Analysis
-
max time kernel
22s -
max time network
24s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
29-11-2020 13:15
Errors
General
-
Target
https://www.google.com/search?q=virusmaker&rlz=1C1AVFC_enCZ881CZ881&oq=virusmaker&aqs=chrome..69i57j0i10l2j0i10i30l3j5i30i44.3750j0j7&sourceid=chrome&ie=UTF-8
-
Sample
201129-9shn594mbs
Malware Config
Signatures
-
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=virusmaker&rlz=1C1AVFC_enCZ881CZ881&oq=virusmaker&aqs=chrome..69i57j0i10l2j0i10i30l3j5i30i44.3750j0j7&sourceid=chrome&ie=UTF-81⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad4055 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_00822B812F3071D0A5AB02FB7D4F1DF9MD5
b3d3f7c1b582b91c5d622859bbc87728
SHA11ea9fb376fa864c79d0f345793ed95ba8137a693
SHA256653765af61c4cee631d122323aef2348f12e58ef3066f797f98e15b636ffa36a
SHA51283b4ce8023c7a9894c5c13b2ac4d22b3d4d7b52015ba3b84319b848a61c4ac4f3748d9ba95d95502753db2d92bb2849dc925a23ab405078c54ec5463df16c58d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288BMD5
48d7b88f7986388169c9f46bd8d48050
SHA1f34113edae5d2fe7046d9250a019bc19cf6534cc
SHA256679a3247b5f50991c3aef6f491cd5a5b0c55f11693a886f6a7cfed811f108cc8
SHA512fb43568a8419777a45ebf4a6325e3c256ce0c464fc9ecb88fd924709aa0ab2b631c027fc258e66e1fc5616f4d252029d926d31b29c445c8af31e4aa70fb0d21c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_00822B812F3071D0A5AB02FB7D4F1DF9MD5
4f53919c6293378a879ea19e3566eb28
SHA1d3c2b0680d5d709b3f2715eefb392a9f28226929
SHA2560d3933f294d9cab6f8abebe066824f0086162f6bda652ff867d4132008a38614
SHA5127e9d24ed6929057083d009ed7ff848062707dac2e0e837b20bf8aa3b525f9453afc4dff3b7212ef5ac8ab4e7116363e3a0499ac22502d101b5bbcbdcc03d7a4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288BMD5
20cd723388077c204f4df722d15e1fdc
SHA16ca3e2b142aac52568e79eed4010ec430b6f0f70
SHA256fc1089242c1c8385d08944c76cbdb94fc911d86819d6abb4039d2e51ce2d4a26
SHA5127547893435f0645be8d1211cff34e8baf93879b4fdd106cadb05d72056c0a72ed17404a02da21d39243254269e5e8c506d96ef17c0642b8df75dd4a246df8ec3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YWDWY1F9.cookieMD5
d3ba8bb7f30ad79f6dbb00bf8ae21e5d
SHA164b5003932102411b93ffbc6b05e7113ecb4d657
SHA25619a046dae4549bac67f8e67dd5c57a7273bb17c69b247bb939c062c0e2889caa
SHA51268179b674e38437892132fd47e5c027aa59af0286d495c7483f2c9a8a3efbe6b697f4ecc8befee55124c0460677e34bc5b7ed7249b532f61090519abc025abf0
-
memory/4036-2-0x0000000000000000-mapping.dmp