c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2

Analysis

max time kernel
126s
max time network
180s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
Size

67KB
MD5

409ea944e54b81d80ea7f859c89a9682
SHA1

d30b01947275d5e89b1a35c2a2077b416e8522be
SHA256

c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2
SHA512

7709905143bb2e3349b80e62a2e0b8a08d9c97256061f21ee6852e6eb0d8df4bd2c5415ff649a3ce46fe9d2427f7692be5cfe742b1128855742c9c530dcf6976
SSDEEP

768:HTRF+gPaZbKyj9lFaGmx/gAmO1s04N/4aklbISfhaGDgVm75/dWWyXYrfGWDbX0t:HtNyMyhl5fAVs06/4a0k+H1lyIVDLTW

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000d055cafb25f273bea32ba91c4caab526fab36f887b17717d3ea1ce08883701ad000000000e80000000020000200000003a86a0e0f87e452fca38c03897e04fd7fab6e4bcf212189ec2b4e07e3f8773b8900000000655c4282fa30988502e89b9cf05442cc3a05a13977070f7100572f5b604e9ffa39231c0e43747cb1c214b7e84918ebfd838570148e7e053a03393bd77dc1f63b704dec2428ff2c0b0b1666445ef9e7871de9e2db59282da5073d472deea0f4a19f85d02823f4321cdce6f552c3d3e3ecf411657a9969456b8f2a0204cb03cd50ecdb3214893c1ff9ae644cb7d8958ee400000005bfc9d41d1a46435fa0d73377a217b4ed158b756ad300bd3841b7f0739af7387a9f5531db4242ce3e669fab6311f4e090046813f1c0120cf18446346e336eed0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370392231"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502fb80779ccd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15921CD1-386C-11ED-AA01-6AB3F8C7EA51} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000a1cc76d6d3f71a103fee4e288c4728383ab7545a7d1212e337645c82fd829664000000000e8000000002000020000000412867c4691162743f1c63ad595800bbb749aaf8f27ddddb687fdc630ad8f2a520000000fa1179cf17af47a82300146876464721304f8f68641b5965d0962545ded092054000000024b7857a5df7e03d19165ddd5bf3113eca237ef47e70ec6b7056317fc7b6fa280661036e7988b0c37125984f73cde69faded930b5a601ef17bca5bee78d820d1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2024	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
2024	iexplore.exe
2024	iexplore.exe
564	IEXPLORE.EXE
564	IEXPLORE.EXE
564	IEXPLORE.EXE
564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2024	1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe	28
PID 1644 wrote to memory of 2024	1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe	28
PID 1644 wrote to memory of 2024	1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe	28
PID 1644 wrote to memory of 2024	1644	c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe	28
PID 2024 wrote to memory of 564	2024	iexplore.exe	30
PID 2024 wrote to memory of 564	2024	iexplore.exe	30
PID 2024 wrote to memory of 564	2024	iexplore.exe	30
PID 2024 wrote to memory of 564	2024	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe
"C:\Users\Admin\AppData\Local\Temp\c140a8bc9bf918862c193280c09dcbdbc1daca0804266fed3f02e0eadab93fa2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=ZvizXaqutWM
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
845085b97ac53320f34892b96634cdac

SHA1
b17ff3542e93ea18feeb996add3e4ddc588e0813

SHA256
b1c9b56489bcc0e3bf4d8babbd4da5cc0a13c5d48104b5b30b858fabecb63a0b

SHA512
20f5be124be270dc9da6336781b1644848e227fba8f687df8f69ee00e55b62368dd835fedcbf22ce0ca023699dd5aff72b7f19bb2b11397904e2d619db816f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

Filesize
5KB

MD5
48ac26d7fb09679abc27dd8f2178a25a

SHA1
3bdba18530016de7775a20911b4edde4f1c7dcd3

SHA256
91a4618448ad515f6af89a4dcb1d7216ea12f9077e9e4b1a5f945429d99cb9fe

SHA512
7cb4d766eb3209757401c47ff698ee6151ee4e7e242113c62140c82a939d1d8c6d829fb87b9d66381fd9d63c7d7cafa6591e6cf783f16a30e9e15174307a0f35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KBFJADFE.txt

Filesize
603B

MD5
f5148b82a55d74de4fab986b0004dbca

SHA1
2a184e4f49f5e53a220bc3b42c0606996395de90

SHA256
e9d70152ba71ef216bcdba24de96137ec37b04e3362a33a0e1479eeb76caaa12

SHA512
6b9ea4203ca3cc49e283de1603ca1be4558359ac9a5c89efbf64655ffb2376ce44ce67dec9749050e42d0979d4e1b3a6d886ed9baabe0b11d4a16231045e3dc7

Download Submit
memory/1644-54-0x0000000000400000-0x0000000000440DC5-memory.dmp

Filesize
259KB

Download
memory/1644-58-0x0000000000400000-0x0000000000440DC5-memory.dmp

Filesize
259KB

Download
memory/1644-59-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1644-60-0x0000000000400000-0x0000000000440DC5-memory.dmp

Filesize
259KB

Download