Analysis

max time kernel: 138s
max time network: 143s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 18:00
Static task: static1

Behavioral task: behavioral1
  Sample: 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
  Resource: win10v2004-20220414-en

The signatures, process tree and dropped files below are from the windows7_x64 run (behavioral1, PIDs 388, 1916, 1532, 320 and 1908); the win10v2004 run is not reproduced here.
General

Target: 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Size: 2.0MB
MD5: c8cba838e87f76326dff14153ffa7070
SHA1: 91cd18b7dad6f3e1cbc08fd0c6ac8e552f0b3590
SHA256: 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde
SHA512: 2e83f2f8ed6f4688781f3636b41b95040f414d0dc141e66037b039b6d4895c0a56552ef1ad0503356f533753aef8840b312fe81415128853994c14532d401194
Malware Config
Signatures

YARA rule match: aspack_v212_v242 (ASPack packer) 4 IoCs
The dropped CoQAwD.exe matches the aspack_v212_v242 rule, i.e. it is packed with ASPack. The match is reported four times, twice under each path form, for the same 15KB file:
  resource                                             yara_rule
  \Users\Admin\AppData\Local\Temp\CoQAwD.exe           aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe         aspack_v212_v242
Static strings and imports of the dropper will therefore be mostly hidden until the ASPack stub has unpacked it; the 36KB memory dumps of PID 1916 at the end of this report are the place to look for the unpacked image.
Executes dropped EXE 1 IoCs
  pid   process
  1916  CoQAwD.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                            process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Both values are populated by the firmware at boot and, on unmodified hypervisors, carry vendor strings that identify the virtualisation product. Read together with the System\Identifier query further down, this is a classic environment fingerprint: the sample reads the keys and the report shows it continuing to run afterwards, so either the sandbox's values passed its check or the result only influences later behaviour.
Loads dropped DLL 2 IoCs
  pid  process
  388  5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
  388  5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
The table names only the loading process; the path and hash of the loaded DLL are not listed in this report, and no DLL appears in the Downloads section below.
Checks whether UAC is enabled 1 IoCs
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
(Signature name taken from the process tree below; the heading was missing from the flattened table.)
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                  process
  File opened for modification  \??\PhysicalDrive0   5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
What the IoC actually records is a handle to the raw disk opened with write access. Opening \??\PhysicalDrive0 for writing requires administrative rights (which the sandbox's Admin account has, and which the EnableLUA query above would tell the sample about). The report does not show the bytes written, so whether the boot sector was replaced (bootkit), wiped, or overwritten with a ransom lock screen is not established by this entry alone; the disk image from the run, not this table, answers that.
Drops file in Program Files directory 64 IoCs
Every one of the 64 IoCs is "File opened for modification" by CoQAwD.exe (PID 1916) against an executable that already existed on the image; no new file is created under Program Files. Opening 64 unrelated installed binaries for writing is the footprint of a file infector or a mass tamper of existing programs rather than a drop, but the report does not show the bytes written, so the exact modification is not established here. Grouped by directory (all paths are C:\Program Files\... or C:\Program Files (x86)\...):

  C:\Program Files\7-Zip\: 7z.exe, 7zG.exe
  C:\Program Files\DVD Maker\: DVDMaker.exe
  C:\Program Files\Google\Chrome\Application\: chrome.exe, chrome_proxy.exe, 89.0.4389.114\Installer\chrmstp.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\: apt.exe, jabswitch.exe, jar.exe, jarsigner.exe, javac.exe, javah.exe, javap.exe, jconsole.exe, jstack.exe, keytool.exe, kinit.exe, ktab.exe, native2ascii.exe, orbd.exe, policytool.exe, rmid.exe, serialver.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\: jabswitch.exe, javacpl.exe, javaw.exe, javaws.exe, jp2launcher.exe, ktab.exe, rmiregistry.exe, unpack200.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\: nbexec.exe
  C:\Program Files\Java\jre7\bin\: jabswitch.exe, jp2launcher.exe, ktab.exe, rmid.exe, tnameserv.exe
  C:\Program Files\Microsoft Games\: Hearts\Hearts.exe, SpiderSolitaire\SpiderSolitaire.exe
  C:\Program Files\Mozilla Firefox\: default-browser-agent.exe, firefox.exe
  C:\Program Files\Windows Mail\: wab.exe
  C:\Program Files\Windows Sidebar\: sidebar.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\: AcroBroker.exe, AcroRd32Info.exe, AcroTextExtractor.exe, Eula.exe, reader_sl.exe
  C:\Program Files (x86)\Google\Update\1.3.36.71\: GoogleCrashHandler.exe, GoogleUpdateComRegisterShell64.exe, GoogleUpdateCore.exe
  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\: chrome_installer.exe
  C:\Program Files (x86)\Microsoft Office\Office14\: excelcnv.exe, GROOVE.EXE, INFOPATH.EXE, MSOHTMED.EXE, NAMECONTROLSERVER.EXE, ONENOTE.EXE, POWERPNT.EXE, PPTICO.EXE, SETLANG.EXE, WINWORD.EXE
  C:\Program Files (x86)\Microsoft Office\Office14\1033\: ONELEV.EXE
  C:\Program Files (x86)\Mozilla Maintenance Service\: Uninstall.exe

For response, every binary above should be treated as untrusted until its hash is compared against a known-good copy; the sandbox's own Downloads section only lists files the sample created, not the ones it altered in place.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a heuristic signature with no IoC of its own in the report. It fires on access to physical drives, so the \??\PhysicalDrive0 handle from the MBR signature above is sufficient to trigger it; on this run it is not independent evidence of ransomware, and none of the 64 modified files has a ransomware-style renamed extension.
Enumerates system info in registry 2 TTPs 1 IoCs
  description        ioc                                                     process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Modifies Internet Explorer settings 46 IoCs
(Signature name taken from the process tree below; the heading was missing from the flattened table.) All 46 keys sit under \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\, abbreviated as IE\ below.

Written by the sample itself, 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe (PID 388), 11 IoCs:
  Key created      IE\Main
  Key created      IE\Main\WindowsSearch
  Set value (str)  IE\Main\WindowsSearch\Version = "WS not running"
  Key created      IE\DOMStorage
  Key created      IE\DOMStorage\Total
  Set value (int)  IE\DOMStorage\Total\ = "63"
  Key created      IE\DOMStorage\virtualhardwares.com
  Set value (int)  IE\DOMStorage\virtualhardwares.com\Total = "63"
  Set value (int)  IE\DOMStorage\virtualhardwares.com\NumberOfSubdomains = "1"
  Key created      IE\DOMStorage\www.virtualhardwares.com
  Set value (int)  IE\DOMStorage\www.virtualhardwares.com\ = "63"

Written by iexplore.exe (PID 320), 32 IoCs:
  Key created      IE\Main
  Key created      IE\Main\WindowsSearch
  Set value (str)  IE\Main\WindowsSearch\Version = "WS not running"
  Set value (str)  IE\Main\FullScreen = "no"
  Set value (int)  IE\Main\CompatibilityFlags = "0"
  Key created      IE\GPU
  Key created      IE\IETld\LowMic
  Key created      IE\BrowserEmulation\LowMic
  Key created      IE\IntelliForms
  Key created      IE\InternetRegistry
  Key created      IE\LowRegistry
  Key created      IE\LowRegistry\DOMStorage
  Key created      IE\LowRegistry\DontShowMeThisDialogAgain
  Key created      IE\PageSetup
  Key created      IE\Zoom
  Key created      IE\Toolbar
  Key created      IE\Toolbar\WebBrowser
  Key created      IE\DomainSuggestion
  Key created      IE\DomainSuggestion\FileNames
  Key created      IE\DomainSuggestion\FileNames\
  Set value (str)  IE\DomainSuggestion\FileNames\en-US = "en-US.1"
  Set value (int)  IE\DomainSuggestion\NextUpdateDate = "359834638"
  Key created      IE\Recovery\AdminActive
  Set value (int)  IE\Recovery\AdminActive\{D05FB601-D866-11EC-A2A7-5AC3572C4626} = "0"
  Key created      IE\Recovery\PendingRecovery
  Set value (int)  IE\Recovery\PendingRecovery\AdminActive = "0"
  Key created      IE\TabbedBrowsing
  Set value (int)  IE\TabbedBrowsing\NTPFirstRun = "1"
  Key created      IE\TabbedBrowsing\NewTabPage
  Set value (data) IE\TabbedBrowsing\NewTabPage\MFV = (data value omitted)
  Set value (data) IE\TabbedBrowsing\NewTabPage\LastProcessed = c0eaf4a5736cd801
  Set value (data) IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000f14b03d77722d012aa09000421ec0de06b39f7f1a1886377dea9986409980875000000000e80000000020000200000008851da3fd43784e81a259baffa01875f8190fd8dac7712488c120eba98135f73200000005463bad649aed6575b7e94372400dd191c6349e8ac4515da636aa9fa58cc210640000000ea562ce4da1c4b30a86e6486c476805d0c869a713ac74029f84695be9a63f6105901d12f019786b6360a4ac1fc8565bca6332b3b1198f5dfbe78f16903abdcca  (a DPAPI-protected blob, which is how IE normally stores this value)

Written by IEXPLORE.EXE (PID 1908), 3 IoCs:
  Key created      IE\Main
  Key created      IE\Main\WindowsSearch
  Set value (str)  IE\Main\WindowsSearch\Version = "WS not running"

Reading the table: the 35 entries from iexplore.exe and IEXPLORE.EXE are the browser's ordinary first-run housekeeping (recovery, new-tab page, domain suggestion, zoom) and carry little signal. The 11 entries written by the sample process itself do: DOMStorage bookkeeping for virtualhardwares.com is created by the IE rendering engine when a page from that domain uses web storage, and here the writer is PID 388, not a browser. That is consistent with the sample hosting the IE engine in-process (for example via a WebBrowser control) to load content from virtualhardwares.com; it is an inference from the registry writer, since the Network section of this report is empty. The domain and the fact that the sample's own process writes IE DOMStorage keys are the usable indicators from this signature.
Suspicious behavior: EnumeratesProcesses 2 IoCs
  pid  process
  388  5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
  388  5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
  description               pid  process
  Token: SeDebugPrivilege   388  5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Suspicious use of FindShellTrayWindow 1 IoCs
  pid  process
  320  iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs
  pid   process
  388   5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe  (2 IoCs)
  320   iexplore.exe                                                           (2 IoCs)
  1908  IEXPLORE.EXE                                                           (4 IoCs)
Suspicious use of WriteProcessMemory 12 IoCs
  pid   process                                                                  target pid  target process
  388   5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe    1916        CoQAwD.exe    (4 IoCs)
  1916  CoQAwD.exe                                                               1532        cmd.exe       (4 IoCs)
  320   iexplore.exe                                                             1908        IEXPLORE.EXE  (4 IoCs)
Each triple is a parent writing into a child it has just created, which is what the CreateProcess path itself does; the iexplore.exe pair is certainly benign. The table is still useful because it pins down the process chain (388 -> 1916 -> 1532) that the process tree below shows, and the 36KB dump taken from PID 1916 after the writes is where the unpacked CoQAwD.exe image should be sought.
Processes

C:\Users\Admin\AppData\Local\Temp\5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe  (PID 388)
  command line: "C:\Users\Admin\AppData\Local\Temp\5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe"
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe  (PID 1916, child of 388)
    command line: C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1532, child of 1916)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\69ed2ecb.bat" "

C:\Program Files\Internet Explorer\iexplore.exe  (PID 320)
  command line: "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1908, child of 320)
    command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

Notes on the tree. PIDs are taken from the signature tables above. The sample process does the sandbox fingerprinting, the UAC check and the raw-disk write itself, then starts the ASPack-packed 15KB CoQAwD.exe, which in turn opens the 64 Program Files executables for writing and runs a 187-byte batch file; the batch file's contents are not reproduced in this report. The cmd.exe path is C:\Windows\SysWOW64\cmd.exe, i.e. the 32-bit binary, which means CoQAwD.exe is a 32-bit process on this x64 image (a 32-bit process asking for System32\cmd.exe is redirected to SysWOW64). iexplore.exe is not a child of the sample: it was started with -Embedding, the switch the COM runtime uses when it activates the browser as a server, so it is a side effect of something hosting IE rather than an explicit ShellExecute of a URL.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

The three CryptnetUrlCache entries are Windows' CryptoAPI cache of certificate-revocation and chain data fetched during certificate validation; together with imagestore.dat and the cookie file they are ordinary browser and CryptoAPI residue, not payloads written by the sample. CoQAwD.exe appears in the original listing four times (twice under C:\Users\... and twice under \Users\...) with identical hashes; it is shown once below.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
  Filesize: 1KB
  MD5:    74d7d8843e51e7b4951bd6471e8f34e5
  SHA1:   349f5f1421abc2ced8daa30b29dbc35432e6c95f
  SHA256: a3b50edef3090d49dfe0e0b927c862c360c670cf26ddadb152c004c19d17cb19
  SHA512: 1bf70c84fa0fdbb42442a44beec539b73586b5183386e0c10fdb672b270cb58cf7db4b3107a9b727c3b66e68e0fc52fadeccef0295ea2d79f4cae6ca88ca5086

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5:    087fc191b2248d1f3ea537c76e0a6e3a
  SHA1:   98c728ec05d12410ba91648aa0af3aa82eda2b08
  SHA256: e1569a9836e64be72e8779b07666cca8445f488944bb055a3864e251433f147f
  SHA512: 3704d7cda4fc3156fa0f7c61ac557a22d37f92fb0bf0592d0dd594c66150d93bbffa68993e09d0cc8298962271dc7b43782e2662df12a96fd537060f96851b32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
  Filesize: 492B
  MD5:    23ddf6d75278840afe90e582f8d15aac
  SHA1:   9361909c7148b377ea2e40633762d8e14dfc9816
  SHA256: fe92f64764107c513d77c597ce9bcc0d4381e39913ce894ca9b45e0e1bab4f6d
  SHA512: 36c649229fc17c8b4af4c6833fed72a9462210b294087144464981f5d5fdb63ad3d6e37ff2774dddf2fc5ade1c7eb2d127cefda1a0514e29f39f851e6968ac3a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
  Filesize: 5KB
  MD5:    e060e56adb718637aeae705375cd8efd
  SHA1:   dd062e2b046b9d8e01a64a605f600fa57f8e04f1
  SHA256: db0a678c441e1424cb95a06b179d9771f7a2ba1f6f23c93260ef90684b36c20d
  SHA512: 6aadc7d97b5e7748e763b0958973ee7674727b5def023d727506306c39c00598bb7cbabeea9117127d46a1896f0d4a85b509ce1838346c2b071fe52a7fadc54e

C:\Users\Admin\AppData\Local\Temp\69ed2ecb.bat  (run by PID 1532; contents not reproduced in this report)
  Filesize: 187B
  MD5:    296f0a38fd3d3262f0d1d18c51a2660d
  SHA1:   a0d0f8152377cd768a193fbe2884ad847288965d
  SHA256: 64a7ffb3e5e1467c8df3319f682f11cc19c1cea45be519444007846c0817ad14
  SHA512: 1f9783d82bd502252d8be28d7b83e33821a04db966fe33c9b9c8753020d5f88b47ed1981fc0d8b58e15addd8922e10a5b276fa3d969b23b54f148d047d56fe66

C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe  (dropped and executed as PID 1916; ASPack-packed, see the YARA match above)
  Filesize: 15KB
  MD5:    56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1:   99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IPOM61HD.txt
  Filesize: 606B
  MD5:    9ede860668f418c458198043a121e2f6
  SHA1:   599b91033df961e1682642729c48bfca7ca24942
  SHA256: 6dcc7f27661ac20c1fcd783fa7f18b063ef8cfc06f3d65f5c1d97b0fed54c4e1
  SHA512: dc4a8b1fac5e6ae2348c4136bb7421f6e033b5f6f2b7d001d797412055cde1502b7fcdb5f911ceab71afffa337dfae51e664482dca8d30a5dbd4a57911401d1c

Memory dumps (name format: memory/<pid>-<sequence>-<start>-<end>-memory.dmp; "mapping.dmp" entries record a module mapping rather than a region's contents):
  memory/388-54-0x0000000076C81000-0x0000000076C83000-memory.dmp   Filesize: 8KB
  memory/388-74-0x0000000000080000-0x0000000000089000-memory.dmp   Filesize: 36KB
  memory/1532-66-0x0000000000000000-mapping.dmp
  memory/1916-57-0x0000000000000000-mapping.dmp
  memory/1916-67-0x0000000000FC0000-0x0000000000FC9000-memory.dmp  Filesize: 36KB