3e8a6cdec188c0ec8a963c6069a585cda2121c2cd66bbee0e9a8c02b7710f183

General

Target

New Fax Receiνed For.htm
Size

710KB
MD5

cc600e0ae18f94b7317b73f49b119fbd
SHA1

ec1eff7473bd7743658c75555b3f3b467ea9fb85
SHA256

3e8a6cdec188c0ec8a963c6069a585cda2121c2cd66bbee0e9a8c02b7710f183
SHA512

63a14ad8b0a3c2a134616ce97657d921924b74356bd4a2faf7153c170a6f280e1325ac67bb32e4b0deec726ca13720f6f7057e7f5ddbe479d8bc93a058a27a66

Score

7^/10

microsoft phishing

Malware Config

Signatures

Loads dropped DLL 3 IoCs

Processes:

helper.exe

pid process

3912 helper.exe
3912 helper.exe
3912 helper.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3548 3640 WerFault.exe iexplore.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

pid	process
3912	helper.exe
3912	helper.exe
3912	helper.exe

pid	pid_target	process	target process
3548	3640	WerFault.exe	iexplore.exe

Drops file in Windows directory 3 IoCs

Processes:

SystemSettings.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\3060194815\335381474.pri	SystemSettings.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	SystemSettings.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SystemSettings.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3619723222"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c3000000000200000000001066000000010000200000004afb73aa7fe6b2f7bb33315037b45bcc442a168bfa4d69dd8a77ff044a2d33df000000000e8000000002000020000000d94ae8083f74ce4d90fbc450a4d9c4c7ced0c09dfa9add24e6ba72946cfced90200000000b488790c609734ba7cc4d6e809a19cc840adc632a4db075c34dac6198bcfdba4000000036111c1b208fb28bcba915c427d847fdd874425fa57eb69a40a20d6fe2318fca12b074e1845694018e6bd0a72e52b1dddc074d163bac9deb820caa8a49efaa48	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{027E9C37-43CB-11EC-B34F-EA01281C3059} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30922711"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "343494951"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30922711"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "343543536"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10dcaadad7d7d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "343511545"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3619723222"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405895dad7d7d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30922711"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002b5b008aa2024f4581a8e5e30df850c3000000000200000000001066000000010000200000009b3397b541d1d414ba832107f67e51690ec9acf4f2d828c9a746fdccfa1b48a0000000000e80000000020000200000000e8d30e0025c2379cb7f6bdca2a232b44de1cda9bffbebd48ed51b50d15145f520000000a905514fd083fa43a4ede97c15f97ede1bd25462b6f4e64f09f54ab144a39f6c40000000d8cdef0d674bb50bf9e9da662e74b106e64b0347e93078b60593ee85a4b7cfc3941eb96583319a17fb46e99838afa1a0c985e458a9171864ad2251a4da3a5e25	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009acbbc286be63c4682a409f320de94d7	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3624723028"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 2 IoCs

Processes:

firefox.exeSystemSettings.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings	SystemSettings.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe
3548	WerFault.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

WerFault.exehelper.exeSystemSettings.exe

description	pid	process
Token: SeDebugPrivilege	3548	WerFault.exe
Token: SeDebugPrivilege	3912	helper.exe
Token: SeDebugPrivilege	3912	helper.exe
Token: SeShutdownPrivilege	4220	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4220	SystemSettings.exe
Token: SeShutdownPrivilege	4220	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4220	SystemSettings.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

iexplore.exefirefox.exe

pid process

3844 iexplore.exe
3980 firefox.exe
3980 firefox.exe
3980 firefox.exe
3980 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3980 firefox.exe
3980 firefox.exe
3980 firefox.exe

pid	process
3980	firefox.exe
3980	firefox.exe
3980	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEfirefox.exeSystemSettings.exe

pid	process
3844	iexplore.exe
3844	iexplore.exe
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
3980	firefox.exe
4220	SystemSettings.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3844 wrote to memory of 1124	3844	iexplore.exe	IEXPLORE.EXE
PID 3844 wrote to memory of 1124	3844	iexplore.exe	IEXPLORE.EXE
PID 3844 wrote to memory of 1124	3844	iexplore.exe	IEXPLORE.EXE
PID 3844 wrote to memory of 3640	3844	iexplore.exe	iexplore.exe
PID 3844 wrote to memory of 3640	3844	iexplore.exe	iexplore.exe
PID 2428 wrote to memory of 3980	2428	firefox.exe	firefox.exe
PID 2428 wrote to memory of 3980	2428	firefox.exe	firefox.exe
PID 2428 wrote to memory of 3980	2428	firefox.exe	firefox.exe
PID 2428 wrote to memory of 3980	2428	firefox.exe	firefox.exe
PID 2428 wrote to memory of 3980	2428	firefox.exe	firefox.exe
PID 2428 wrote to memory of 3980	2428	firefox.exe	firefox.exe
PID 2428 wrote to memory of 3980	2428	firefox.exe	firefox.exe
PID 2428 wrote to memory of 3980	2428	firefox.exe	firefox.exe
PID 2428 wrote to memory of 3980	2428	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1216	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 3480	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1792	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1792	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1792	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1792	3980	firefox.exe	firefox.exe
PID 3980 wrote to memory of 1792	3980	firefox.exe	firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\New Fax Receiνed For.htm"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3844 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3844 CREDAT:82950 /prefetch:2
2⤵
- Modifies Internet Explorer settings
PID:3640

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3640 -s 2448
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.0.1807600935\861625193" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1516 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 1604 gpu
3⤵
PID:1216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.3.1138400698\346968049" -childID 1 -isForBrowser -prefsHandle 2252 -prefMapHandle 2160 -prefsLen 122 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 2264 tab
3⤵
PID:3480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.13.1403333682\1310206986" -childID 2 -isForBrowser -prefsHandle 3340 -prefMapHandle 3336 -prefsLen 6979 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 3320 tab
3⤵
PID:1792

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.20.1460645197\1294217566" -childID 3 -isForBrowser -prefsHandle 4444 -prefMapHandle 4468 -prefsLen 7684 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 2708 tab
3⤵
PID:1092

C:\Program Files\Mozilla Firefox\uninstall\helper.exe
"C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
1c3ed22c003b0e1724a802f750244f60

SHA1
c83f95230ea4d3ac58c4f5d5a7504b0f5eedf0ad

SHA256
f24de6edda835df45daadcce85ecfeaa1f5a363a16faeff1c16ae55ec57dcb6b

SHA512
7f9f0395307b63d4bda636b132533f5e62b36bfa78ff0850c5ba0a2ebe3f426b0a18232993a35bfe9166d9f86d2dfe2ad6429fc864265a0bdf6d4f1f25d26297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
e2cf535d36d4727db08e73304b62e16f

SHA1
552ffe409551cd3413ac0f8400e81463839ac0d5

SHA256
4aca051e3e8339fa8d2c0562490bf80b77c8d876209a0493d60aae0a0bb0aeed

SHA512
412cf853bc08358feb74eb802cc8d08a77005b3919798c1bac9819b7d3aec66fa27848305da46ae3a38ae87db7b39268d2c18f1ab3b1f05891aa88a4edc6f46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\13X0AX0A.cookie
MD5
9f32ac2b56775aa3d28c680910468b99

SHA1
727897a7a18ba04f5256808a96f733ee5514d287

SHA256
a954b58d11c66a9bc2b3d7f24c5d0e0250285ce27a495803f3955f1ac275102c

SHA512
0a859870a239a948afc2da5b8407a80fb5723b6daadba67e0f108afb054f5ee156d24e441012e066927d1bf74d5f61a7783a034afba3f69aac7d326dba7ced43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SPQJV2C9.cookie
MD5
0855efbe43a66ae08eb32d9693c32b6a

SHA1
d6047778f1fdb96ad79d99980d7375fbf98ac7ff

SHA256
11e7bdfcf715e4795358fc646e5f62665ddcddf9d515e97689e0414faab39072

SHA512
a5f097ad3f92c6c6a313282e6afc5b36800ba941495151a1d9610cf480bc30305dbe153538e9ff67dcc1f8b7547fa803c1a4e604d120a6774681c63d3cf14b78

Download Submit
\Users\Admin\AppData\Local\Temp\nsxD464.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsxD464.tmp\CityHash.dll
MD5
737379945745bb94f8a0dadcc18cad8d

SHA1
6a1f497b4dc007f5935b66ec83b00e5a394332c6

SHA256
d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

SHA512
c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

Download Submit
\Users\Admin\AppData\Local\Temp\nsxD464.tmp\System.dll
MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
memory/1124-144-0x0000000000000000-mapping.dmp

Download
memory/3640-183-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3640-180-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3640-179-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3640-178-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3640-177-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3640-176-0x0000000000000000-mapping.dmp

Download
memory/3844-134-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-168-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-138-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-139-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-140-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-141-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-143-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-136-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-146-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-148-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-149-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-151-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-153-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-154-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-155-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-159-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-160-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-161-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-167-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-137-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-169-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-171-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-170-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-172-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-118-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-131-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-132-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-130-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-127-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-128-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-126-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-125-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-124-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-123-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-119-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-122-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3844-120-0x00007FF8A95D0000-0x00007FF8A963B000-memory.dmp

Filesize
428KB

Download
memory/3912-261-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads