Resubmissions

21-04-2021 07:08

210421-tvszcna2rn 10

20-04-2021 15:45

210420-ltq5yewapn 8

20-04-2021 15:36

210420-agthzw54hx 8

Analysis

  • max time kernel
    137s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    20-04-2021 15:36

General

  • Target

    http://192.3.26.118/klok.exe

  • Sample

    210420-agthzw54hx

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://192.3.26.118/klok.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1892 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:684

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

2
T1112

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5: b8c8b0ee955b46a4df1dd71c75753947
    SHA1: 0e023de5f301a023eb9b130dc8c0ee6812b1b77f
    SHA256: 05e68df5ac57af6fef221d1431996178da03315ea5c9fe26d9fc624aa8078ebf
    SHA512: f844fa669fbf9417cb8c5689957e2981fe40f94e800159656211b170f595aadf563446e6fb0b37ff7d788bde28233591d8d837d16f0e3c80459c4223112c6720

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5: 6c5b4605f9b568dd76a059cf32f150e7
    SHA1: c693ff3ce0069001d62a16c267d4fa83571a5ad5
    SHA256: 724f989958fe6c86c8c1737fff05e01acc2918f51f5f9a7fdb928357e1f5c160
    SHA512: 7d9752a195e3d7d464fa1f351010ba2f2abea830f841f342fc0100e7c41ff8fefbe837659fb15b22d54b25601a4ebaa807cf49e7a805b05126b5a56fbd3cd854

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\8TUO2BAQ.cookie
    MD5: f08d0f829a976705edb0386d2899e790
    SHA1: 964e1d1be6e1f1f327cfd4e682125bbbfaf26d5f
    SHA256: 36357557f8dbcf48f6f68412fc70d359e0804f823a715b71d432111cbbac7971
    SHA512: 9e98e0562467711fa0282695a96f425e718fd19d7933fbdc17f0ebca119e2acfdcdac0ea7cd24d720f0ff469d107b7b49c3e5e2aae74bce1c7192592921c9ee3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MAYMI3VU.cookie
    MD5: 125a6ce4ff517211a0939d6fb8d9e7ba
    SHA1: a2fcdfa97d3573c65765407e360f84a9c6e165d3
    SHA256: 392b54009b83ad9e27530988dd37c6f8301e08e969878d496c134f4573bbcf84
    SHA512: 20e9c412c301692a7890cdc3c9d3becaeadda6d5a1c82c4071ea476d84f6266e53b0dcdac9a8c17badea56bc6e1e4043d9bb509a59b363d4bf8a6ebb99db149d

  • memory/684-115-0x0000000000000000-mapping.dmp
  • memory/1892-114-0x00007FF905310000-0x00007FF90537B000-memory.dmp
    Filesize: 428KB