Analysis
- max time kernel: 139s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 18:00
Static task: static1
Behavioral task: behavioral1
- Sample: 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
- Resource: win10v2004-20220414-en
General
- Target: 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
- Size: 2.0MB
- MD5: c8cba838e87f76326dff14153ffa7070
- SHA1: 91cd18b7dad6f3e1cbc08fd0c6ac8e552f0b3590
- SHA256: 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde
- SHA512: 2e83f2f8ed6f4688781f3636b41b95040f414d0dc141e66037b039b6d4895c0a56552ef1ad0503356f533753aef8840b312fe81415128853994c14532d401194
Malware Config
Signatures
YARA rule matches (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe | aspack_v212_v242
- C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe | aspack_v212_v242
Executes dropped EXE (1 IoCs)
Processes (pid | process):
- 4476 | CoQAwD.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | CoQAwD.exe
Checks whether UAC is enabled
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description | ioc | process):
- File opened for modification | \??\PhysicalDrive0 | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Drops file in Program Files directory (64 IoCs)
Process: CoQAwD.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe, IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
- 3164 | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
- 3164 | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
- 4444 | iexplore.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 3164 | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid | process):
- 4444 | iexplore.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes (pid | process):
- 3164 | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
- 3164 | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
- 4444 | iexplore.exe
- 4444 | iexplore.exe
- 1248 | IEXPLORE.EXE
- 1248 | IEXPLORE.EXE
- 1248 | IEXPLORE.EXE
- 1248 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
- PID 3164 wrote to memory of 4476 | 3164 | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe | CoQAwD.exe
- PID 3164 wrote to memory of 4476 | 3164 | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe | CoQAwD.exe
- PID 3164 wrote to memory of 4476 | 3164 | 5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe | CoQAwD.exe
- PID 4444 wrote to memory of 1248 | 4444 | iexplore.exe | IEXPLORE.EXE
- PID 4444 wrote to memory of 1248 | 4444 | iexplore.exe | IEXPLORE.EXE
- PID 4444 wrote to memory of 1248 | 4444 | iexplore.exe | IEXPLORE.EXE
- PID 4476 wrote to memory of 572 | 4476 | CoQAwD.exe | cmd.exe
- PID 4476 wrote to memory of 572 | 4476 | CoQAwD.exe | cmd.exe
- PID 4476 wrote to memory of 572 | 4476 | CoQAwD.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe"
  Signatures:
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
    Signatures:
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7d662544.bat" "
- C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} -Embedding
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
  Signatures:
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4444 CREDAT:17410 /prefetch:2
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: fa526918a211e850a6078fb1d00b2045
  SHA1: 75bad6b9476e0655e6a2947a682e81df689682f3
  SHA256: 396b94c667643afa59d155ef4d812da6f4d67dd50cec97194e1ca3a1b3ece3fe
  SHA512: 27a3e00ba0e478d8a79cbbd134ef7beaff7fde2fc57aecfaf022806af41c2a85183fda3e1abc2dec38d27a7f22960db3549721b8d821ea659a5592b430de1ed6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
  Filesize: 1KB
  MD5: 74d7d8843e51e7b4951bd6471e8f34e5
  SHA1: 349f5f1421abc2ced8daa30b29dbc35432e6c95f
  SHA256: a3b50edef3090d49dfe0e0b927c862c360c670cf26ddadb152c004c19d17cb19
  SHA512: 1bf70c84fa0fdbb42442a44beec539b73586b5183386e0c10fdb672b270cb58cf7db4b3107a9b727c3b66e68e0fc52fadeccef0295ea2d79f4cae6ca88ca5086
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 434B
  MD5: 6eaeb152405600a7b19a7c749459ff58
  SHA1: 7b8ab541d4c98166ea394b59c758f22a5a1c5279
  SHA256: f8cabadace76db0d854de596b6cc344c6247044a70d457fb79f3f2b355ddf29c
  SHA512: 895300ecfa111172b57bf260977d4801d7f4ca97e24eddde5fac90fc5962aa1db1e286009f43c842d69c67faaa7d2d18bbe7b1cdb72e1056e2a9b7c02ce0e657
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
  Filesize: 492B
  MD5: 647915081ec2762ce9a9a73fd2746837
  SHA1: 842109e95343abcebcf6ff1c2a2218daf3c51dc5
  SHA256: 38c51da636283c1cd30c63e7c27f989d16b963ce598f22d80144c5193d8fd63a
  SHA512: 02798b08b7584b482c111e0ca300b5f7bff4df8a2ea4a1c265a6860eef5805103f9ee5f7cd22d0ca7684a72d5f4df5b8dc28ce0825395ab40a3eb1ca39aa04ba
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jnqp20o\imagestore.dat
  Filesize: 1KB
  MD5: 8224c930c119e5c61591b20e3cbcf329
  SHA1: e210b6b4b5038062b6da8b82136b6b4c31013df4
  SHA256: 09b2284fbe7f2821d2913741b3555f1218255c3df0808b06856c10a12c16530e
  SHA512: 925714330eb3e40f8a4e5955aec90bf5e57f5d393dc275d6c774f508926633f6d053da5730ad7818c9d2fe1f1f0bd98408c4a4481a4ee9acfcdf049f88fdfcd8
- C:\Users\Admin\AppData\Local\Temp\7d662544.bat
  Filesize: 187B
  MD5: 9cf3e34179cee3ca65b24ae018aaf1e9
  SHA1: 9477624f3ce25273335592ff6648fa244fe8059a
  SHA256: 7ccab45835b391ced2fa347587c8b0bd634bdf8dd903ebebaa63d4d363e9512e
  SHA512: 33d4b4520dd5c180f0e86445e0108b932aac5558cf966f64b12cf8c8d09d53f4aa9bbb402c81ec63168b4a2aa0053f4482eb177c942719f715a11bff503ab110
- C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
  Filesize: 15KB
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
- memory/572-133-0x0000000000000000-mapping.dmp
- memory/4476-130-0x0000000000000000-mapping.dmp
- memory/4476-134-0x00000000009F0000-0x00000000009F9000-memory.dmp
  Filesize: 36KB