be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde

General

Target

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
Size

425KB
MD5

c486aedae4bb88c1bd5064f12df7e188
SHA1

9880e8a0655cf1d0dad855703b85e1bb9bd4db82
SHA256

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde
SHA512

fbcccfbc92782740ad542038b2ae3b0d6926d87deeaed6f25dbcf1db4bc00a36af1fe8e74a642fd6a40ee625199b210fad119afbc2a5b7c87c96f603343b2f16

Score

8^/10

ransomware spyware

Malware Config

Signatures

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SetConvertFrom.raw => C:\Users\Admin\Pictures\SetConvertFrom.raw.7F09C1E8BA5162798BEE61DDE2FC86E3F48FE3B9DDF49B3B77C15A14799D081D	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\WaitFind.tif => C:\Users\Admin\Pictures\WaitFind.tif.1F88F70016AF0B151EF9E3994BEF2493A41853CFAFD8455008942DD19F475F19	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\AddUnlock.tif => C:\Users\Admin\Pictures\AddUnlock.tif.4ABBE7247EABE418C58D43E5E1B5072CEFB40596FC23870B00F8F1C6ABA1410F	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\PushMount.crw => C:\Users\Admin\Pictures\PushMount.crw.A35D714593C4DE8F8B1ECE11B588EF5F77E25997F78C35A97C1A1DADA573EB40	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\CompressStop.tif => C:\Users\Admin\Pictures\CompressStop.tif.FA3DBC73B10045E7CF6312F5945F15F2BBB1AFE182BA72316F170EAC6DB0432F	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveStop.tiff	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RemoveStop.tiff => C:\Users\Admin\Pictures\RemoveStop.tiff.B8FA245BDBA1B1AC3C8A49F55902E22F600B0A3CE7A71EC66A287CAC956FA80E	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\UninstallReceive.raw => C:\Users\Admin\Pictures\UninstallReceive.raw.5711915AD34B8DC436F0E90AB8C931B3FC95BC5062A464393FFD3B745E53C67E	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\BackupInvoke.tiff	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\BackupInvoke.tiff => C:\Users\Admin\Pictures\BackupInvoke.tiff.2B9E054B027503D123C3783A53F2874DA30359B2D440744B7F763F2A19CEF13B	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 35 IoCs

Processes:

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

description	ioc	process
File opened for modification	C:\Users\Public\Documents\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

description	ioc	process
File opened (read-only)	\??\K:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\V:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\M:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\R:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\E:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\Y:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\U:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\F:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\J:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\L:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\Z:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\W:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\O:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\P:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\S:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\G:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\N:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\T:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\I:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\H:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\X:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\B:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
File opened (read-only)	\??\Q:	be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a600000000002000000000010660000000100002000000084343c834f27900e27ef9005bba052321ad5b4810cdcf86b6e052a9714f1e675000000000e80000000020000200000007f491ae892ef418cf40eee9fc12197c583a40f9f014863769ca766a26e4996b190000000549c0bfa9f051c1f89f7bd565396284bfac8fecc8b9005c554ceeb4f7845a8d47b4f79bda539716523ca7a26e24453d3ac40c78043cba02ba6bf189e317915929a636c96601ccdba672f311b2477e1cbe378ed81f5435b7265587f0d9659d2b7d4ed9b7b4b10817590cfcbcb846c64ae12189b22d8df06b0a51f18cd1a82fea6b2d361e0cc19639ccebe189d0afc1f7640000000104607b5e4ebd7519950570ccb3b3e9d6b6e382db18005892a4cdfedddfab96320f7a9056f02909579b53ac843cc1a72dba3b14db41630fe33fbcfb63276698b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a60000000000200000000001066000000010000200000000093bbd1d983b48eda401720beab5d7da18242e46daff7226ad9478a05b0a706000000000e8000000002000020000000936954e0f2bd9d44ec2eab4eb081b6d4d8ce7cf21fe9f270bcf7636901ddaa7c20000000ccfd8c82e0848d083a159ee167c42baf3cb1cc512199092652f0e2edaaeed08240000000d49d68ce71071e01a855033235cd2cb9340a3e694ce81a1ad86d762ae16c42d89267ab88ad76c122a4cd657c124ef29cac62d659ab47c4b345420430cbeee42d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b05bb8e8e6d9d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "315573845"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1F7A08D1-45DA-11EB-BA33-6280D915632E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

iexplore.exe

pid process

1900 iexplore.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 744 vssvc.exe
Token: SeRestorePrivilege 744 vssvc.exe
Token: SeAuditPrivilege 744 vssvc.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1900 iexplore.exe

description	pid	process
Token: SeBackupPrivilege	744	vssvc.exe
Token: SeRestorePrivilege	744	vssvc.exe
Token: SeAuditPrivilege	744	vssvc.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1900	iexplore.exe
1900	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1760	IEXPLORE.EXE
1900	iexplore.exe
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE
204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1900 wrote to memory of 204	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 204	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 204	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 204	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 1760	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 1760	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 1760	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 1760	1900	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
PID:1068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:204

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275466 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\YOUR_FILES_ARE_ENCRYPTED.HTML
MD5
6778b2816344ffb5c9595dbe9baf8278

SHA1
c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

SHA256
f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

SHA512
af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\YOUR_FILES_ARE_ENCRYPTED.HTML
MD5
6778b2816344ffb5c9595dbe9baf8278

SHA1
c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

SHA256
f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

SHA512
af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\YOUR_FILES_ARE_ENCRYPTED.HTML
MD5
6778b2816344ffb5c9595dbe9baf8278

SHA1
c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

SHA256
f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

SHA512
af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H4AAY2AR.txt
MD5
839ad1dc20362e030ad901672375e51d

SHA1
0ce94608ba170892b56a700bc7a213e268071b9c

SHA256
9b0eab81dbf0aeb8ba8e68eb7390c20fb1d7cfc9a5b2c380ab9d94cd42c8fb89

SHA512
76905537022eaf580eae6c7143bd3f5d695eabd6d5518d734e9498bb5585d34003947e8219d6160487395319b1b863f49ba8414543f9efb22bde7b0b9d4fa5ca

Download Submit
C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
MD5
6778b2816344ffb5c9595dbe9baf8278

SHA1
c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

SHA256
f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

SHA512
af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

Download Submit
memory/204-3-0x0000000000000000-mapping.dmp

Download
memory/1732-2-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp

Filesize
2.5MB

Download
memory/1760-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads