4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538

General

Target

4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe
Size

3.0MB
MD5

3764c0988b8db6e3d927326129b3765b
SHA1

61a223bf9938e0e1c494098ce9b8fb277568474c
SHA256

4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538
SHA512

2a86dfee1b87a20b29a47a26d0f637815138316345c063635fff2999f3bc963ef43386b7eee73a6eec2a9bdb7764e406dab2203593f44aa024e93d68503c00c8

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1320-55-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-57-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-59-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-61-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-63-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-65-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-67-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-71-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-73-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-75-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-77-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-81-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-83-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-85-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-87-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-89-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-91-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-93-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-95-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-79-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-69-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-56-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-97-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral1/memory/1320-98-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

description ioc process

File opened for modification \??\PhysicalDrive0 4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b0000000002000000000010660000000100002000000089a83384dd2ad02e1a2308af799764bb30a3a14da473d724eccf48cb76d4b758000000000e80000000020000200000005edaf0602bb570d322631ef3aefd6dd4ee34f708eda560584c9b12ac43f42ba320000000dd87355131a81fda050d704a11273a57ed2f1e0b5c24df60b8c6afdd71c3f8254000000080c9d63fd494aab2e4526e392504d246347598ba6a0fb6975c6e73467c13f8e77659eadfa9a98a3df4016cd231c751d516424a1745c48e17523c6736542dcbf5	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1AEB42E1-DBC6-11EC-A292-D637792D7258} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\goodgq.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.goodgq.com\ = "29"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.goodgq.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 303675f3d26fd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b000000000200000000001066000000010000200000006cc3eefd0ee0f1d49bf1fd4b162e800dd8167ef0f243b06d57fcfb8174ad4b0e000000000e80000000020000200000008a13287bec44828e3965e6eb9fc71a0ca0efd1b0cb0cf7a28f7832f8120f071090000000a82adce4d21c5d89dbd148cc4246f54de3e0085d2c079d5050329387fd6ac34e847d8b4c68da2f29136bc6bc94e289deca09d7294e11bd9330597b64e333c4d55cd9a5805feb5dd639b745962cb2aef0062a056409b753019dada765df3054c95d3733609416654d68185f15ba50641f3f0a037405e41361a57a432986e92c7c72abca7bb42888a85513c7b2dd6518c04000000047a10d612d9de2e6c1986a287fe615ae228929ad11b4a0a3399149ff1c634efb790a4bf68581450a950e97a54ab51ee13d82c6b08ac14beb42d56422a2eeb8fa	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360205419"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\goodgq.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\goodgq.com\Total = "29"	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

pid	process
1320	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe
1320	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1800 IEXPLORE.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

description pid process

Token: SeSystemtimePrivilege 1320 4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exeIEXPLORE.EXE

pid process

1320 4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe
1828 IEXPLORE.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

pid process

1320 4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

pid	process
1800	IEXPLORE.EXE

description	pid	process
Token: SeSystemtimePrivilege	1320	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1320	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe
1320	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe
1320	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe
1828	IEXPLORE.EXE
1828	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE
1800	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exeIEXPLORE.EXE

description	pid	process	target process
PID 1320 wrote to memory of 1828	1320	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe	IEXPLORE.EXE
PID 1320 wrote to memory of 1828	1320	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe	IEXPLORE.EXE
PID 1320 wrote to memory of 1828	1320	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe	IEXPLORE.EXE
PID 1320 wrote to memory of 1828	1320	4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe	IEXPLORE.EXE
PID 1828 wrote to memory of 1800	1828	IEXPLORE.EXE	IEXPLORE.EXE
PID 1828 wrote to memory of 1800	1828	IEXPLORE.EXE	IEXPLORE.EXE
PID 1828 wrote to memory of 1800	1828	IEXPLORE.EXE	IEXPLORE.EXE
PID 1828 wrote to memory of 1800	1828	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe
"C:\Users\Admin\AppData\Local\Temp\4cff67a22ffa77854115368fb25f30a7033b71e8ebc21a6e9c5f018d2cbd0538.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.goodgq.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1828 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_28699ABAC9273C08DCF1E93A8F6BFD1D

Filesize
471B

MD5
196a1094edb471f6766e58ac768c5288

SHA1
94d71160cbd87ebe1330411bb9ef13b10216ef1d

SHA256
f7d32ba7422f9863e177686f7e4082aead6d612ad70ad680a9f496c4c80a14b7

SHA512
30352f4710a01ff3ed8b567b68f1cf44f8ed01aa5eee013af758a904a6eb809b461a76e251073d0197e6fd6aa5f732947afa444c355a58c52054eb98679862b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
786a11932954d3d2df2a8ace9fb2946a

SHA1
c5381b5cc255e370814112f2a17e973b63127d15

SHA256
75a1ba4b2928c4769d91014e3b22c162d7f857446991c7b79ca780718ca286d9

SHA512
55a26b955e752b3c1c6a709c195b74dff79fb5421a96d49e682947ac77d2f4c0b3cba0c83c3ff31e6df7db43824a6019d27eb27f3e10ff42aff5212f986fe9fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_28699ABAC9273C08DCF1E93A8F6BFD1D

Filesize
430B

MD5
c3d3d18d00cad7a49d1c3083339588a0

SHA1
f39513eb72cec347a6507756c2d7fd79bbf48022

SHA256
6c135a3f77c6eb14cb87a318f5ac3e2fd8d7c8f01bf59117ee8b70f0174e8cd2

SHA512
024e5f160ae4ff8bd9ad7be5b3ec438576de4044f581decd87cba3734d46943dece68492ddf30bfabe7ceea99310f03f4037dde31a54546920dfc5080cd9288e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat

Filesize
8KB

MD5
532a692e67699597cfc37ffdd33a5325

SHA1
2489b5bdd818e96a01aa2ca91c2b215a1c44d104

SHA256
96756abcf90e19642f7b9f27366ea9ed4bc309b9be18c8a8ae7d7f3882c20fe7

SHA512
27dcbdb896ab2a0ffd5b906fd7662b211ec6760888d452a9aaec8291b32acd3d812d27ff7c743c56c21bc740f4fb1a5f988801636f3787819f7d3f570950ad45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3TF4HDHZ.txt

Filesize
595B

MD5
fc29ee12a68922a885d3135c4323e3a3

SHA1
8ce94cef635e9f02e1f417af11c32349884f4ef4

SHA256
1330a2ab54882ba7d5d7580be04d502fe8cdd315093ff06933619cb24b48c3e1

SHA512
93c8211f63540a452b2a5e4af74843598bf746ea2ce8ba047bb76146ed951099ad141f315d6e0f91c4734e83690f802b1e4eaacea89c8d29c7e9b5dc6556b965

Download Submit
memory/1320-85-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-93-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-67-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-71-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-73-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-75-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-77-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-81-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-83-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1320-87-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-89-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-91-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-65-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-95-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-79-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-69-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-56-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-97-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-98-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-63-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-61-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-59-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-57-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/1320-55-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads