5162a9211b246b3c4c16958d54ddbc6728200c71839d8550112a92cf34ceacd8

General

Target

8a30d72bb314ae7eab1952c7bef22a34147680166cf451c5d5843179fadfa154.exe

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "355258413"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000f8abbfea154a935ae9c433b87ae9b2d4851d90ce71d6a00b9b7525fa9d59fdca000000000e800000000200002000000008d3468129f76bb4c0828615dd5f5f3b0180de929f24f2ce0979d7080280c122900000003f5d7746b7548f26ce8d1d97dc5892a0e83a7387be0a9f04af0be0ef5721554f4892876716acea2fc2eede623a84c43780c051a8f0abfc9e34227289ff7a1d94e679bb4bfee9723cc4796fb685ccc561a4d7da2c3aba8b90a5543b3257042f242fb87be2aad79cf8b9d8102fab37ba8fd3e16b512bf6f42d2e7c0c8521529c30a4dde1c143dce5004ed59e0f03a8f4e440000000ade43e6b06bf9208d3f8daed911d4a5ae829f91907080b96db500b174d38899baf7a9d91425e732d564c469dafdb6b92ed5a99f8b6e415387309cb19fa5b6278	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F4ABA7D1-AEC7-11EC-8FB8-C27F05204187} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004dda8e4cddf84341b86bc814e98354e500000000020000000000106600000001000020000000db339a30dca62b74d28627a2f0fff328c843ceeb5af4a2b19393abb60899fd7d000000000e80000000020000200000008aa4a90c62a8354fb54f696047364ee5c666334613b5e0a1e55aba000917ecdd200000005b806e64d746117e04df615c774f26ea256a5c9caee9c9349d9ba128379b0e3640000000a4d3ad15937b0defdddc83cca46f4826e175c678ffa5a389a5f81724a59d58bdb196597b94b9e47171653c4a12d75771334bf566819b8f576a54bf706194855d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 608d75ced442d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1936 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1936 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1936 iexplore.exe
1936 iexplore.exe
2044 IEXPLORE.EXE
2044 IEXPLORE.EXE
2044 IEXPLORE.EXE
2044 IEXPLORE.EXE

pid	process
1936	iexplore.exe

pid	process
1936	iexplore.exe

pid	process
1936	iexplore.exe
1936	iexplore.exe
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

8a30d72bb314ae7eab1952c7bef22a34147680166cf451c5d5843179fadfa154.exeiexplore.exe

description	pid	process	target process
PID 1724 wrote to memory of 1936	1724	8a30d72bb314ae7eab1952c7bef22a34147680166cf451c5d5843179fadfa154.exe	iexplore.exe
PID 1724 wrote to memory of 1936	1724	8a30d72bb314ae7eab1952c7bef22a34147680166cf451c5d5843179fadfa154.exe	iexplore.exe
PID 1724 wrote to memory of 1936	1724	8a30d72bb314ae7eab1952c7bef22a34147680166cf451c5d5843179fadfa154.exe	iexplore.exe
PID 1724 wrote to memory of 1972	1724	8a30d72bb314ae7eab1952c7bef22a34147680166cf451c5d5843179fadfa154.exe	cmd.exe
PID 1724 wrote to memory of 1972	1724	8a30d72bb314ae7eab1952c7bef22a34147680166cf451c5d5843179fadfa154.exe	cmd.exe
PID 1724 wrote to memory of 1972	1724	8a30d72bb314ae7eab1952c7bef22a34147680166cf451c5d5843179fadfa154.exe	cmd.exe
PID 1936 wrote to memory of 2044	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 2044	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 2044	1936	iexplore.exe	IEXPLORE.EXE
PID 1936 wrote to memory of 2044	1936	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\8a30d72bb314ae7eab1952c7bef22a34147680166cf451c5d5843179fadfa154.exe
"C:\Users\Admin\AppData\Local\Temp\8a30d72bb314ae7eab1952c7bef22a34147680166cf451c5d5843179fadfa154.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/klija
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
020e27a7b552ab0a63bb42f98841b807

SHA1
f7a7df04cb4e1e929bc324b2d41da66440db1f57

SHA256
17ee291f40d578c0c68417c1475c1605586aed3bb2dd53e7fbeb60d96e70db29

SHA512
1fd268152fc94de67b222071770278ac6e2a0d41f9e2312b5d168da0d5c2805ff57f6d0578e1fcd7ea0964ad496fee8117b18ce1346d4f4124dc65e9134ad644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w8w9llr\imagestore.dat
Filesize
28KB

MD5
328f934524db8501184db5c9cab951ad

SHA1
266702ba72872f5378fb67c655db89cb410f9362

SHA256
9f21546701d5b469282596af7afab953896204500295709f4685a45076c2f3de

SHA512
38151955d3aabb1cf4daf5a941f61bb2d6aecc2fe5fe80220df17276cd37a6772281471c22326b2253431cc99b38ff9107fdd1a1a637ddeee04c95db73aae925

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\69LHZA1W.txt
Filesize
608B

MD5
033aa19d9ee7476efee933dfe06ca742

SHA1
8f0b2b61d7d104bfcb9b8698038f8734d7e918bf

SHA256
1084ea07c81658642410451a59a7711b5e1521a68898c06a12bfb944633adfda

SHA512
54228176614cbac0a403307ed3a368044d0e068be45bae8299be073b31cb03be3c0d4bbaaa6dc68a39b462e2a5fd23b63155c854e3db00a73622c92af57679f4

Download Submit
memory/1724-54-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing