Analysis

  • max time kernel
    142s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18-08-2021 11:18

General

  • Target

    https://nawa-store.com/shopinside

  • Sample

    210818-n1gz5j7lfa

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings 1 TTPs 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 22 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://nawa-store.com/shopinside
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1332
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:340994 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:436
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:603143 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1604
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:209964 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1688
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:4076569 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:820

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 match


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5    722d2ef73f5d127f8077f375fc2c6a0c
    SHA1   d38dbc2f2d9a9fac9f8ef27953e2df0ed4524c33
    SHA256 75ed5d20b786828ff4ea745f073bba5837219a2e6d03919e813ac476464a343c
    SHA512 2dd53b4284ca55d65967291500ac3c7242a4da533f59bbbb37a06e00cd27e6fa742ac70366e96169048972db42ba0fcf73a33b784baf5c312a25ada37913a786

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V13U08N9\6DE2CV80.htm
    MD5    ee9a86cca4b0fffd089c6ed2568ff81a
    SHA1   5d6141fd2d802311e3eae1867973bf17c1eb4c27
    SHA256 eb69cbc03c576c17d12c6e42ca318e6fa092a6e1bf9805d0e556540b01863ae3
    SHA512 2b395e04c296093f822db29d9fee924f70b593319f0d8af0f805c91ad0063d8b1a51a3127aa607bd753cc682aaf9c5e974143abcc557006745b02b76d11b08b8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V13U08N9\O4WC40D8.htm
    MD5    8166bd61ec43a8d2b653e67895fda988
    SHA1   1c4ee77e15d3b76a9ef212349701b5202670ed74
    SHA256 5530617be9db93b85264b158e59aece47cc2af57a1d08d7ce581cfe482571013
    SHA512 bfb13a1cf9cf6ba00da31242271e7ca0932a8fbc8a47106898d5314efa8883c2c963fc462b56bb2a2e67cac18ffabf65834e9d76c49964af17627eb6971b302f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZJL1OKS0\Q9A5POAL.htm
    MD5    02c2a6e544ddb41a688e6ac8209e1bfe
    SHA1   a623f4d84ce9947a93c0ac60170e37d3ed90e355
    SHA256 8ac8b5d28d356ea2de36b351b9f62b916540cdd60d08398e72ed8b1291ca22f8
    SHA512 01723293e2fded8721552fdf9504e2243deb53b585cacc505b636a4a0c9628510d82f373c31881d3b708f571aa63aa9735f31f06e088040074fe723ca0942b36

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R94UPKMA.txt
    MD5    5eb09ac75a5ee6764fa123410f37c248
    SHA1   0eb04b40f46c1ede2a0f1524ff106f2f967e4ecc
    SHA256 6b581855e3d2aa21bf48c26aa41c51e23e346f4163446ca771984493e02dad36
    SHA512 adb3e32c9e7322a26bc84196326a1f3eed106bdd53af91dedc9c83bb80ab177cad0e78d39089a1d1fdd34c0e659ec785325225a6ecfce465d7922635c402a554

  • memory/436-63-0x0000000000000000-mapping.dmp
  • memory/820-72-0x0000000000000000-mapping.dmp
  • memory/1332-61-0x0000000000000000-mapping.dmp
  • memory/1332-62-0x0000000074F31000-0x0000000074F33000-memory.dmp
    Filesize 8KB
  • memory/1604-65-0x0000000000000000-mapping.dmp
  • memory/1660-60-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp
    Filesize 8KB
  • memory/1688-68-0x0000000000000000-mapping.dmp