evilnum | 75ae7bbdbfccde37a545a6b316e885e9a6d1ecf3c069fa48594a6db6f30c41d0

Analysis

max time kernel
157s
max time network
170s
platform
windows7_x64
resource
win7-en-20211208
submitted
30-01-2022 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75ae7bbdbfccde37a545a6b316e885e9a6d1ecf3c069fa48594a6db6f30c41d0.js
Size

19KB
MD5

835d94b0490831da27d9bf4e9f4b429c
SHA1

4d97d776c40daf28201bac7b09ec199353f52059
SHA256

75ae7bbdbfccde37a545a6b316e885e9a6d1ecf3c069fa48594a6db6f30c41d0
SHA512

adbf433c5c5959e6d203b582ded180e86caa3259daf0ffe5650cc225e3397223155d8da5a415d4ba407c288f79803ab558ec70f40179732a41637c8ed48a7e95

Score

10^/10

evilnum trojan

Malware Config

Signatures

EvilNum JS Component 2 IoCs

resource	yara_rule
behavioral1/files/0x00060000000140a3-55.dat	evilnum_js
behavioral1/files/0x0006000000014158-57.dat	evilnum_js

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum

Deletes itself 1 IoCs

pid	Process
1700	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	reg.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "1"	reg.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	reg.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	reg.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-VersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\VersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395178327"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListPreviousDownloadUrl = "https://iecvlist.microsoft.com/IE11/1379465767093/iecompatviewlist.xml"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-VendorId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000004fd2d00fd2ddd3686d5e75fb649f59b90aba9318d9cb7d6c95c11894a10100bb000000000e8000000002000020000000fbb463570c9004e32697124802b4208c0499e2ee20db5e93019b556b8399322780020000b94426b36aa83f26d302daf77fcb2182c0f319db20df71106ed11bb89b72b9768a2b51952bf957e5bb9e4933f1bbc064ded0252f6f0ecd5d5041f7445ab192410b263be3d92f67b99576166bdb92fdf6275eefb35e4288e5425be4f9daf39775a0f76d24711b6b53890a3c38437470e39c71798ad8a2d1cbe10d14d645eabbf71fd9546dc812d7f2b4a34d57a9e31e1bdee8101e9a041697c0a60c9daebaa16838f4003cb77c80329b2daca075957ebaf3223bb67e3ae290ad9c7fb57b0941d377d94c0cfa7c82c67b332ad2f0eda58a43b9c4aecfd76fc4b4668bf752bb89122b1c726a593148038822c2a466e16338b82e746398071fe58cea2ce537d27576432cad9fb4f5bbeb8363263ee4c92d0c70f1666008f750747bd64e8d2d405dd58811f62a62d424e62d71800773ea1dbfa00c40ed4d8f59b6ac87adfbd3a8af49dcb4161cde46bf236ef921fea0a00aab44e8c9986d7736dc3d66defcfdb184357357caf6c6624625c6669bacf25b902cfbc8ea8e05d34638c26d24b0e9b6a1d1b3d56eb6d5dc479967255d0a65e9c8d45f24618ceeec6d25e1565af30c838d3ad022f5c366cf1a5b8c152e0fc43fc9e1beeb25ab3f8b48ab999fe069432dd536abf9ec2a421b2880ce988dab8e252b47fa9692361db80aebd0d4f71ed8c8a4fcb358469dac667e172beee964a403fe29a211b9be96fa5ba16c0b4069a7fe6fd55ccb4cd71f5add688b7f702dcf27c83126af2f8f74082eb8fda1e66b4ce7cda0ce3a14fefaa0294600c5c77faae5ed741f9d01f6a620de09ea780557a1cffcff6d64ba53d667be30edead3b5901d1f2138449b41cfcb4622aef5c1d6b6a28bd03b85b1e5d17952a2c133925169a30bdadfe510e9699638e3dee62596cb5b784d400000006adaf200cbdfd76b8cd3cdcd4e8fa1c618e7b4e192b010b4e69478497955b676ccfc0c66654dd5295aa715ed6772dc24e8e44b2f4dd91073678a509bac163611	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000960ae89365b56096a2d8b54f69223a260b41372ec5809dc7b3771f0f43be86e1000000000e80000000020000200000002c764e6af0c9cd42a79c32db97cf3ef6acd9228f69cd26954dcb9ae65bd56f8c8002000009840785e45fe5e22da1b4c12db0ae79759489c61a29e6c4e1494f9b95860d0fde975f310c60ff53c3588d31e0ab5c3024859885defcd7687802a2e0a831a36a107dbea1f242c5ac2aa82f4c4972e2f333fe7c91a0619e1dda44a5424a9992688393cbfabe740c020e508aab17feaef95f944658c5d2619e2cf91aa1c7ad687d0ac9dc9fcfeba59cf7d73e7148b9e757e03e24186439d0ebd7b0dc3e92297bdfef6f05f19fbbdecba32d9a4cde6eca20cf69681fcff897bbecd7c4a13e5cae76d9073882d5fda465b6d29bfdce60b9248df237d18c17b1526d1c46f4a45bb9b0bfa830086e03d452e718b6caaf5220a1ad64bb3358de2ab36b090e7e6ece5f65864d69f135bbf6347fa7055ac15d8befbfc7a9bbd00c650b3d300dff516536aab42c8eb7a8ee9fca021b58118190df9d0ca3b0a9bb8ed5f30c602556639d8cae43f89c03b2cad234af64631f90e301628627dcad4e1ee2559e176b2976a45c5164293c2c30ed361358df580878e0912f0c418e8940d24aabf21ad78a7cebd74605d4b3d3c8bb193dfed304ccf4963a0b5088f986f26063c4615fcd5128768f4334a127348d13ec46fa9f4f32297fcab201a1a3346d81bf351986b27fc372b10c988fde8516bccff5c8ad21b75106b692c2c0a7c92275d1e16d2522f2d8d48bc7e7fc0e29068704b2b1b6a4688f1cefc8b15cd82bf32564ab71ffb4aaca07671052874ae4f7ffa96a4b2cf0ad72764e0eab1678870c115ac92a182b88740a03627d130b2d286f183c23ff7fe56676fc09e9ce51aa334ba4f267c6259f5db99f43265ee4f2d619298e4f2f7782552fd698915dc4cd1d134fa8bc29b1c2e50238fde2c08d1cc26c1455fa0c1d503adbe0e26a1e56ff1e4ab804d9c998e9d8c7b53f40000000108558ff571b3818c4f918bdb32f0b1545bb92d4693448846b9a1f9e3655f43e37b6ec063fd56619f44c5c5deda14177c7a58ec9b319a651ed02126a7f59ef6d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\IE10RunOncePerInstallCompleted = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc92000000000200000000001066000000010000200000006b58a0a8cb597984ec520b9ef592f526ac037fa87a0437877b7d53c9c00a44d2000000000e8000000002000020000000ff5c99eb1f45f505f43ceaec5ccaa65b78a409222e7af79eb8f4bc6967513d49c00100004fd60bdf86abd6c66e68ae3f88d65ac5daefdbf86daee880598efb2edf81ad33f9fba286da5f10a2076f30966a23207584d85ad544b93fd33950030d0d03ba887ae831a7cc202b19517c749e08b6650eea4203a577695e663ebdf1267e1721536b7f8ff806d61a04c0a2272af97f3c2244b4f221718c644398a3e4309a2bad66022f96e9df670fae27f26f0b27874d17b87ad3e05b1932a3cc9e67621b609eb51db8b901e70d71e81bbd593efdef455827b24f837d348967867628e92b609efec435201b07f4f785430f4a96e29094e26152fc4014706e34c5f102d7624ef9926810632995302be8e5592c7ef9f06d6d4077c95ce6a8b9db20d9ec30e3cc83651225dba5df56cdded8897d6dad32166ee4ae3c3076de06922e60d8cfb6f73a9b7b089af3b675e1e6f1ca049c4f17c3172ad82e2512284b0cbcfa72ada0f35a5c19fe1e12aee782217dd2b90bafa16cf327d323c1586e9b1c983351b77051dfcdff1575cb965f433ccd23acadaa219b948eb2088b9ab9c543515dbbb3cc6cdbfed2196bb50f885cab6ba04afe428200fc9efac22d405aaf7ce8c18b3684c1b009d82707f4a50bac7370ba0f534cf48f7624e8117d04f65034fa2e600265976bfb40000000d54c849e50cf1770e5f25f77d4c915599d861224c44809ca4b76466e6442d0d4512d8108cfa5762263d249d7ee92a0b276681d0236a81aaec262038c599bc06a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000d433350eb8fd240e6dbf879c9d6396aa9f6cd109d699e9e1859c575d309de0e1000000000e8000000002000020000000a47024730e04e51a6f92c9b0d63b412c3a3aed4b0f7feef852727846e9057d2620000000181a658e5dbcb6c6c0a3e1acce06d451d394e6b1e57a5d0e9bffd14b0dd3b73e40000000824c58bc6ed62f421f5994b72aa60af2a32f06968b2d684de626651290ebdb4ea33f7bbb8d34577466afe5ce6e9da6ca5da6220bfb42cb1e8c2704d251f252e5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\VersionHigh = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000b4f1e17bf804573aa752827e16dee6d7ec9ece1a4e70c014f3225b73b996778c000000000e8000000002000020000000b2d9313e5db826e04c102821fd6c03e754686e04402938ec36f80d3a2e986a8d80020000e1fa6df909782dcea41c71636ad3f7fec2929348675750c88df5e70cf746e90f5def892388b10f1f0c96bdf096f322607e93577133a80c48d2bdb05701dbb38b35cbda325062289f6695dfbe6fae7e902470edab5062c603fb5206bda7d8adb11bd0ee79f8e53ffa9a15c1ba52e8d22cc4cad8b8b173b847bf3d7837431e1b1c2683b29f7cb64e2b2a65a2974162cbf6d41da9d5e67141dc8eef52b9fafaf65bd2aed79e411209c707bc104b310986c778ca3acca2bdfb735aa2c899db05f13f8b5a9cd8c8d6190163366a3c9e29ae68c42a80644c7b5d0067c64cf01d3d9c783f09f22ec08d084d1065cfe12cf8c6e1fbcfa9a01219a56a6434b17a26f2f0aac9606d5c0d7fbdf6bcf8bebdce37b1ace58cb9bee4ef2aed854a3e6eb0e921aaec23d888a41360c9974d5acdb9aff6c3ae916ccb9d1e9d94a7c909c79a4f768dc324b58c324b7f452f578571e237f62fd306913380e42cdacdd576f35d2778fdceb697f3dfad4d87a58e25c6ac30acbc96ba6ec6bc99da93b03772a2c3708b56ac23e4ce42013e74b0cce3892f395a0cc301a6ac618c24d6866919486beab475c2ea457b3a7b76342f200f422d0d27a042015206fbabad3fa4291ada0138fde0438689756b9ac23c89eda3911e21a990ff9647c6e9cebd5bab2e6665a0021e9a652b98e0e5460ba4535b58b15fb1292c79130521b70b9c239f240d16d70366b610d2c3ab15040443e2ac83ef3fff99e863b582b59a8a2c97e49029aa97766886f694b3a9440abd66647f8799801048f46afeb6fadb4fb4ad9e879d2eaebccd9157f7afcbe9a81c64dee40bcc4c3e374f5fac5af0685c20e80a04b6a206d25a657b62464cd8caa3aeebf554e95e2feb0ee0204d515b49ecc5823ec132aff591914000000011cc5f7445c109d18c0e34b30f14ec2c86c53341c927b82e407a1a3883f7efd950b30cadd4090f75843268c1cc424b08f4191ed9cacb6413666bb88c9a92ffe6	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000c995a18ece298b1cfe68648b4b3d7f09d365a314b90a6713f8afda6132cc1e0f000000000e800000000200002000000029984dff2e4af5cb3c431cae1a3d44099b28ea1ae0d58f52492051d4e8e0dcbf8002000087d1675f874e5a370e7d51b51c0d0b21b8444fe0eefe7c40be0e82d984909b3a7e481dd20330f3b9836e30ae2c2d40dcff401b92475c13a29a4e2fc5d59a8ee7ddaa95225c149eee1fcb836472068c82935bbb0b9c413a0378f3161bd0ee849fb52a4b6748336ffe0b13878c1ad984e99ed644087e09f99eb60ea358d665664b93b683139457616985da50e9c6b1c6d94f9d3ec74207ad24db07935c338d51b8d9c209c1c0dcd59f2ea7ab125fd7d94895058eaecae0730cce3b8877de5ad61e0bf0d0c0b07dc61abc68fe2372e66ed1d684b7ff3ca6a8b5ba1a48b0c6438163ecf538e3b4ebec4796bcd672ddb2b69a90e15ae5eabf9ba5eda7362ae91b2f06eff3dbdb947c8e7dd4a361739b38ad82b60b45136cd12c873318b2f990b88c8a095fdad4100ef7b99ba48f57e77cceeadb9aa555b1241fcf7e4ca30f65d4d8ff56bcafcee05f93a5f81c6e4078eb3bacf071dcef2a1e0560d4b6b2f7028384d3b2ad06c5aba76fe1642c2af355380ec9e2539f300b18b4d117e7044aca108600dca6716e6e083a12e3b5caacbe75ca8c4895dbe840b9a2c965cccaf40c47605fbc9b3f03ab33e225c0522993bea4282239190e113e009f51253ad03619b8c8a1f321462f937fe83c5ace36a6e8a7aa9fc8ba0a0d67d858981e1a0e108e439fa5c353a9eeeb22688b3a56400d81026fed674dc16c65d3bf0adbdf9eacc6522abaa660a02124aa7f44dffbf0edc30add369a8c08ac5fdbef7023021c717f5f5e890e58a05be2e27a6651a44281bac8b0840659904227585f88398da1b469f47711cd69689e4307c9cc0d332f695a3da112766b479c954de834df7aa880981561461cd7f7ffa84444af3f6d59e034def7f5a533b7b7a4af3fc628a61a8424919a85400000005fa0eddb2ef4886dd1bc691babe2d3f77e01887b1a630378cf73695a769720ed1479b245a6040968bb2e7bc1839b7594cf8b2f6632869923104bca85e0342f38	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000225d414bbcc550a9b55f1336d86246e833ad468804de112a7eec27715e9f66c4000000000e800000000200002000000044ef29c4a96ad8fca80dbaa23e8c49c2a1f0ef9d3df385fd6bbc2499347fe6a980020000d80edcffe9e9b498048cc74bfcacd7465229453f5dee14c708d25d5bbcac4450c3b9d0f15c43cb2832a270a90ea9a8b8174ff84f2737c4488faf60167d15152d55a0c6a3fd5e688bc9ffe6682f6f5555c317a7e06252b1635108115ffdcfd377ea7e16967c0849e6863ac3ea335908441a05e0fc83cf1318336807a4374330a0fd4fb98af4ee7c48fc9715748684b344b135381fd311ae13d8ef81114cfddda7c4b70325e5119ab1b317dbb787979b136803ca27bd1aaad36529757e3f2bdb27f8182c20bbb4ae5a9ba3b933ff10d4d7c3e707dc89e64b145314c4a4edff33664e494768acf0fef77b6d751d257a9b38109e6f0a621b8bf289855af76d36c92f07b691c10acf98e289928c68779838ac8198adccce8d72ef41cf330904da3c1e6f913e60bdff0dd2d5b5156b3e5d5f2cab4d31db1c13e4d6d9448e388c79fa4e0f4b9ae8ba19dc3e1a22be9e002fa48401d081f42c384986bf37761d282ab0cf269e0a6fe706fdf1e8c18db15fe2bf64b17121ef80f95990b12e1b7aa1ce2c4a4e6d8ef47798219e4477e9f44363ba00f0262ed4deadd52800fff6d38205532e3457b8d079b14b3584fd4e60dc79e526c25c1403ae08b1df64426a419541cad4b43d479fceaef713cb493a2a50efa4f9472854044a61386c747c9363bf155b0946013b6e4cbf9307fccdeb5cb0b47879aa48a8d222deffda8bda203a7f68e51354812543cce757c6b140dd4a6e7cc1a0f9b4ff44f80bfd9a85c19ec81c0eb1d019aaf4779daf25cb4b70d669a16fae685e0dfc938aca7c1f1d0232da69af1677337834b62f7948834cd35355539fc0954c037af86e3afde529da42f1885c366f772af347ba375e787b1e515cb9f19a4dfeeb8cec8ee06df10b65aa925aa607e04000000042089d8a90b82c88411685ba98a91e112214f7ffa4f09e54b8b9681f64c04f38b4d2ddfc00cca8ccf6cd198172ccfd405414def81cb442430690f62d872207aa	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000ba8f657729557c62aa10a7f5537498860b95b328564a46c1c978388c37b00aab000000000e80000000020000200000003fed8dc3c84e4ae21ba1a5588d5c134cdd4175e7aed22b1e8f6a60541a2d9b2f80020000f8c08058d318c79b8dc5735387f8ac4b3f2d38bb07093179713635183c95e24094cc5d287bde37b64d98f907a549162b5ba897ed2e274272539bc1e0139e4c4680788a976f94483481f8d1d7996966e270c333abe3f69bd88c2c7c6569cafb9c1bed2e3d58df3e13d4577260149bd8ec2b37b88c663a300646afad9c169a86d86b56a08bbd860929456942291469343f3c88afbc7a21f69d6262832210ce22abc3c0ee19f28e0abf69dd5560af7595c42e7172e6bd9a290d521b6b604238a77ad38537f95017254793d50d6f091a0b01ee4baa0d88ca51a66edf91e220c6d6d30dd0f5e05c8abd5cbe19641fb98bd48e23c7ec3a93db7b5f603a14ace5776c39e34827d8d467a088a7272801a58b2b67536f10ab3de6390c721503f5087fc09d965a7bbb24866e23214d77307c03695d88f868c2cc3c5f146851731808d051e22e7a7e76132484eb0b4aedba2b5a715a469a64acdb086f16c07c60130ae6e4aff143d22571f027c0f62d8214b2603ebd4a0763d8b7d708b9a91c1b32eb0fb262db28ac0ca622ee39265ea4c7a42c82a01a4c2ac7f78e0c73311093ca71c12e8c08259b49d2a946f0742e6be140dab852b86318cacd91feabc20008d03c4142d86841cf4b753ba3cc1d233753d7c5ab57aeae25f23937b5ad2ae8d1e6ba1ef14d5d5fe66fc5bd5eed4bc695c9f441faa6354747b12b9cb5c6011b45df19e7916e97dd510586ff37433ffa101d49528ed15336cb0b55db3d0b89c90535eab61d828ac6cd150b3c7f4f7dc511f2d0a3829c8a3448bd6adbfb8fbd1d01cfb9bf72f22d5b42f4f82f3b3d55b92ea06a70a9eefb1c027315b0ddfbcce1888dfc975f791742b06d5a0e7ee30aaef0d1077c3c5c5d52990afe567577444be9aff2a2dd75400000001a83cbf20c6b9543fe32f846797ecd2530b61b7a515cd2bd6e38230d3ffb2f872da87036bb13ff3775cf01dbf3f1b9f70746a3141d2bc0771a7f11f6f403662c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000758ad30feb67621b228b566159b4a9060b5c3d95aafe00defe10f5ffee2e63ee000000000e80000000020000200000004107d02fc45b81526c598e0e5e87c3c0149c353cc62ce716b8b8a68acf69c9ac800200000c23a8436e55034eaec783ab9a063995e5a3d58668f564073198bca93393a68beba9adab7f949ba2e025af972d983551346168d3f721449f46e10f2b0d2f1e7d6253b592cdf8e67eea4eb8e1a1ec5663f0a793151ae3ed71e93a675b06599fb2796c19ca33a162e84520927680b1d31e6bfe2b1d60d7f02a120c36b074e74e581acb6ee2715a3b5862df445e5e72ae899605aca7bbd5f6d1d9dc222d42c54a233b507540645c1585b288be7da8e4a3bb06198d4e69d3b8f27444ba25b79435f64dc06c4a028ba695fd2eb428945a11abf6ea678d756a9ad20173480b3927e5a6cd1fe45efd572ce243c468a6ea060250e8272c1f035c065105737bfbb92a1dacf843eb1755aafc5115e81fe48a0d1c9b73252749422d92c0d0c844510e942b16874cb85d643d8914419b66f0d85e58c7091d899bda9c0020d80e73fc1c8c38b8b723e5f534fa8fc01e0e0c397ef2ab1e98b8efc1d7bd54fd6f170225174e7b4cefd182fe42d1261fe1708c31ed9d3a41d3a4422f33502585184740c0ffde3b991a7f7b3de62aa7f15880bac51e237e14cbf46e506a503b193c0d00470e590140cebf25d282c768c19dc15a679f3824a2b1440d9d47b8dcd53542f7d8a574a54188ef78b24c9535c2f6863eff5a3234a236f3c740eae19fdb202c3f4e60e403fecbd30babb4da3ed1a4205e3c9e25de3762fe9292cad6775bb7a8e65f0c0ed4f951f6d0b991ca39ff5210713b6ed10650e222bb41c5ef0c7dcf21049b1a10fe426ab17a8087ee287b54662aeb42f04038cfa53000e6de528b2faa9d024d5d618d9ce8a98c554399aa64f7ad068d19ff28c6ab2f468e8fa018dbe4e4ddbb78fdf5342466128695aa2d15ae75728613b5f3ab17b610ed21c9e2aa46c71a88ec7e5340000000c0a228631d089a3fff611fb4ded9f3660826b90f276b70e807dcd62360598e6f6125275d6a5230443a37e7ad1f516dd3a7f8eda7ce5e5ac4b8032432c6763265	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListLastUpdateTime = "3691117"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "350315285"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-DeviceId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\DXFeatureLevel = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU\Wow64-VersionLow = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000b942870d8e2ba2172866760a9aa7c184e81bdabed4ad60f4091c50cd761eed65000000000e8000000002000020000000a80677faae3ab834f00aba540003cb8ce98f05a72f90223a037cb01245a2e36380020000830c64eb7425fb46ddfce4117fe063b7ce70c798763452a47ff0cd706120dcaf7b1c13f300ceb1302dcc52271afb217cf38c118b8da2b0e8d8e94a7ee765a38b8e7fdd0221fbf6b84d9a8786839b34d8711f724d64ce3c8850896405f5528a2910c2db6e1cffdb38307b56e484214f961534c79f249a7dd5eebda058df704242ddbca6bf93f9dd3b06bdf18bf555a8faf89dc4722bce410ddd83a34a47a1069e50caead07b9214060d3494d41256be8a3e0ca0583c840561ca79572796560cd20c25437501a03c68139043dd363225fb8dc7b1fc1c48789dd269d2f5ebdde8672baf409e8ee0e275379cf13afa96ade1174a014f48419627c2b3e316857b6defc3c31f4a8beeaca3dab2a389d8a02993aebc60039412f097eb94fdd617bab6b42eb0f990b4d3589ed5e5a17064cdb63bfed4add2ef239f50d7eea8f78522b4acdd464790659fcd00f2b2b53e540f92d6aca61755407788802b49edaa4f05cb77ceda90c3520dabc38043edb6624cce803b6664b5536232c5c0cad51a9b1a5e289a56a54bf6fa2c6219af7e3916df92c430407302d8a50249d6c0bb3323b3ac587b77bffb2c1337b33ad5305c526e9e3291d3b7c623c67ab84264889eda543e53ffbb93f9954d44047f694ddc64836575b654cd6ec33a16afa353c27722719ad9667e6a4b7611d83ab525383520dffabac5588d018d62201597834395be592dcc92ef985e415a3af6b76e4264849067da47b37863baf309153834ded7ed7de47417e658b4028d1fd07a14c5ee2a6cf2760f2656be9b051a0d8d9316a10f9735a5cc858ba57e80125573179d6cb6565f7c75c3fc62a84c8de6922bf9632af8483cd682f75dd6677c5913b8e423347f12874f4d702ad5d31eb09a9bb89381789860400000008651fa9751d4266487c8c54d701f7209b5382c2864c382af8efb20f4c713fc15c2379342b9426c7723265d04dd752065a36d3fd37e85f9fdd213ec7c001154ae	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2036	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2036	iexplore.exe
2036	iexplore.exe
880	IEXPLORE.EXE
880	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 472	1700	wscript.exe	28
PID 1700 wrote to memory of 472	1700	wscript.exe	28
PID 1700 wrote to memory of 472	1700	wscript.exe	28
PID 472 wrote to memory of 548	472	cscript.exe	29
PID 472 wrote to memory of 548	472	cscript.exe	29
PID 472 wrote to memory of 548	472	cscript.exe	29
PID 548 wrote to memory of 1376	548	cscript.exe	33
PID 548 wrote to memory of 1376	548	cscript.exe	33
PID 548 wrote to memory of 1376	548	cscript.exe	33
PID 548 wrote to memory of 1088	548	cscript.exe	34
PID 548 wrote to memory of 1088	548	cscript.exe	34
PID 548 wrote to memory of 1088	548	cscript.exe	34
PID 548 wrote to memory of 912	548	cscript.exe	37
PID 548 wrote to memory of 912	548	cscript.exe	37
PID 548 wrote to memory of 912	548	cscript.exe	37
PID 2036 wrote to memory of 880	2036	iexplore.exe	41
PID 2036 wrote to memory of 880	2036	iexplore.exe	41
PID 2036 wrote to memory of 880	2036	iexplore.exe	41
PID 2036 wrote to memory of 880	2036	iexplore.exe	41

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\75ae7bbdbfccde37a545a6b316e885e9a6d1ecf3c069fa48594a6db6f30c41d0.js
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\System32\cscript.exe
  "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\media.reg
      4⤵
      PID:1376
  - - C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" import C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\MediaPlayer\MediaManager\mediaIE.reg
      4⤵
      Modifies Internet Explorer Automatic Crash Recovery
      Modifies Internet Explorer Phishing Filter
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer Protected Mode Banner
      Modifies Internet Explorer settings
      PID:1088
  - - C:\Windows\System32\cscript.exe
      "C:\Windows\System32\cscript.exe" C:\Users\Admin\AppData\Local\Temp\reportapi.js
      4⤵
      PID:912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-63-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/1700-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads