Analysis
- max time kernel: 136s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 02-10-2021 09:27

Static task: static1
URLScan task: urlscan1
Sample: https://qaz.im/load/GADT9F/Bb9GRt

Behavioral task: behavioral1
Sample: https://qaz.im/load/GADT9F/Bb9GRt
Resource: win10-en-20210920

General
- Target: https://qaz.im/load/GADT9F/Bb9GRt
- Sample: 211002-le22mseba6
Malware Config
Signatures
- Downloads MZ/PE file
- Detects Pyinstaller (1 IoC)
  - resource: C:\Users\Admin\Downloads\fdils_kdiwl.mp4.gc2c2hj.partial, yara_rule: pyinstaller
- Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  Processes: iexplore.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\PhishingFilter (iexplore.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a63109125baed701 (iexplore.exe)
- Modifies Internet Explorer settings
  Processes: iexplore.exe, IEXPLORE.EXE
- Modifies registry class (2 IoCs)
  Processes: iexplore.exe, OpenWith.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings (OpenWith.exe)
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: NOTEPAD.EXE
  - PID 3228 NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: OpenWith.exe
  - PID 760 OpenWith.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: svchost.exe
  - Token: SeTcbPrivilege, PID 4620 svchost.exe
  - Token: SeRestorePrivilege, PID 4620 svchost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: iexplore.exe
  - PID 3732 iexplore.exe (2 entries)
- Suspicious use of SetWindowsHookEx (37 IoCs)
  Processes: iexplore.exe, IEXPLORE.EXE, OpenWith.exe
  - PID 3732 iexplore.exe (2 entries)
  - PID 3904 IEXPLORE.EXE (2 entries)
  - PID 760 OpenWith.exe (remaining 33 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: iexplore.exe, svchost.exe, OpenWith.exe
  - PID 3732 iexplore.exe wrote to memory of PID 3904 IEXPLORE.EXE (3 entries)
  - PID 4620 svchost.exe wrote to memory of PID 4520 dashost.exe (2 entries)
  - PID 760 OpenWith.exe wrote to memory of PID 3228 NOTEPAD.EXE (2 entries)
Processes
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://qaz.im/load/GADT9F/Bb9GRt
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3732 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\dashost.exe
    Command line: dashost.exe {fb40ace3-9205-431e-9d72f8b3b0388487}
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\fdils_kdiwl.mp4
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\QD1LE119.cookie
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VZ7IWFI0.cookie
- C:\Users\Admin\Downloads\fdils_kdiwl.mp4.gc2c2hj.partial
- memory/3228-121-0x0000000000000000-mapping.dmp
- memory/3732-115-0x00007FFC0B190000-0x00007FFC0B1FB000-memory.dmp (Filesize: 428KB)
- memory/3904-116-0x0000000000000000-mapping.dmp
- memory/4520-120-0x0000000000000000-mapping.dmp