44a54c5dcb72af535061fd5fa1ddfe270ea50c822602c1f9334a5fed2a544733

Analysis

max time kernel
110s
max time network
172s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 05:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

44a54c5dcb72af535061fd5fa1ddfe270ea50c822602c1f9334a5fed2a544733.exe
Size

52KB
MD5

5f4569a1c0573b952bd9f61de1f5d57c
SHA1

ba8e16241def5674b9025521af4d1dbcef95a798
SHA256

44a54c5dcb72af535061fd5fa1ddfe270ea50c822602c1f9334a5fed2a544733
SHA512

ac76478f329e30c771c637aed7d36266486ee67ac9b59905673fa02f21ceca29fde3c9cb2edc419c9b60702427fafbc32016ed05365c800b6405d4d4e1f0f249
SSDEEP

768:ilrwIOTV4bmeeIyF6o4RQn8xBw+Wwwwwwwwww+:iKebbeCoSQUa+

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0ef5c5808ccd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000f99af75ca1930b737552528283469d204b58dbbb5a60ab2b97a91cd6b62c3de6000000000e80000000020000200000002d1e4a138a524f4e6306c7eb43920ef9649c8e48f7c3990bdaee302e6c1f706790000000ef2ffffbd8bed4683c837679620dd66ca1aeec7e790b51bf817717e9d67083731b2978ebb38ec1f7e9a470b10062ffb16306b2b6f86b93a38620a22dd60c85e30917d38b492b5654d4d1656d908d93f8a0acd9b97418c01f4e742d874894fbd569bc34e09003c9fbd4e1e22fd502bb8aff3e646cd400f2bc9e424f6ff2f2e81aed3c699a11c572a94742d790c44ec44b4000000025596a78a9c636c24c274593060f4a2121b6d790ac9023662fbd1481152883396cd4444193f19713cea6b1499fb09de77c70de3c72a6af215ef1ea8a6be13de7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7254EA41-37FB-11ED-A50E-C6457FCBF3CF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000084d64a6b7e73b9ece926039aaa1c6da64bb076baafa518c19e4370e02d1bb220000000000e8000000002000020000000ce9d7cf51287a9dd0bed2b9d4e61bfeb1b3e9a0714c23d5b094e90ed1310bd5220000000a08ba9ba7f3ebe1b9bb88d9f8d3243ef2f9b20d3dc4731c4c1879dfa2bbc80e1400000009db6a9f4c8384658c8b399b748ab7918361887c463d33ca6050bdd7ffb797bb800d94a491c31c46fd5f8a72d1d39e6baf1c399b2d4c013f3887a18581262db4a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370343842"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
888	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
888	iexplore.exe
888	iexplore.exe
692	IEXPLORE.EXE
692	IEXPLORE.EXE
692	IEXPLORE.EXE
692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 888	1632	44a54c5dcb72af535061fd5fa1ddfe270ea50c822602c1f9334a5fed2a544733.exe	27
PID 1632 wrote to memory of 888	1632	44a54c5dcb72af535061fd5fa1ddfe270ea50c822602c1f9334a5fed2a544733.exe	27
PID 1632 wrote to memory of 888	1632	44a54c5dcb72af535061fd5fa1ddfe270ea50c822602c1f9334a5fed2a544733.exe	27
PID 1632 wrote to memory of 888	1632	44a54c5dcb72af535061fd5fa1ddfe270ea50c822602c1f9334a5fed2a544733.exe	27
PID 888 wrote to memory of 692	888	iexplore.exe	29
PID 888 wrote to memory of 692	888	iexplore.exe	29
PID 888 wrote to memory of 692	888	iexplore.exe	29
PID 888 wrote to memory of 692	888	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\44a54c5dcb72af535061fd5fa1ddfe270ea50c822602c1f9334a5fed2a544733.exe
"C:\Users\Admin\AppData\Local\Temp\44a54c5dcb72af535061fd5fa1ddfe270ea50c822602c1f9334a5fed2a544733.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.choijh.net/onair/2/2.php?search=bl¸ðÀ½
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:888 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3A73M5GW.txt

Filesize
607B

MD5
f31673dbba6ded6249675f4fa74bd899

SHA1
56f0c857419a6d6d65fcf7d30761b92ff2f52010

SHA256
47872a39ffc72fcc31d77fec7d5d63170ec586f63d6c97d336d939ccaa319334

SHA512
7441e6338c806f9f6653e373b28badf35e21601253b75d4c24a3d4d942097fe0145f254154939338268cff8c83aa1e93d2ae93253586bb4bf9c3fd61e66d63d3

Download Submit
memory/1632-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download