Analysis
max time kernel: 110s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 25-08-2021 15:51

Static task: static1
URLScan task: urlscan1
Sample: https://cdn.discordapp.com/attachments/880094120226480198/880117156560392212/deneme.zip

Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/880094120226480198/880117156560392212/deneme.zip
Resource: win7v20210408

Behavioral task: behavioral2
Sample: https://cdn.discordapp.com/attachments/880094120226480198/880117156560392212/deneme.zip
Resource: win11
General
Malware Config
Signatures
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes: iexplore.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 6ead5207ab2cd701 | iexplore.exe
Modifies Internet Explorer settings 44 IoCs
Processes: IEXPLORE.EXE, iexplore.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{B95B7E60-C1A7-482B-9D19-1D04AA8C0687}" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30906841" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "336678671" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9D5BB7A5-05CC-11EC-B2DB-C6C375B36C85} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1926282416" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1969233708" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30906841" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "336695265" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\RepId | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "336727257" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1926282416" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30906841" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
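Two things are worth knowing before treating the table above as sample behaviour. First, every key in it lives under the IE hive and is written by iexplore.exe or IEXPLORE.EXE; FlipAhead, VersionManager, DomainSuggestion, HistoryJournalCertificate and Recovery are IE's own housekeeping and appear in almost any IE run, so this signature carries little sample-specific signal on its own. Second, the opaque values are decodable: ClientSupported_MigrationTime is a little-endian FILETIME and decodes to 2021-04-08 19:11:50 UTC, the build date in the resource name win10v20210408, so it reflects the VM image, not the sample; the VersionManager LastUpdateHigh/LowDateTime pair decodes to 2021-08-25 17:48:44 UTC, the submission day; Window_Placement is a WINDOWPLACEMENT struct (showCmd 3 = SW_MAXIMIZE). The following Python is an added example, not part of the sandbox report or its tooling; the three input values are copied from the rows above and the function names are this example's own.

```python
"""Decode the opaque REG_BINARY / DWORD-pair values in the IE registry IoCs above."""
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a 64-bit FILETIME tick count to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_filetime_blob(hex_blob: str) -> datetime:
    """Decode an 8-byte little-endian FILETIME stored as REG_BINARY
    (the form the sandbox prints for 'Set value (data)' rows)."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) != 8:
        raise ValueError("FILETIME blob must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(ticks)


def decode_filetime_pair(high: int, low: int) -> datetime:
    """Decode a FILETIME split across two REG_DWORD values
    (IE's VersionManager stores *HighDateTime / *LowDateTime this way)."""
    return filetime_to_datetime((high << 32) | (low & 0xFFFFFFFF))


def decode_window_placement(hex_blob: str) -> dict:
    """Decode the WINDOWPLACEMENT struct IE writes to Main\\Window_Placement.
    Layout (all 32-bit, little-endian): length, flags, showCmd,
    ptMinPosition{x,y}, ptMaxPosition{x,y}, rcNormalPosition{l,t,r,b}."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) != 44:
        raise ValueError("WINDOWPLACEMENT must be 44 bytes")
    fields = struct.unpack("<IIIiiiiiiii", raw)
    show_cmd_names = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED", 3: "SW_MAXIMIZE"}
    return {
        "length": fields[0],
        "flags": fields[1],                       # 2 = WPF_RESTORETOMAXIMIZED
        "showCmd": fields[2],
        "showCmd_name": show_cmd_names.get(fields[2], f"SW_{fields[2]}"),
        "ptMinPosition": fields[3:5],
        "ptMaxPosition": fields[5:7],
        "rcNormalPosition": fields[7:11],
    }


# Input values copied from the report rows above.
MIGRATION_TIME_BLOB = "6ead5207ab2cd701"                   # PhishingFilter\ClientSupported_MigrationTime
LAST_UPDATE_HIGH, LAST_UPDATE_LOW = 30906841, 1926282416  # VersionManager\LastUpdate{High,Low}DateTime
WINDOW_PLACEMENT_BLOB = "2c0000000200000003000000" + "ff" * 16 + "2400000024000000aa04000089020000"


def decode_report_values() -> dict:
    """Decode the three opaque values from this report in one call."""
    return {
        "phishing_filter_migration_time": decode_filetime_blob(MIGRATION_TIME_BLOB),
        "version_manager_last_update": decode_filetime_pair(LAST_UPDATE_HIGH, LAST_UPDATE_LOW),
        "window_placement": decode_window_placement(WINDOW_PLACEMENT_BLOB),
    }


if __name__ == "__main__":
    for name, value in decode_report_values().items():
        print(f"{name}: {value}")
```

The same two decoders apply to any FILETIME the sandbox prints, whether as a hex blob or as a High/Low DWORD pair; comparing decoded times against the image date and the submission time is a quick way to separate snapshot residue from activity during the run.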
Modifies registry class 1 IoCs
Processes: iexplore.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | iexplore.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes: deneme.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 1092 | deneme.exe
Token: SeSecurityPrivilege | 1092 | deneme.exe
Token: SeTakeOwnershipPrivilege | 1092 | deneme.exe
Token: SeLoadDriverPrivilege | 1092 | deneme.exe
Token: SeSystemProfilePrivilege | 1092 | deneme.exe
Token: SeSystemtimePrivilege | 1092 | deneme.exe
Token: SeProfSingleProcessPrivilege | 1092 | deneme.exe
Token: SeIncBasePriorityPrivilege | 1092 | deneme.exe
Token: SeCreatePagefilePrivilege | 1092 | deneme.exe
Token: SeBackupPrivilege | 1092 | deneme.exe
Token: SeRestorePrivilege | 1092 | deneme.exe
Token: SeShutdownPrivilege | 1092 | deneme.exe
Token: SeDebugPrivilege | 1092 | deneme.exe
Token: SeSystemEnvironmentPrivilege | 1092 | deneme.exe
Token: SeChangeNotifyPrivilege | 1092 | deneme.exe
Token: SeRemoteShutdownPrivilege | 1092 | deneme.exe
Token: SeUndockPrivilege | 1092 | deneme.exe
Token: SeManageVolumePrivilege | 1092 | deneme.exe
Token: SeImpersonatePrivilege | 1092 | deneme.exe
Token: SeCreateGlobalPrivilege | 1092 | deneme.exe
Token: 33 | 1092 | deneme.exe
Token: 34 | 1092 | deneme.exe
Token: 35 | 1092 | deneme.exe
Token: 36 | 1092 | deneme.exe
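The 24 entries above are the 20 named privileges plus four the sandbox prints only by LUID (33 to 36, which winnt.h defines as SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege). Together that is the complete privilege set of a Windows 10 administrator token, which is what the sandbox's Admin account holds; a process that enables every privilege it has is more consistent with a blanket enable-all loop than with targeted use of, say, SeDebugPrivilege alone, though the report does not show which privileges were used afterwards. The following Python is an added example (not the sandbox's own code) that parses rows in this table's format, names the numeric LUIDs, flags the high-impact privileges and separates the blanket pattern from a targeted one; the row format is copied from the table and the sample rows are this report's own entries, while the threshold and the HIGH_IMPACT list are this example's choices.

```python
"""Triage 'Suspicious use of AdjustPrivilegeToken' rows from a sandbox report."""
import re
from collections import defaultdict

# LUID -> name for privileges the sandbox printed by number only
# (values are the SE_*_PRIVILEGE constants from winnt.h).
LUID_NAMES = {
    31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Privileges whose enablement is worth a second look on its own (this example's list).
HIGH_IMPACT = {
    "SeDebugPrivilege",             # open and write any process, LSASS included
    "SeImpersonatePrivilege",       # token theft style local escalation
    "SeLoadDriverPrivilege",        # kernel code via a loadable driver
    "SeTakeOwnershipPrivilege",     # take over protected files and keys
    "SeBackupPrivilege",            # read any file (SAM/NTDS) bypassing ACLs
    "SeRestorePrivilege",           # write any file or key bypassing ACLs
    "SeTcbPrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege",
}

# Row format as printed in the signature table: "Token: <name-or-luid> <pid> <image>".
ROW_RE = re.compile(r"^Token:\s+(\S+)\s+(\d+)\s+(\S+)$")

# Sample rows, copied from the report above (constructed input for this example).
SAMPLE_ROWS = """\
Token: SeIncreaseQuotaPrivilege 1092 deneme.exe
Token: SeSecurityPrivilege 1092 deneme.exe
Token: SeTakeOwnershipPrivilege 1092 deneme.exe
Token: SeLoadDriverPrivilege 1092 deneme.exe
Token: SeSystemProfilePrivilege 1092 deneme.exe
Token: SeSystemtimePrivilege 1092 deneme.exe
Token: SeProfSingleProcessPrivilege 1092 deneme.exe
Token: SeIncBasePriorityPrivilege 1092 deneme.exe
Token: SeCreatePagefilePrivilege 1092 deneme.exe
Token: SeBackupPrivilege 1092 deneme.exe
Token: SeRestorePrivilege 1092 deneme.exe
Token: SeShutdownPrivilege 1092 deneme.exe
Token: SeDebugPrivilege 1092 deneme.exe
Token: SeSystemEnvironmentPrivilege 1092 deneme.exe
Token: SeChangeNotifyPrivilege 1092 deneme.exe
Token: SeRemoteShutdownPrivilege 1092 deneme.exe
Token: SeUndockPrivilege 1092 deneme.exe
Token: SeManageVolumePrivilege 1092 deneme.exe
Token: SeImpersonatePrivilege 1092 deneme.exe
Token: SeCreateGlobalPrivilege 1092 deneme.exe
Token: 33 1092 deneme.exe
Token: 34 1092 deneme.exe
Token: 35 1092 deneme.exe
Token: 36 1092 deneme.exe
"""


def parse_rows(text):
    """Yield (pid, image, privilege_name) for each well-formed row; numeric LUIDs are named."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        priv, pid, image = m.groups()
        if priv.isdigit():
            priv = LUID_NAMES.get(int(priv), f"LUID_{priv}")
        yield int(pid), image, priv


def triage(text, blanket_threshold=20):
    """Group enabled privileges per process and classify the pattern.

    A process enabling (nearly) every privilege its token holds most likely
    runs an enable-everything loop; a short list is the targeted, more
    interesting case. The threshold is this example's choice.
    """
    per_proc = defaultdict(set)
    for pid, image, priv in parse_rows(text):
        per_proc[(pid, image)].add(priv)
    return {
        key: {
            "count": len(privs),
            "high_impact": sorted(privs & HIGH_IMPACT),
            "pattern": "blanket-enable" if len(privs) >= blanket_threshold else "targeted",
        }
        for key, privs in per_proc.items()
    }


if __name__ == "__main__":
    for (pid, image), info in triage(SAMPLE_ROWS).items():
        print(f"{image} (pid {pid}): {info}")
```

For deneme.exe this yields 24 privileges, six of them in the high-impact set, and the blanket-enable verdict; the same parser run over a report with a single "Token: SeDebugPrivilege" row would return the targeted verdict instead, which is the case that deserves the analyst's time.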
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: iexplore.exe
pid | process
4036 | iexplore.exe
4036 | iexplore.exe
4036 | iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, deneme.exe
pid | process
4036 | iexplore.exe
4036 | iexplore.exe
1904 | IEXPLORE.EXE
1904 | IEXPLORE.EXE
1092 | deneme.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: iexplore.exe
description | pid | process | target process
PID 4036 wrote to memory of 1904 | 4036 | iexplore.exe | IEXPLORE.EXE
PID 4036 wrote to memory of 1904 | 4036 | iexplore.exe | IEXPLORE.EXE
PID 4036 wrote to memory of 1904 | 4036 | iexplore.exe | IEXPLORE.EXE
Processes
(depth 1) C:\Program Files\Internet Explorer\iexplore.exe
    command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/880094120226480198/880117156560392212/deneme.zip
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 2) C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4036 CREDAT:82945 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
(depth 1) C:\Windows\System32\rundll32.exe
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
(depth 1) C:\Users\Admin\Desktop\deneme.exe
    command line: "C:\Users\Admin\Desktop\deneme.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
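The WriteProcessMemory rows and the process tree should be read together. The three 4036 -> 1904 writes target an IEXPLORE.EXE started with SCODEF:4036, that is, the IE frame process writing into its own content process, which IE does on every run; it is not a write into a foreign process. Separately, deneme.exe sits at depth 1 under C:\Users\Admin\Desktop with no parent in the tree, so the report records no chain from the browser (whose only listed download artefact is the .partial file) to the payload's execution. The following Python is an added example, not part of the sandbox report or its tooling: it rebuilds the three processes the signature tables identify by PID (the rundll32 entry carries no PID in the report and is left out) and applies both checks. The Proc table, the row regexes and the verdict strings are this example's own.

```python
"""Cross-check 'Suspicious use of WriteProcessMemory' rows against the process tree."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int                     # nesting level in the report tree (1 = top level)
    parent: Optional[int] = None   # parent PID when the tree shows one


# Process table reconstructed from the report (constructed input for this example;
# PIDs come from the signature tables, depths and command lines from the tree).
PROCS = {
    4036: Proc(4036, r"C:\Program Files\Internet Explorer\iexplore.exe",
               r'"C:\Program Files\Internet Explorer\iexplore.exe" '
               r"https://cdn.discordapp.com/attachments/880094120226480198/880117156560392212/deneme.zip",
               depth=1),
    1904: Proc(1904, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
               r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4036 CREDAT:82945 /prefetch:2',
               depth=2, parent=4036),
    1092: Proc(1092, r"C:\Users\Admin\Desktop\deneme.exe", r'"C:\Users\Admin\Desktop\deneme.exe"', depth=1),
}

# Rows as printed in the WriteProcessMemory signature table (three identical rows).
WPM_ROWS = ["PID 4036 wrote to memory of 1904 4036 iexplore.exe IEXPLORE.EXE"] * 3

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")


def classify_write(row, procs):
    """Return a verdict string for one WriteProcessMemory row.

    IE's frame process writes into the content processes it spawns; those
    children carry SCODEF:<frame pid> on their command line and appear under
    the frame in the tree, so a row is only interesting when that link is absent.
    """
    m = WPM_RE.match(row.strip())
    if not m:
        raise ValueError(f"unparsed row: {row!r}")
    src, dst = int(m.group(1)), int(m.group(2))
    target = procs.get(dst)
    if target is None:
        return "review: target not in process tree"
    scodef = SCODEF_RE.search(target.cmdline)
    if (target.image.lower().endswith("\\iexplore.exe")
            and scodef is not None and int(scodef.group(1)) == src
            and target.parent == src):
        return "expected: IE frame -> content process"
    return "review: cross-process write outside the IE broker pattern"


def orphan_top_level(procs, browser_suffix="\\iexplore.exe"):
    """Top-level processes other than the browser the task launched.

    In a URL task the question is whether the browser chain led to the payload;
    a payload at depth 1 with no parent was started by the sandbox session, and
    the report shows no download-to-execution chain for it.
    """
    return [p for p in procs.values()
            if p.depth == 1 and p.parent is None
            and not p.image.lower().endswith(browser_suffix)]


if __name__ == "__main__":
    for row in WPM_ROWS:
        print(classify_write(row, PROCS))
    for p in orphan_top_level(PROCS):
        print(f"top-level, no browser parent in tree: {p.image} (pid {p.pid})")
```

The verdict turns on the target's command line and its place in the tree, not on the image name alone; a write from iexplore.exe into a process that lacks the SCODEF link to the writer, or that is not its child, still comes back as "review".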
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5    cfc0d637e36187355616fc9e8e41b828
    SHA1   268c9f323b848d8ae8b39f720a92bfbd464a2d3d
    SHA256 5b7390dce5abe5066b2a93897093bedd9ff8e9873192378ae19faf2520393a13
    SHA512 a7f6b8b8ff674382825595ae4e8216259eeaa6a45ead79653a81578083450e72b4f2f347a672116d52cf953f52c7942fe9da22fb4026f37cd468e7ddd12e14c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5    cfadbc37613859fdfc450320c7c54db0
    SHA1   dc5c26c89cc450b322d553cbea067111ada257e7
    SHA256 3fe0d6052853b517eb424d09de03aab8e7523f5aca57ea39acd851da728de61f
    SHA512 bf53e4a332db329a61ffe9b01c6a8f01263220460363395e58c4d5ceab9ec457c4c6cc1de1a8e59ffd96095a747e475b3916f187cfb6ab31520a754584816c2d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JJTXMBUI.cookie
    MD5    f017eaeef7a48d71a27c3ec40076a78d
    SHA1   df625c5552d9eca6c3de3a631ad2e0778fcc0f4e
    SHA256 5b4aff33e3ef60d446db326c9fdf679ba346d6edc7218ed0836b637da564cc5f
    SHA512 37deb90fc9e0db7ccdfb96eec1ab85dff4cd518d86128a0a72776e23ebd3f2db2b053e519f9ca6af02b158d1ec18e17ece1e1d56a857509ffbb3d3915a9d5100

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SH4ODNSV.cookie
    MD5    b935016247f764c17eaa1110bcfdb397
    SHA1   5c646c4a05000496560eddd3ce9bb86afb43b78f
    SHA256 395365e21e5463d52645ce29391b52d92120aa8db70b9358e1f00c36f56e7858
    SHA512 dd60c379bf935acabd14d60fef53fdc0b512c6a0c836c9b0f752aad8386ae15c182faf98541804db6e4417d5ac37a1265919a879070e89607f61fa311bf32b27

C:\Users\Admin\Downloads\deneme.zip.dqgtffb.partial
    MD5    97e6782dd88eb5e13f1a49872e37da34
    SHA1   e4f1b607ce8b07ea2e90d3337ce32601c5363d1a
    SHA256 4478eddcc10d4f78916239fc3b547296a9e8ccc3e85197dea90c993a66c865df
    SHA512 2308f837cd4b69cd6ba09fe928bd3f86254fcbb8618a2e7b9720c3391f86857173b0e5646c9e86a0811782df3c15acc860865a7cb4da358ab4754a84eca1905f

memory/1092-117-0x0000000002220000-0x0000000002221000-memory.dmp
    Filesize 4KB

memory/1904-115-0x0000000000000000-mapping.dmp

memory/4036-114-0x00007FFAC04B0000-0x00007FFAC051B000-memory.dmp
    Filesize 428KB