Resubmissions

  • 08-09-2022 17:44  220908-wblklafbe7  3
  • 07-09-2022 00:27  220907-arqnlaafh7  1
  • 05-09-2022 16:52  220905-vdthjsehd3  3
  • 05-09-2022 16:42  220905-t7p7jsegc2  7
  • 05-09-2022 16:37  220905-t49f1sefh3  3
  • 31-08-2022 06:37  220831-hdwlpabhc7  1
  • 31-08-2022 06:32  220831-haw32sabhk  10
  • 31-08-2022 05:40  220831-gcy5rahffl  10

Analysis

  • max time kernel
    243s
  • max time network
    230s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-09-2022 16:52

General

  • Target

    http://20.7.14.99/server/

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies registry class 34 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://20.7.14.99/server/
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3472 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1476
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2608
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\venom.bat"
    1⤵
    PID:5084
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5084 -s 284
      2⤵
      • Program crash
      PID:2236
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 432 -p 5084 -ip 5084
    1⤵
    PID:3564

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry (T1112)  2
Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ru1r3yf\imagestore.dat
    Filesize: 30KB
    MD5: 35e27378b018198a6dc07257300c5b9e
    SHA1: 3c46353f6a5967aed5bfd535485276a3fd509d55
    SHA256: 148392175bbe92eab20152940944c2fe1211810c4d8b51b536ff5ed4d715778a
    SHA512: 5aa9e9a00d041c52feda5f2aa81d1025129800a8bf63bdb61dcb074c055719ff94dac4379d8c23cbb1f2b1c12c43b30cb24b06404b3126504f91f8bd7a29c3b7

  • C:\Users\Admin\Downloads\venom.txt.oatgkuw.partial
    Filesize: 1.2MB
    MD5: 2bbcd1faee00d305e114aa3f2572579b
    SHA1: b5d5839d358e4d372e8001a4f6365c4cc6168f71
    SHA256: 07b79e5de98fc1b9ae0ddc3c8c50458ba4d7cb303c24fd5f9a061b6c9527127f
    SHA512: b34cd7ee59d47cf8dd3d89768ed8be1be0fc52e98462545bdd6d2607d5836b78a40ece5639bd89f707d33f20ad7cbb66ea4a2bc7a29d148aed429d5f688e2934