SHA512: 46e396830520c4acbc8d156428cc4ab7141d5815f1215c914ac86b35e6c0ad90433becca6b818d8d7fbeea6e85d8a52dd47e0e92e83f7dc6a35b2bb31e67354e
Malware Config
Extracted from: C:\Users\Admin\Documents\# DECRYPT MY FILES #.txt
Family: cerber
- http://bqyjebfh25oellur.onion.to/9A73-BD51-45F8-0072-842A
- http://bqyjebfh25oellur.onion.cab/9A73-BD51-45F8-0072-842A
- http://bqyjebfh25oellur.onion.nu/9A73-BD51-45F8-0072-842A
- http://bqyjebfh25oellur.onion.link/9A73-BD51-45F8-0072-842A
- http://bqyjebfh25oellur.tor2web.org/9A73-BD51-45F8-0072-842A
- http://bqyjebfh25oellur.onion/9A73-BD51-45F8-0072-842A
Extracted from: C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
- http://bqyjebfh25oellur.onion.to/9A73-BD51-45F8-0072-842A
- http://bqyjebfh25oellur.onion.cab/9A73-BD51-45F8-0072-842A
- http://bqyjebfh25oellur.onion.nu/9A73-BD51-45F8-0072-842A
- http://bqyjebfh25oellur.onion.link/9A73-BD51-45F8-0072-842A
- http://bqyjebfh25oellur.tor2web.org/9A73-BD51-45F8-0072-842A
- http://bqyjebfh25oellur.onion/9A73-BD51-45F8-0072-842A
Signatures
- Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
- Ursnif RM3
  A heavily modified version of Ursnif discovered in the wild.
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe, fontview.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\fontview.exe\"" (60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\fontview.exe\"" (fontview.exe)
- Executes dropped EXE (2 IoCs)
  Processes: fontview.exe
  - pid 1388 fontview.exe
  - pid 2004 fontview.exe
- Modifies extensions of user files (1 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: fontview.exe
  - File opened for modification C:\Users\Admin\Pictures\RemoveStart.tiff (fontview.exe)
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  - pid 1992 cmd.exe
- Drops startup file (2 IoCs)
  Processes: fontview.exe, 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fontview.lnk (fontview.exe)
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\fontview.lnk (60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe)
- Loads dropped DLL (2 IoCs)
  Processes: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe, fontview.exe
  - pid 1848 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe
  - pid 1388 fontview.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe, fontview.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fontview = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\fontview.exe\"" (60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe)
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run (fontview.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontview = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\fontview.exe\"" (fontview.exe)
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (fontview.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\fontview = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\fontview.exe\"" (fontview.exe)
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run (60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontview = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\fontview.exe\"" (60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe)
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe)
- Checks whether UAC is enabled
  Processes: fontview.exe
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (fontview.exe)
- JavaScript code in executable (1 IoCs)
  - resource C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html, yara_rule js
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 6: ip-api.com
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: fontview.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4C3C.bmp" (fontview.exe)
- Drops file in Program Files directory (15 IoCs)
  Processes: fontview.exe
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE
  - File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.html
  - File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.txt
  - File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.vbs
  - File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.vbs
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.ini
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE
  - File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\# DECRYPT MY FILES #.url
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml
  - File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.html
  - File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.txt
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE
  - File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE
  - File created C:\Program Files (x86)\Microsoft Office\Office14\OneNote\# DECRYPT MY FILES #.url
- Kills process with taskkill (2 IoCs)
  Processes: taskkill.exe
  - pid 1904 taskkill.exe
  - pid 2136 taskkill.exe
- Modifies Control Panel (4 IoCs)
  Processes: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe, fontview.exe
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop (60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\fontview.exe\"" (60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe)
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop (fontview.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\\fontview.exe\"" (fontview.exe)
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
- Runs ping.exe (1 TTPs, 2 IoCs)
- Suspicious behavior: EnumeratesProcesses (300 IoCs)
  Processes: fontview.exe
  - pid 1388 fontview.exe (the same entry is repeated for every IoC listed)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe, fontview.exe, taskkill.exe, AUDIODG.EXE
  - Token: SeDebugPrivilege, pid 1848 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe
  - Token: SeDebugPrivilege, pid 1388 fontview.exe
  - Token: SeDebugPrivilege, pid 1904 taskkill.exe
  - Token: SeDebugPrivilege, pid 2004 fontview.exe
  - Token: 33, pid 2008 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, pid 2008 AUDIODG.EXE
  - Token: 33, pid 2008 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, pid 2008 AUDIODG.EXE
  - Token: SeDebugPrivilege, pid 2136 taskkill.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: iexplore.exe
  - pid 1792 iexplore.exe
  - pid 328 iexplore.exe
  - pid 1792 iexplore.exe
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes: iexplore.exe, IEXPLORE.EXE
  - pid 1792 iexplore.exe (4 entries)
  - pid 328 iexplore.exe (2 entries)
  - pid 980 IEXPLORE.EXE (6 entries)
  - pid 1940 IEXPLORE.EXE (2 entries)
- Suspicious use of UnmapMainImage (3 IoCs)
  Processes: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe, fontview.exe
  - pid 1848 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe
  - pid 1388 fontview.exe
  - pid 2004 fontview.exe
- Suspicious use of WriteProcessMemory (50 IoCs)
  Processes: 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe, cmd.exe, taskeng.exe, fontview.exe, iexplore.exe
  Each line gives source PID and process, target PID and process, and how many identical entries the report lists:
  - PID 1848 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe wrote to memory of 1388 fontview.exe (4)
  - PID 1848 60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe wrote to memory of 1992 cmd.exe (4)
  - PID 1992 cmd.exe wrote to memory of 1904 taskkill.exe (4)
  - PID 1992 cmd.exe wrote to memory of 676 PING.EXE (4)
  - PID 1624 taskeng.exe wrote to memory of 2004 fontview.exe (4)
  - PID 1388 fontview.exe wrote to memory of 1792 iexplore.exe (4)
  - PID 1388 fontview.exe wrote to memory of 840 NOTEPAD.EXE (4)
  - PID 1792 iexplore.exe wrote to memory of 980 IEXPLORE.EXE (4)
  - PID 328 iexplore.exe wrote to memory of 1940 IEXPLORE.EXE (4)
  - PID 1388 fontview.exe wrote to memory of 1404 WScript.exe (4)
  - PID 1388 fontview.exe wrote to memory of 2100 cmd.exe (4)
  - PID 2100 cmd.exe wrote to memory of 2136 taskkill.exe (3)
  - PID 2100 cmd.exe wrote to memory of 2220 PING.EXE (3)
Processes
Process tree (children indented under their parent; signatures listed per process):
- C:\Users\Admin\AppData\Local\Temp\60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe"
  Signatures: Adds policy Run key to start application; Drops startup file; Loads dropped DLL; Adds Run key to start application; Modifies Control Panel; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fontview.exe
      Command line: "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fontview.exe"
      Signatures: Adds policy Run key to start application; Executes dropped EXE; Modifies extensions of user files; Drops startup file; Loads dropped DLL; Adds Run key to start application; Checks whether UAC is enabled; Sets desktop wallpaper using registry; Drops file in Program Files directory; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
              Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
        - C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        - C:\Windows\System32\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
        - C:\Windows\system32\cmd.exe
          Command line: /d /c taskkill /t /f /im "fontview.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fontview.exe" > NUL
          Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\taskkill.exe
              Command line: taskkill /t /f /im "fontview.exe"
              Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
            - C:\Windows\system32\PING.EXE
              Command line: ping -n 1 127.0.0.1
              Signatures: Runs ping.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /d /c taskkill /t /f /im "60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe" > NUL
      Signatures: Deletes itself; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /t /f /im "60f8b6d462659f2e33e2d80ee76961e809b631b29958472be6d16304631f7b44.exe"
          Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 1 127.0.0.1
          Signatures: Runs ping.exe
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {47FF9DB7-50A7-4EDB-AAA8-3F8EAD952934} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fontview.exe
      Command line: C:\Users\Admin\AppData\Roaming\{9E67C82F-C7A5-CEBB-D215-2DD654B83DB5}\fontview.exe
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:328 CREDAT:275457 /prefetch:2
      Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x574
  Signatures: Suspicious use of AdjustPrivilegeToken
Downloads