79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3

General

Target

79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3.exe
Size

552KB
MD5

34f2cc16d84f7522f05d5333ed3913dd
SHA1

b7eed00ff0aa9da390e3f3aca0eaecd6bd685006
SHA256

79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3
SHA512

f0efd072e7718390aa0371879a2a9eabe01ea29d49063a77df04f37bd9bbfb250fdec95b3df7a1874182aec3af5dd4de78fd6dbb87bbb594fc66243a6765b1f8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000928306506a8cba7fa9946956d0ee769dee6ab3aef88b7c323a6595243e50ced0000000000e80000000020000200000004fb10a1b321043fea65f2df047e4e6efc1e366346a1288eb321b54d524b27e8990000000461754f16ac1185ee87abaf4288c90198e75d09e7a3546c880f3f1f0829c7fbe2a52cd8dcf53f5ac39f391646935b7f803e35284e80abb2c31f669c17afb7de862eb40c1b55ee7b754fefe46c7e8993db1ebb1e02612ed53bb5ba24958353eb921271c131b3ca7517c0a1d6dafadacb535e523259f74f8eb84eba44509b04c3985069c71e1445ee06c1ed469edccedae4000000005bcfbf57cdeabf0a7b81440aff8f58216529c6c2f369dbcdafe23f744a29a8290758eccc301746367c79eb71dff51f622456d4109f98fcebdbaaf54d8e0ca27	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10cffa955236d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BDC54CF1-A245-11EC-9547-6600847C1211} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000a52d8635ff37206ea494aa711e40c3406100a025e8fd0e26388f315d2e8fa130000000000e80000000020000200000009d5f36848d0f792af39c13ddd8dd789b9328082c5ee327afd368e8880c8d5a002000000059c118b443847704408307c55ca918df9ce68249f2162298c842dc4e205a69bd40000000478aaa8df9b24f9856b0fe2c070cb8c9b1ec0c841be0191905315c480e301b9919db0fef2b245d760fad271932182960abf443c7f512472ca0815ac652764e28	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "353883070"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1924 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1924 iexplore.exe
1924 iexplore.exe
740 IEXPLORE.EXE
740 IEXPLORE.EXE

pid	process
1924	iexplore.exe

pid	process
1924	iexplore.exe
1924	iexplore.exe
740	IEXPLORE.EXE
740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3.exeiexplore.exe

description	pid	process	target process
PID 1392 wrote to memory of 1924	1392	79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3.exe	iexplore.exe
PID 1392 wrote to memory of 1924	1392	79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3.exe	iexplore.exe
PID 1392 wrote to memory of 1924	1392	79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3.exe	iexplore.exe
PID 1392 wrote to memory of 1924	1392	79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3.exe	iexplore.exe
PID 1924 wrote to memory of 740	1924	iexplore.exe	IEXPLORE.EXE
PID 1924 wrote to memory of 740	1924	iexplore.exe	IEXPLORE.EXE
PID 1924 wrote to memory of 740	1924	iexplore.exe	IEXPLORE.EXE
PID 1924 wrote to memory of 740	1924	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3.exe
"C:\Users\Admin\AppData\Local\Temp\79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=79c87d552858845eecce7d11c6ef681dfa2d647c2aef20a1ad33be2507d415c3.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
78a6f1a7abd83bf226edc71a6857511e

SHA1
9d68225dc52a5c284ddd39a35789fd8b4c6d2848

SHA256
7a2ad3338f5f027d0304c41401afe9df1d8b9103de79feb2ae423570c5c344ce

SHA512
be801aa05f0fb5f25c52f52e5508490d7c018c1f784ae6f3766f3fd6062252d9dea71558d7c10b28c1b1b71f7f47eb45491071e9ebf27542b8c2abc9590b0f63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\shpg9mq\imagestore.dat

MD5
b5aa7f4a4848d14ff3059092ff3f3242

SHA1
442a6d29baa4f9360a0fa7679c5c276905ffcba2

SHA256
79de127fc93e79d866602a2b8c2b8156e57e2206a9c989e42491a3307df77bc0

SHA512
e5694e5dc2726261b8874cd16b9d7466811b8d864132241384ee0183bb358eb12b036a5fe1e27f8d3bb3b6ad8f46cee0c180d137dedf922198a3faf363ec9270

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NJNE38T8.txt

MD5
fad340da5253e6dfbd12158004a987b6

SHA1
6c351f4e2befa02549e17ee088b92d44faf21780

SHA256
716a0a250627f62abf979b449d1027b7abf2942296aa29de5b25fbd3d556d0d8

SHA512
22f79910758825a264d0e34e821d111bc766bb0efec83d7d25fa628b89332a8e52abf6b70c58c3c8dd32c587a4c65d1001013bac2bfa8580ccf62c6d1d5a8005

Download Submit
memory/1392-54-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing