dc906442e88ca7efd9c957defbace7e17cc8e7eb97de956381d9e9df2b27a6df

General

Target

dc906442e88ca7efd9c957defbace7e17cc8e7eb97de956381d9e9df2b27a6df.exe
Size

1.0MB
MD5

dc3888f8f615863eb4af911cc01d26e8
SHA1

466524fa471f1c2e386f97ec2117292983294fc6
SHA256

dc906442e88ca7efd9c957defbace7e17cc8e7eb97de956381d9e9df2b27a6df
SHA512

c3c3e09276bc6115a56373d8450b1d1d2784dfd267625fbed8ec21e21b44a177226e10ea067d23c141ebb02c11f3caa66e141fe7784b5c5c4dc1b01f689c49bb

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000c4cdce2f0f83d3eabb5c685e1c142e558e600599fe7ba2a9efb0a1a2ba6677ea000000000e80000000020000200000000d69d7d5f231b2a025557ba6893060d6dfb95104c2add5042f78a6a5289e92b220000000adaf2d38513c1f80ca4c2cc472f8fbc1f9ff2e901afa1a8a380f012b66c14c9f40000000c886a2ccc3c96a6f5b9ffc72aed0e8f34f753e717a2611ff2119ecd009580e90123616c00e9a9a65dcad1eabe9e7049d45f312fc9a7468e171d691ba547806c0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b072a3bd20d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "351510123"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C9D113D1-8CB0-11EC-A1A9-E2EFF2F4E71D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000029a8fa03d77d0143b95f148165a5bc9200000000020000000000106600000001000020000000f08f69f9d81fa7fdf4da01916fde11f58c842ed5e7d096b3651f88c7bab540ac000000000e8000000002000020000000e42bbab5b70b3cd23eb962dea7508af19696c0e9573e1e55433e9569153479ce9000000043f7008a34e8d98f9dfcb3a8e7ecffb43043d3764c1066077dfd588093f145a3c2e1a0b613ab0a6c2c10b71488ce08456bbd7696833b439c853ade9f358a3e03b57348b813a1d71d51ac747ddf0f4b1b886f4ef1f6340b66e09185bf8c4b2bb110df410a46aebeea9773511c96af4dc461e734ad60714c4f4e0b9b1a16e2c93e18a0628dbea05c9f096db9e4c1d51731400000002a701c66015d4da2839e5f15a5818fbc9b484c9c7bb3816887d4e85052a55ead51cfa299c85fa712e361960825849198488413d5a4152cfcefed4b8e2cd9b996	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1224 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1224 iexplore.exe
1224 iexplore.exe
828 IEXPLORE.EXE
828 IEXPLORE.EXE
828 IEXPLORE.EXE
828 IEXPLORE.EXE

pid	process
1224	iexplore.exe

pid	process
1224	iexplore.exe
1224	iexplore.exe
828	IEXPLORE.EXE
828	IEXPLORE.EXE
828	IEXPLORE.EXE
828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dc906442e88ca7efd9c957defbace7e17cc8e7eb97de956381d9e9df2b27a6df.exeiexplore.exe

description	pid	process	target process
PID 1416 wrote to memory of 1224	1416	dc906442e88ca7efd9c957defbace7e17cc8e7eb97de956381d9e9df2b27a6df.exe	iexplore.exe
PID 1416 wrote to memory of 1224	1416	dc906442e88ca7efd9c957defbace7e17cc8e7eb97de956381d9e9df2b27a6df.exe	iexplore.exe
PID 1416 wrote to memory of 1224	1416	dc906442e88ca7efd9c957defbace7e17cc8e7eb97de956381d9e9df2b27a6df.exe	iexplore.exe
PID 1416 wrote to memory of 1224	1416	dc906442e88ca7efd9c957defbace7e17cc8e7eb97de956381d9e9df2b27a6df.exe	iexplore.exe
PID 1224 wrote to memory of 828	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 828	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 828	1224	iexplore.exe	IEXPLORE.EXE
PID 1224 wrote to memory of 828	1224	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\dc906442e88ca7efd9c957defbace7e17cc8e7eb97de956381d9e9df2b27a6df.exe
"C:\Users\Admin\AppData\Local\Temp\dc906442e88ca7efd9c957defbace7e17cc8e7eb97de956381d9e9df2b27a6df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1224

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
474b80682b06eccb1a8151007062b5db

SHA1
c0326770afccd809bce1082f38a45c7290ff3747

SHA256
e3b6fb70ba3462443b2377e01abb939903362da9158db944367d1141b521e397

SHA512
6aabdf48eb1b12cf14c5d9c99c799f2dde276556b3f94eea161636c771b25cdcb046e9d5f254bbce887b0f3f8912d41187a7e8b5553d649e8bac4041f6b6611c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\o5rwqiw\imagestore.dat
MD5
3c6675093d9ea1cd8fa4b8e2f793db75

SHA1
af5282dfd90843dd4deca0abba4e508328b2f77e

SHA256
9b46bc9dd12b2d6a0f55d3b3048ad8508bd2cb92e312c5296c8711a6e4b0af45

SHA512
1fec76e81b42172bac4b287a758ea64c462a701822f41e6d93429d9eec713a89445f656c0a2424da973067e036455f54abf50949bd033efe136dddda0e566856

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W3EEST8P.txt
MD5
63c96fca78902244f0a6c301e1c61939

SHA1
b93f8de9564f04fa2406dbdacb5bd44547f3b306

SHA256
025103701aebce3b44bcb15becee94883aec46b36e83f8b4666243cabc819c3b

SHA512
8130a88d746dd09b126e568be745771c24ca75639d0caf9c4af9313933b7374e455e72d83e8e29e0e1a11875053cb7d96c36fe3f7417c66de132554c5283839e

Download Submit
memory/1416-53-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1416-54-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing