9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e

General

Target

9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe
Size

2.8MB
MD5

b644cc5effa3145014406503c54f9229
SHA1

a99c5f9f855832c10214832a56dac7c6d0b60bbc
SHA256

9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e
SHA512

4a63060db979374089054f42ccad888d1f3ab8b277909ec921e701532934c2d9a67d72a166f226200fffd11e57dce9ee45837550e5bb0e8d658056ebe4870f40

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/536-55-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-56-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-57-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-59-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-61-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-63-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-65-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-67-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-69-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-73-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-75-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-79-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-81-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-83-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-85-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-87-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-91-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-93-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-95-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-97-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-89-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-77-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-71-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/536-98-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

description ioc process

File opened for modification \??\PhysicalDrive0 9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360227608"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C49F1B81-DBF9-11EC-8FE9-F2D3CC06C800} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\goodgq.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\goodgq.com\Total = "29"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\goodgq.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000f4d5a407abc9fb360d2669f90626e69e5308ec0e7705589b72ba9deaf4d38fe9000000000e80000000020000200000007c6351fd0c2d98b32e642dbf6426a5384c96a0919eb06349839a2ff6ec41329890000000421dbc9420f921c67ce8325a80df446c12383a1661d93bc8254357d4f1c02b7ef8c8a7eee49c0fad68901284ff1a0712006a2f88591e00b8e11d4477931ca342d22ed0541cde3eb5319993569d02ae870cab1f20806eb781250f780fc71d08906a6a86fa3d7cfd016d0b4bb939cdae4185c94f249664a727a606da485d17fbed1235ae258029aa8d28d1819e68ed69d8400000004f851100f67e84521a4cce03f635ec17b3cbd23002e8f4a02c56d5d90a7d2bd39b55ecd01bb1a25cbb9512aa281b600150f127b6b5552da6a3780c47031b1467	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30e0429d0670d801	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.goodgq.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.goodgq.com\ = "29"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b00000000020000000000106600000001000020000000712cc3dcab4e1e59616406b4e33bd1bee0d0c90f570c28e6d1e0323ec07bb573000000000e80000000020000200000009235742c42418e55abcf13d098c279fa2771354951c33a17e6a3c097de4f4d4f20000000952bac7a3194baa8963d4eb001346f2bd899716c0f5be2da1760dbce69008bcc4000000035c8120d8026d20945eec12d65fcfb05c95c36e433e0f7491c9cebbe057a92cbf9fa4bcb846566c77cb7505404446dcc7e6b00a2f5c4a2c5cdc6030fe047efe3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

pid	process
536	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe
536	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

300 IEXPLORE.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

description pid process

Token: SeSystemtimePrivilege 536 9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exeIEXPLORE.EXE

pid process

536 9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe
1112 IEXPLORE.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

pid process

536 9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

pid	process
300	IEXPLORE.EXE

description	pid	process
Token: SeSystemtimePrivilege	536	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
536	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe
536	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe
536	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe
1112	IEXPLORE.EXE
1112	IEXPLORE.EXE
300	IEXPLORE.EXE
300	IEXPLORE.EXE
300	IEXPLORE.EXE
300	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exeIEXPLORE.EXE

description	pid	process	target process
PID 536 wrote to memory of 1112	536	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1112	536	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1112	536	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe	IEXPLORE.EXE
PID 536 wrote to memory of 1112	536	9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe	IEXPLORE.EXE
PID 1112 wrote to memory of 300	1112	IEXPLORE.EXE	IEXPLORE.EXE
PID 1112 wrote to memory of 300	1112	IEXPLORE.EXE	IEXPLORE.EXE
PID 1112 wrote to memory of 300	1112	IEXPLORE.EXE	IEXPLORE.EXE
PID 1112 wrote to memory of 300	1112	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe
"C:\Users\Admin\AppData\Local\Temp\9677aa0ae678108ebcaf4fbb202c888b1fc9324f258755c5d0e13e700cdb465e.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.goodgq.com/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_28699ABAC9273C08DCF1E93A8F6BFD1D
Filesize
471B

MD5
196a1094edb471f6766e58ac768c5288

SHA1
94d71160cbd87ebe1330411bb9ef13b10216ef1d

SHA256
f7d32ba7422f9863e177686f7e4082aead6d612ad70ad680a9f496c4c80a14b7

SHA512
30352f4710a01ff3ed8b567b68f1cf44f8ed01aa5eee013af758a904a6eb809b461a76e251073d0197e6fd6aa5f732947afa444c355a58c52054eb98679862b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e6971cb5572ab4022c81e306993e906c

SHA1
844f21dd8ef72c76f192fe8dc85e04beeccf08bd

SHA256
150917fa8f63c7f5c480043c55b29327795811dfe94bc7ad6f3848cf3fca59b0

SHA512
0b624a8fffc534188edd295df280abadedaed97431763fc673e072dc20c58ca62e988f8eb039ffb0e4d11d3f1fc75801ec301b2b851f9387a1ce2117c5b21ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_28699ABAC9273C08DCF1E93A8F6BFD1D
Filesize
430B

MD5
f5d6821d616b101d3f41f21cd910f1a0

SHA1
5501b3bef1b8b7ab9dc96cf91ad2726a937096f5

SHA256
dae4e69d1efa0a7937f7ba65c0952f7ed0abb782ee5d2beb846ccab6e0fac2c3

SHA512
dcced908dd9ce892038e49d46b7a34d2c6d13b3b59ff8c2b5d332952f536d821b2605a071adb6e37c390aeac450c8a7c6a25b0e3ba9e3963698f0eb9b727f16f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
Filesize
8KB

MD5
6a4e497dbb81e906648223436656cfe6

SHA1
511353735a0853456d20f9ac264b1cc8a7c5a506

SHA256
4ab91781d4cf3366d2a78a6f40f6ff569c4e572bd2360f6b67b24f5458c3701b

SHA512
73f100f673437e8c4d1cdd077f9e7cecb0dc3c5c9e304b76b6b934cd1b5cac23f147d6fda1e3941bf53b0422766b1fbfe5729625a47eedf29b7cb9d7c66c2970

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\87WT1S87.txt
Filesize
606B

MD5
924ea521a2663b95749182b2335c26f2

SHA1
38766ba3a7b0b48dda5add5d6f9da98a9c095431

SHA256
89cfdbb8579f0fda955c9a83bd61489edf6cd492583f397cef8a329255757725

SHA512
3b737dfc1877534772de8986dc054552d58ecc3370b8df2d77eaef403e23d5667cc3bd2c7364354e3e6248f5dbf0374a43272dfd9843bb2e4e7cf450a176a1ac

Download Submit
memory/536-83-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-93-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-65-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-67-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-69-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-73-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-75-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-79-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-81-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/536-85-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-87-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-91-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-63-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-95-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-97-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-89-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-77-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-71-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-98-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-61-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-59-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-57-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-56-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/536-55-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads