Overview

overview

10

Static

static

URLScan

urlscan

1

https://65.108.20.18...

windows7-x64

8

https://65.108.20.18...

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2022 14:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://65.108.20.187/download.php?file=download

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 11 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://65.108.20.187/download.php?file=download
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:656
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\install (17).msi"
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1600
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DCC1F1C4DDAD638685C703B738A7B657
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:456
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssE6DA.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiE6C7.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrE6C8.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrE6C9.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1512
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1664
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C4" "0000000000000300"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    60KB

    MD5

    d15aaa7c9be910a9898260767e2490e1

    SHA1

    2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

    SHA256

    f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

    SHA512

    7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cb7a7168bc09795bea0f29f2fe935980

    SHA1

    3287502c466ad4629c114b24b1de970d450ebb69

    SHA256

    365e0454dc3c7ce902974e3fe7b5634789bc66240222cd4fe1fefd01f9fe0b28

    SHA512

    a95f9469fde14ed11c8b81bb74143489557fd1ce01d90d3028bc7a7797c4a195c271ee20187d62f84f155b80c07afba5c0b6aaf765f9b25ad6005214108eeb7d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    aa907759bc74fc87898d6084a2164e28

    SHA1

    6482e1145cff46b57fd647e987e226dc5d724cb2

    SHA256

    60e663979208add58be76be09d484dcabcc64d179300b22069c61e4a35fc19a4

    SHA512

    8a685aa2ab288c64f5a874ea2ad4e5f03c157ff675d4c950724f0298f84830a075187c080c7f66fb2f6de9c09fc69afe585dff9e3378ca0ff8a0f0a68fa7a1bf

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f36ec35ed6042e5c1a0255201636ef01

    SHA1

    06bdb321b5156088e97ad5bce6e75868cafe9fc2

    SHA256

    4f96dec757e01797489b006e7d7c97cee5b1bc77e748cb308153b6aeca979686

    SHA512

    7bf98546e5e1a4509b93ceabc9608e33166a23a016c5fbb9e8abc1398eaf7f03067c4d0a29ed55a25bdc2a5028bcd37921794fdcf358a0777459c362a316ab18

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    d5dedcbddec62d4d1d65d12b1c08146e

    SHA1

    f63ffdd1c18a8c21d891a92bf7871cba5f108f3c

    SHA256

    642209de21352aa835d7b3893698b47a70eb7e0838655384c0de52884b05bfcf

    SHA512

    3e0c8a7ff6a7f1a168a177318880bf59d74442b1919c38364fa99ead08460531c19705d09e0cc26becf907f747ac3020a054acd0f6f8f4c24b397c8b35eeb03e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\install (17).msi.ja3cipj.partial
    Filesize

    108.2MB

    MD5

    eb08d7dccd364f80ca9fb8b9cfafbb40

    SHA1

    28f5e795224743134b60be71d33e1588fef19d6a

    SHA256

    f6d4d2a28f7b1dffed44f1a7681bf1b07e2ceb8fad1769d82b691ebd3f59b6aa

    SHA512

    f206595a6c306e2ecbdf5c9bbf789511a13b87f662a06ab468a8bdf387142481a6977e290532266bfd28e1b66b3f826551e283df554a9f926bcfa1164b1ae6b7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pssE6DA.ps1
    Filesize

    5KB

    MD5

    8f69da7a9f4b3c2d0f423583b262ed49

    SHA1

    b6d2ceb18fe78d279f76f412e4660bff5f6a88c7

    SHA256

    dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43

    SHA512

    71782d54137e87ec8d4311adf83b9b269aadfcba55b753ce8562d0fe74cc95f00118b01f3139b8ff0a142156d6461bececfc38380e9acd0c117b2fff0e846edf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\scrE6C8.ps1
    Filesize

    938B

    MD5

    6d89e53b71a3642d04bb3142ec665649

    SHA1

    9bbbf249e6059dd52e0100e75d4f51cb3d3c3b33

    SHA256

    0dbfc61349ddf6e6df2a46463b9320963b2f556c83fda03610d74f2a6e06e0fd

    SHA512

    227d6271af70884365a4ac6d16d5b6af8e56dbfb80d9a0465bc64dd5ff96358e29db2007d1340982a5e16b7e6e4b8c108bfb4fb1b1ee78feb624d8066914e29a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6WAF5ZKE.txt
    Filesize

    608B

    MD5

    20ef8978f3aaa360f442def423b82cec

    SHA1

    7a0fb0d945da245aa9b86f99427e7f4eebce3ec1

    SHA256

    133d3591cf808e276cbbbde9d5a1d22c3a1da941c18fccb1d55b53e462e78e15

    SHA512

    80e2c93afdec97600e14f59a7f66bf9be45550c02c743ea1950ccdf5ccb324d1e4544d916542670b46c77678a8c858119c06dca5a52363946cf057e7c339ec80

    Download Submit
  • C:\Windows\Installer\MSIBF28.tmp
    Filesize

    268KB

    MD5

    b862a8faa3bdfd0dc181010c58460340

    SHA1

    855626e83f2f2364ce663ef280e2479d10963d0f

    SHA256

    4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

    SHA512

    b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

    Download Submit
  • C:\Windows\Installer\MSIE63B.tmp
    Filesize

    670KB

    MD5

    846afe3ed676561d5f2cb293177f6c03

    SHA1

    bd31e948dca976ab54f8a01b87cbd6920659dc92

    SHA256

    d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

    SHA512

    e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

    Download Submit
  • \??\PIPE\lsarpc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • \??\PIPE\samr
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • \Windows\Installer\MSIBF28.tmp
    Filesize

    268KB

    MD5

    b862a8faa3bdfd0dc181010c58460340

    SHA1

    855626e83f2f2364ce663ef280e2479d10963d0f

    SHA256

    4b588e4342713920a31acbd249e55e0287cfb562860164506ac047fc70617ef1

    SHA512

    b6350e82edd993f16d899f6664acee913a8355c621e418568d30c3dc7689b399bb7b565173929f2827e3acb2377ddf35a22d50d714556b31d19d9c48313d7f8f

    Download Submit
  • \Windows\Installer\MSIE63B.tmp
    Filesize

    670KB

    MD5

    846afe3ed676561d5f2cb293177f6c03

    SHA1

    bd31e948dca976ab54f8a01b87cbd6920659dc92

    SHA256

    d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

    SHA512

    e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

    Download Submit
  • memory/456-68-0x0000000075A71000-0x0000000075A73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/456-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1512-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1512-77-0x0000000072B30000-0x0000000074058000-memory.dmp
    Filesize

    21.2MB

    Download
  • memory/1600-59-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1600-58-0x0000000000000000-mapping.dmp
    Download