8a516f2df2e8f496a4bf7866036797959e63bbb6658e1f82b671b85227afecb5

General

Target

Grossly Minecraft 1..exe
Size

8.4MB
MD5

7c6c6b9e9111447af1236378c02566c2
SHA1

21340606037756badc4332a8217545dd47e9f24b
SHA256

8a516f2df2e8f496a4bf7866036797959e63bbb6658e1f82b671b85227afecb5
SHA512

2a64e4d159cfc1748eb4768d6072df5c6014a01c81681d26aa35ec9ec1e9346fd3961f51d3db5ff424120ee01486b7f92685d0ec8e935488f2b82cd2b40a2745

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "333"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "227"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\trustarc.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "333"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C80953B1-C62D-11EB-9117-4E8833708825} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "329683524"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "222"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "227"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "42"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f0000000002000000000010660000000100002000000022dcdea0622609ab8446d800ea149fd2af8c0a1d929b9b85f429bcd2b130313c000000000e80000000020000200000008445c0d33d6bdc5aff914b93799bd8b1c1721ce029fcae6b6eae265788f863fb20000000f33c4cffa4f9eef27a04ddbb48c8843514160dd21a2c9eb912d72323067135b9400000000cf522be4e40beab967b2d8556c4ef23d3ec95133157a657d8c3ae447315ff63611e88850db4929a891a815ce8db671f932f3ae64ebea820b8d1de0d1dceb92c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f000000000200000000001066000000010000200000001909828b142cd389ec3f4e57f409f7eacc5b9aa9f05c3a49917be065e04ebab0000000000e8000000002000020000000268d6eef6aa0e4c918618af1ea0c65f31a9923f95ad2d7eb8c5f4b26f3443030200100006ccde96e48b3c377259e893e1a773b10947bc03c770eabf4b3e7297af2de29954e022fcbdbe56c8737b7b344fa7e0ff983530bfd4e0b2eb2b2fb0d66f9c45074eda9d1d9a9ccb412be5ecd013c8029858b4878fbf41f38a3bb8e54e44d91635e8bd3ae9e47c51186d8c3a9c55097c8c85848d3751e65be95e8b3e2e14f1f6d70f30f5a08d727ab6ca1f0b631984a4bb5e83605215282a460788e6dd6575e169a74ff440263293f46bf17c63763739a33be4f98f5a1d4ad272d4870cfbffff75ee81df206e066e5232b8bf7cff97799cb19740aaaadceb014000b24826ec8339e6ae00568fabe86785117e21632704bcd7ecdc36b06226c80f1d9bbb1a3487ccbc490a01a6241ee3dc45408a8cb7d02716c82939ed255008369be1ab4a1895d1e4000000020bcd8ecae9fd1fa6bc0e14fd9725e0c55188b62ad6f1fbaabd964557c9ecefa7d4e3a06020994b54b4fbc26fefe60692b9147fe9b789c83c09cd163818f2604	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "227"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "333"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\trustarc.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "222"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1140 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1140 iexplore.exe
1140 iexplore.exe
1736 IEXPLORE.EXE
1736 IEXPLORE.EXE

pid	process
1140	iexplore.exe

pid	process
1140	iexplore.exe
1140	iexplore.exe
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Grossly Minecraft 1..exeiexplore.exe

description	pid	process	target process
PID 368 wrote to memory of 1140	368	Grossly Minecraft 1..exe	iexplore.exe
PID 368 wrote to memory of 1140	368	Grossly Minecraft 1..exe	iexplore.exe
PID 368 wrote to memory of 1140	368	Grossly Minecraft 1..exe	iexplore.exe
PID 368 wrote to memory of 1140	368	Grossly Minecraft 1..exe	iexplore.exe
PID 1140 wrote to memory of 1736	1140	iexplore.exe	IEXPLORE.EXE
PID 1140 wrote to memory of 1736	1140	iexplore.exe	IEXPLORE.EXE
PID 1140 wrote to memory of 1736	1140	iexplore.exe	IEXPLORE.EXE
PID 1140 wrote to memory of 1736	1140	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\Grossly Minecraft 1..exe
"C:\Users\Admin\AppData\Local\Temp\Grossly Minecraft 1..exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
6045baccf49e1eba0e674945311a06e6

SHA1
379c6234849eecede26fad192c2ee59e0f0221cb

SHA256
65830a65cb913bee83258e4ac3e140faf131e7eb084d39f7020c7acc825b0a58

SHA512
da32af6a730884e73956e4eb6bff61a1326b3ef8ba0a213b5b4aad6de4fbd471b3550b6ac2110f1d0b2091e33c70d44e498f897376f8e1998b1d2afac789abeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
1a4fb171586472f96229ef66e41cb9fa

SHA1
070e3aee9453f83a0a8bb15a3d302c1678dabe00

SHA256
67c0d6d77d7599a74d5c2ecf6e6b2a37fc7239373b2511e2fc8bf4f631ccb4ad

SHA512
7dfae7a2ccce9f7a187e41b185f42f44bc1b40090388607764377ac941e85f56cad088172a90fdfd60a965dac37aebabbc31fc7a0ed5249a446116e6f8c481b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
aae61ae698bcedd3c8d48e754b56950b

SHA1
480b1266d5af5838714c7b9d551d77a257e2f949

SHA256
998990544e88a3f0b7c027f9e233b7cfe38817b12864f981971d201121b55011

SHA512
bfe90b26f64fc0f8495bc7c590ccba7c1fa71e3e683c7e46ee7ccaf720dd19d9dc1e869ce99a1a8fd8af12fb2a2166019c4296c709d5243906ef78628e9132b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3HUKAVNJ.txt
MD5
c528d636c5e0da61be13ee6b1df391b7

SHA1
c748fa79ca3589cf900d91f096fe99aed6649c44

SHA256
5d3f013f6c1b390075402ee9ef5f7a104a1e088fdfefe9130b07e189719836e9

SHA512
483708d5945ce757948d3eda30ba954fa60d1052db8c090066660ef2a5613114c7c47bee877774eed8945adfc6749e00d3d4213e48b517ad908f9a9428585601

Download Submit
memory/368-59-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/1140-60-0x0000000000000000-mapping.dmp

Download
memory/1140-61-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/1736-62-0x0000000000000000-mapping.dmp

Download
memory/1736-64-0x0000000000550000-0x0000000000552000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing