Analysis
-
max time kernel
87s -
max time network
144s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
23-09-2022 06:47
General
-
Target
.html
-
Size
1KB
-
MD5
891cd2a44baaea87f4f56dd8d95af4de
-
SHA1
f7fc28e202ed36f8a6c0bcb3cbd9fa122812ce6b
-
SHA256
b52423f169c4db034baa7150f8af045cf62111826e6da718944748e4c277398a
-
SHA512
f2a1f7959d7a1c22ae3aaa208f1d328ffdfcd853aa5ba8b0740faddd5cfdae13a7ec1b358f9dea7dc81c963d69c1e363197a2953862d84cce646902a92c54cfd
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 23 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 49 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\.html1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3824 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U78J56H1\reshacker_setup.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U78J56H1\reshacker_setup.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-9NC18.tmp\reshacker_setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-9NC18.tmp\reshacker_setup.tmp" /SL5="$20236,3411549,870400,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U78J56H1\reshacker_setup.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD515afcebf1b296be7a78fac9d3700ef3d
SHA1c2210c056209dc67b283c3e5b5963e134479e4c3
SHA2564cab446eedf9d32c7e41482cac22a453dabcdbb0abb924801aefcc3c364636cb
SHA512ae33f97863d9de21fe642d432a0983aba3206b00e15f9430728a03127067424749d88a51ed1f59ffa6cd8428fb10701ed83b148f4f57ca0cd61553086c68c551
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD58fcac0e81caddc3ade796d60915e02b5
SHA139e2dd79c37bde603b708b4ee4b12fdef7f7aa25
SHA25643099763ecab4552e85ba1280d0bff407ad152a9d844f7b8e77ad688cc1cc3f5
SHA51275418f289cf8ad6f398bc0e80c44de94322662aa85e6ed742651ae2816843bca900782f3ac687b74b4e6dbeab40cb8542bba15322357888a582d3d6afdd2fe7b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U78J56H1\reshacker_setup.exeFilesize
4.0MB
MD5e846ef7353af351ad4a6e1d49638b500
SHA1c08392c797fcea5147b3f0d7e07f57eedc323911
SHA256080e97f7c198aeeac2a172f055c09d8da365b59b58bf6a71bde4486d9992ff66
SHA512e73bd521a157af4388b7c0d3bff5b34a4a547b8083137a4b48d0c232562d5932c7bb89b6700778246b895d7b9d1ba59050f3a631dfd436f64b5ff9ecf7934ec5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U78J56H1\reshacker_setup.exe.h3v6wni.partialFilesize
4.0MB
MD5e846ef7353af351ad4a6e1d49638b500
SHA1c08392c797fcea5147b3f0d7e07f57eedc323911
SHA256080e97f7c198aeeac2a172f055c09d8da365b59b58bf6a71bde4486d9992ff66
SHA512e73bd521a157af4388b7c0d3bff5b34a4a547b8083137a4b48d0c232562d5932c7bb89b6700778246b895d7b9d1ba59050f3a631dfd436f64b5ff9ecf7934ec5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3UAFFBUC.cookieFilesize
606B
MD5e2ea65f60869e312d8942acc6b20ac19
SHA196efcd588b01620b628735e2cba6db71bb3a8385
SHA256c5a2a7706551c6de12a409953d1d4d32308863df26231721de6cf60a82f97b69
SHA5124c492451d2e847a7612528a3435a664d700311c49122bf9bb98c060b995a18129e216efa343a5f759434d89a32c8bb05676c6dab3fb72dd39c2ae2ceedbc1836
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\EL9HT129.cookieFilesize
605B
MD5606ab1e220ff115012fefb7291b48d99
SHA19e8e822eed36046ad8b59939cb6c04a2c44ffc18
SHA256486d9cbef176eb043d7cf6a91692aef8d30f370e6c9fc160c31e9531e01e740e
SHA512327faf22d6806b5fe32fbbeed17c03fbbd1d9e13fdfca4949c55ea8f4f28414f48cd51bbbf9f88f0a805eca9fe376c325a270eeeecc132490d2e8a5153e1cfb3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YQPIM10S.cookieFilesize
415B
MD597cd0566acb6dc0ece8b8bcd8d12d99f
SHA1f2333fc50aafc60a300217f97aaab874ba2bfc07
SHA256ed5607205dedaad1522adfedfe51908fd34e557f5b4cafc33aff39e782d440f5
SHA51279a5a87a02fdd74974cd0b7e78ed45f978dd4a0109f3f6d258c4207e359162e69c168b39bc515b0c107e2e6458bdd6aeacd754821313e6e506b90920621faa18
-
C:\Users\Admin\AppData\Local\Temp\is-9NC18.tmp\reshacker_setup.tmpFilesize
2.5MB
MD53baaf568aa5142e9eeed4ec6cdd764b7
SHA1089ec2257a57c0f2ee913a94e61c1c8272de6290
SHA256153efbe85cecec3149664254a856440fbb6a3c8f3f287a97f373b3353e816268
SHA5124a30732ea3c5a2e8529eab69761a25862c87935fc3842b48d515901669725ff070527ccd61dd602dfced94cd504b7ff2861f43ffba1ead6569b8b26544845287
-
C:\Users\Admin\AppData\Local\Temp\is-9NC18.tmp\reshacker_setup.tmpFilesize
2.5MB
MD53baaf568aa5142e9eeed4ec6cdd764b7
SHA1089ec2257a57c0f2ee913a94e61c1c8272de6290
SHA256153efbe85cecec3149664254a856440fbb6a3c8f3f287a97f373b3353e816268
SHA5124a30732ea3c5a2e8529eab69761a25862c87935fc3842b48d515901669725ff070527ccd61dd602dfced94cd504b7ff2861f43ffba1ead6569b8b26544845287
-
memory/3312-156-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-162-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-129-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-130-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-131-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-132-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-134-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-133-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-135-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-137-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-139-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-138-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-136-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-142-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-141-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-143-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-144-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-140-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-145-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-146-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-147-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-148-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-149-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-150-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-151-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-152-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-153-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-154-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-155-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-127-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-157-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-158-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-159-0x0000000000400000-0x00000000004E2000-memory.dmpFilesize
904KB
-
memory/3312-128-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-161-0x0000000000400000-0x00000000004E2000-memory.dmpFilesize
904KB
-
memory/3312-163-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-164-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-165-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/3312-243-0x0000000000400000-0x00000000004E2000-memory.dmpFilesize
904KB
-
memory/3312-124-0x0000000000000000-mapping.dmp
-
memory/3312-224-0x0000000000400000-0x00000000004E2000-memory.dmpFilesize
904KB
-
memory/3312-126-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-183-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-173-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-184-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-185-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-175-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-176-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-177-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-178-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-179-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-180-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-181-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-182-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-192-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-172-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-174-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-186-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-187-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-188-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-189-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-191-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-190-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-170-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-169-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-166-0x0000000000000000-mapping.dmp
-
memory/4016-168-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB
-
memory/4016-171-0x0000000077600000-0x000000007778E000-memory.dmpFilesize
1.6MB