f3df8e1ce954fb9435e11c7408a999ae502a9116a550fb4ad77b1f01c75f518b

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/09/2022, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

umaagNllnma.html
Size

792KB
MD5

aa0bb07bb5e703e51786ec44dab22b8d
SHA1

4f3aa8c45281905af663d18a5331ab82cbc86ff1
SHA256

5b3d7924ba151028bf8d35adbc77371084bc0a3aec9e30b0d05ee6584a6d004a
SHA512

bccda7f9a206d7990fccc9ff46e3b65b9e9ebb02f41555d647b1d625dd7f3a98801f13383ef6d39cc8cb1857b8c25bd7bcaa16fbc6ff9309335d49c1857dbbb2
SSDEEP

12288:My6pbKJG1cNTFC8dujWEi+iVWG9P7mkETzWUyUrAQVJ+FBynqfctDRGPAknRx:MPbLGNJTdujWDZhmtxykAQViBghtDatX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = c06e8cc964d2d801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a30000000002000000000010660000000100002000000068a33267a1eac2124103903f649f257cc57eb1d30a0ec9a8440e68c7ec824585000000000e8000000002000020000000100e04e22521e7051eed9d62755d193c75299b1b57e188cdc32fd4860301aac390000000775f56ce6d047f00b05191ffa7c34b3e7a74c52beb2750cbbc06aecdcb30d18397444a3b6ad8744c63347de354bd016909d0c411d42388eb3c50ca2172694b3ce4e5cf0b67cff270c94ba18268282c082fe8ff43a54b99058c0b319173ab6add2711bb57fc2cc13ac9ce1dd173845cd1c16f54909cf6d5569d7142122c454ee0d17a13e7ce044073cff60e31a9bc981440000000cfd978d98995018866634584a5e243b7ad1c63fd6dd44fb2bae7a72bd801b82d43f7eb4aa2f4fac6793de9548453c86093b1198a39dff25453142e3687941eb1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371043312"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05E2D7B1-3E58-11ED-808D-42A98B637845} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a3000000000200000000001066000000010000200000009bb42af7831233015bdadcc1f73215bab2d400c4693cd70aacfad9d59ba08a7d000000000e8000000002000020000000ccf9a24cef245a93d9b4472627eacc3d755272fe38a282f55353c7c153cee3a12000000087b44bb725a39500d3b5f9b10b005b3bcaec2afb2f3336659b4e532f5c13d39f400000003e8b6319b5cd2964c5cc7c6fc603a1f2f88323656aa094ca0379b4e13b40af1c7c0747598f2c0cfa33c66b8f238d49ac46f3bb1bd722770a842adee3acf71662	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 504fc8db64d2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1744	7zFM.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	1744	7zFM.exe
Token: 35	1744	7zFM.exe
Token: SeSecurityPrivilege	1744	7zFM.exe
Token: SeRestorePrivilege	1700	7zG.exe
Token: 35	1700	7zG.exe
Token: SeSecurityPrivilege	1700	7zG.exe
Token: SeSecurityPrivilege	1700	7zG.exe
Token: 33	1056	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1056	AUDIODG.EXE
Token: 33	1056	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1056	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1664	iexplore.exe
1664	iexplore.exe
1744	7zFM.exe
1744	7zFM.exe
1744	7zFM.exe
1700	7zG.exe
2012	Notepad.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1664	iexplore.exe
1664	iexplore.exe
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2036	1664	iexplore.exe	29
PID 1664 wrote to memory of 2036	1664	iexplore.exe	29
PID 1664 wrote to memory of 2036	1664	iexplore.exe	29
PID 1664 wrote to memory of 2036	1664	iexplore.exe	29

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\umaagNllnma.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2036

C:\Windows\System32\isoburn.exe
"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Art#8878(Sept2622).zip\Art#8878.iso"
1⤵
PID:1056

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Art#8878.iso"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1744

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Art#8878\" -spe -an -ai#7zMap18732:74:7zEvent25933
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\Art#8878\banners\interviewedProbability.js
1⤵
- Suspicious use of FindShellTrayWindow
PID:2012

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Art#8878\banners\commuterFlagon.cmd
1⤵
PID:804

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\Art#8878\banners\urbanely.db
1⤵
PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\Art#8878(Sept2622).zip.811kjvl.partial

Filesize
592KB

MD5
46c005e8c933667941e57c75c52022e7

SHA1
04162e57bce21243ed365fa1e02959202c34070c

SHA256
e4f5ed0da12a679402a4d09aa1680bf4d640b173960487bb6d3c110a8f0fb5d1

SHA512
2dbe61411a0120506c14acbabb1df9ac71a317f38ccc7bf3b40afa9803afbcf156c211a9e12fcb90466938506459df9bc54e5deee962c51a22972acf0a5d04dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5UZS3LXH.txt

Filesize
608B

MD5
7a5663699c186b7749ebf993c01f19e9

SHA1
53ef28994c04db1c475fde7546ae25155283b02d

SHA256
78a0526d725aa8bed763187ea4c90df0768f4a9786c071da1c2e2e198d9de6b9

SHA512
39e24285b81e9dbb400bac7554c5f95c8596401d674beefacb86de41ab7a159f7b27ad473eabd426764fc7383d513471f5b18054830c1db131c71da1cf2cbccb

Download Submit
C:\Users\Admin\Desktop\Art#8878\banners\commuterFlagon.cmd

Filesize
44B

MD5
4ea3b2be6956e9051290b28ea057f59d

SHA1
9ed4ec2d77d89fcd6734558ffda49f215366ddcb

SHA256
57369dfd2b2123951c3c4b5bff3ab9995e395469eb60e318544e54d2db1bd33b

SHA512
c525fad16f5e44ce09067ab56326303a966da10de068785b35d723623c361011bbbda3d0fb8b13756060bedcbbc186bc5963c72bd5eb7a0013cae53bbd1dc357

Download Submit
C:\Users\Admin\Desktop\Art#8878\banners\interviewedProbability.js

Filesize
221B

MD5
876179df2cec275629379ed330131c1c

SHA1
fcb114c9d5da8ebb8c01cca878f56c803fec63fd

SHA256
ac9a91d9401c8a1c961c3aa67d6b9494eb00fccf5e04096e50628c2dbd5fe89f

SHA512
7d3331013df42473e6c722ac5e0546f854f6d59697363fbcef7cd42aa8c2e797ca7258021c849077dc8383da06f6c861b57db98b8510bf8c06a5feecd1e11af0

Download Submit
memory/1056-55-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads