medusalocker | 3e526ba55e9dc43928b592e879aa2ea896681e709a22c6b0b8911d6f264ed63c

Analysis

max time kernel
107s
max time network
74s
platform
windows7_x64
resource
win7-en-20210916
submitted
18-09-2021 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

READS.exe
Size

53KB
MD5

9bd839a710177cf31625c09e321418ba
SHA1

82ebafbffb2ff94b91c037d5b51561d726ec32c5
SHA256

3e526ba55e9dc43928b592e879aa2ea896681e709a22c6b0b8911d6f264ed63c
SHA512

d3974db692f256f7733ccbf5d130bdcdcc18d18147b0522e8b0a3c10161604c1ee23e651cd132e3e61d81ff99c8af5a24abf465426aedc6dca1baa7adb53fc34

Score

10^/10

medusalocker persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\how_to_back_files.html

Family

medusalocker

Ransom Note

Your personal ID: ��25 72 7D B8 67 F5 4C 2C DE 48 20 03 97 D7 E1 AB C5 53 16 9E AD C8 43 D1 5D D3 B2 58 1D CA E9 E2 DE 67 74 05 0B BD 33 35 0E 27 AA 14 9D 8D 60 91 BF 49 B6 E9 68 1E 06 1C 5C A7 EB 40 8B EC CC ED 5D BB 8F 37 F8 06 3C CC 0B FA EA E7 6C F7 5C CC 2D A3 9D A7 ED 20 23 99 D7 45 7A 65 7A 70 4D D6 95 52 71 0D 42 44 F5 73 E1 E8 B0 99 B8 70 69 1D CB 69 76 75 76 A9 38 55 A8 4B A7 F9 76 B0 04 DE 12 A4 80 CA 32 1F B5 EB 0F D5 14 8C BE BE C1 78 9A 55 B4 66 F6 60 CA 66 35 8D C4 4B 4C F8 77 F5 E5 5D 89 B7 9A 3D F3 9F 90 04 2D 29 20 FF 7C D4 4B 11 5D A0 A0 5D 4A 72 EE FA BA 48 0C 4E 17 29 61 5B 5B ED B9 AB 98 05 53 17 7F BE BD 36 06 83 7B 05 B8 AF E7 DD EA 2C 9F 12 F0 AA 3C 5C 77 63 2A 15 2C 44 A9 87 03 E4 A1 BC 6F 5D E0 07 24 D2 24 E8 C8 0B 0B 53 81 8A 39 82 53 56 D9 04 C2 30 /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. .onion * Note that this server is available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open .onion 4. Start a chat and follow the further instructions. If you can not use the above link, use the email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. ��

Emails

[email protected] [email protected]

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

READS.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\MeasureNew.tif => C:\Users\Admin\Pictures\MeasureNew.tif.read	READS.exe
File renamed	C:\Users\Admin\Pictures\NewTrace.raw => C:\Users\Admin\Pictures\NewTrace.raw.read	READS.exe
File renamed	C:\Users\Admin\Pictures\ReadCompress.raw => C:\Users\Admin\Pictures\ReadCompress.raw.read	READS.exe
File renamed	C:\Users\Admin\Pictures\ResolveInstall.png => C:\Users\Admin\Pictures\ResolveInstall.png.read	READS.exe
File renamed	C:\Users\Admin\Pictures\StartHide.crw => C:\Users\Admin\Pictures\StartHide.crw.read	READS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

READS.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	READS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\READS.exe"	READS.exe

Drops desktop.ini file(s) 28 IoCs

Processes:

READS.exe

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	READS.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	READS.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	READS.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	READS.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	READS.exe

Drops file in Program Files directory 64 IoCs

Processes:

READS.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBARV.POC	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00965_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187881.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01064_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.102\goopdateres_ur.dll	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BillingStatement.xltx	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18187_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00006_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234376.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ORG97.SAM	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID	READS.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.102\goopdateres_sr.dll	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEM.CFG	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.DLL.IDX_DLL	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01268_.GIF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBOXES.XML	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHOME.POC	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153313.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Assets.accdt	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Perspective.dotx	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR17F.GIF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198020.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00034_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS11.POC	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLLEX.DLL	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297749.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304875.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02252_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.DPV	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML	READS.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\how_to_back_files.html	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SOCIALCONNECTORRES.DLL	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21336_.GIF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05665_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3EN.LEX	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WNTER_01.MID	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00390_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00911_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OMSINTL.DLL	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS2BARB.POC	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS0009.dll	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10255_.GIF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18250_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00248_.WMF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLBAR.INF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ogalegit.dll	READS.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\how_to_back_files.html	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21435_.GIF	READS.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18231_.WMF	READS.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338729414"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0cf3de2821c1b4396907f218d77eb08000000000200000000001066000000010000200000009003760c52cfa25a16d5f4c46c4e93b0d559b792617609ad6bcd96366572a302000000000e800000000200002000000053fb125d3daf1791eb223b25a0ededc21e4c2ce3e5db2f7522ce6f8927b73c3a2000000041f02bc6ae92ad7c9d42082d194ae29016b0d77a63a8b55fc6dd005797a21aa040000000a8ba0baf0815858f813fea8cb9d361663f6a2d2c36a69c4fdd366460ba69485498249158f34fdc7e5e1908eaa9304cecd4f04106e8d415a9e86abb0fb4a9d9ec	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0cf3de2821c1b4396907f218d77eb0800000000020000000000106600000001000020000000002c7c6fefa372621aed8e5cfa08ad75f6e81abc67524f2b9b882191ba87fa25000000000e8000000002000020000000853c1d8ccf7e1b8aafca18a151467dc690290f320f43e98be5da32933acbd60790000000e62b4cdba45085a7f103adea2c7d77c3297d61abeb349028825058894a2ee8717613b903b023cee015c65081e56227ecaad5caebba8eea847fc516e17bb4c0c1a5d1b08aeb12726591f14d3e267229415b9f41a72b5862530c7d9ef72184d3105f4a45296e9616a7cb567e6925f0239ee309aa615fc081951cb6d689ddde78d152dc5b30a13d535c08fdde6b5b824a1e40000000761eaed1c51261678d46a71fba1b19ccb9063503808eaec2f8d8b7e1caf178f09f4c9517d30f5657150be14c458727ff742dc2e516c8331e783a015616268dc8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5F353941-1873-11EC-9E68-561B5893EAF2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 901c213680acd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid	Process
1156	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
1156	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1156	iexplore.exe
1156	iexplore.exe
832	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	Process	procid_target
PID 1156 wrote to memory of 832	1156	iexplore.exe	32
PID 1156 wrote to memory of 832	1156	iexplore.exe	32
PID 1156 wrote to memory of 832	1156	iexplore.exe	32
PID 1156 wrote to memory of 832	1156	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\READS.exe
"C:\Users\Admin\AppData\Local\Temp\READS.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\how_to_back_files.html
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\76W8K2VX.txt

MD5
9ab63e4183d01a873de124e9f9049038

SHA1
5b7b7f84d0d09effb5bb24e7de6f1ca1e2e57341

SHA256
ddbfabf4654f387f43034910e46b4c4408e4597defdd2b3495d75307d1c6fb1a

SHA512
ef0d48acd5ba539b917d96bca8ad7d37ce9ab0857655e1d046400901192088e96b1e64647175513d7ae10da8be935b92deb3b10d5e3fbc844936d3a432c8c042

Download Submit
C:\Users\Admin\Desktop\how_to_back_files.html

MD5
04ed18431943ee32be42f93e9d10564c

SHA1
f3f05d558a63b6d82071cfef31f779c589056813

SHA256
5ad84ae3648012a4dee4ba533fe596c839182f5d41efcdc3d464b6036310e225

SHA512
897d13aad459c43eb15c5397bc9f8b85124df0cc1e89846d8afc479a6c0455573b2b43d30274625da188f63f133d3043c25085464e2ac5736f595e263e5685a9

Download Submit
memory/832-54-0x0000000000000000-mapping.dmp

Download
memory/1676-53-0x0000000074E81000-0x0000000074E83000-memory.dmp

Filesize
8KB

Download