3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab

General

Target

3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
Size

639KB
MD5

009872fe86f55ab2f3bcebf4d081dd80
SHA1

cf88738f8659153105c1902af9de9c6b5f5aadc9
SHA256

3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab
SHA512

76781a64d2fe12570c55b3eb022f94fb2aca800fa553089c3741ed7ed517718d7bd8f92edf88b667447d0ac001f20462849cf22ca0d4d878611bb63c5122ea8b
SSDEEP

12288:khkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aq+g:8RmJkcoQricOIQxiZY1iaqh

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe

description	pid	process	target process
PID 1480 set thread context of 1996	1480	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371540306"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000db43f9a48628b6d2640408b61038c0e51249cdcee82f04646cbe60406f586275000000000e800000000200002000000047e96fb10cb420a0262d0ed61855a7ce48d895c3c2465242be5ecb204ea66f6a20000000d3104a1d60bbb3d76a48041544493a00b16ca268530f2e1cfc369f15f020362240000000771aad9e569e41f6f53876a8f53da0fe345da4dc2d7bf020af3adbf352a9abacb5ee4068b221d391093b8c406cdf5b244ccfa65f4244fa40cececbca477a7303	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{30E2A9C1-42DD-11ED-BD75-FAF5FAF3A79A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30edbe1eead6d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0f3d159765a7f43b6bf060b4b70c9a300000000020000000000106600000001000020000000bb88fce33b89a778fc0897f9f8ff0c35b9cf3fc44aefa3d56a21768acfda4568000000000e8000000002000020000000e0c7ea08b4a22e58eaa2a36e61f55a3969efe53e61db3cc74b316d4327d62d6f90000000e408798e7e51aebea23f81ad752016d453331e56dbcf6bf0ea46c4c863ab144173b2512b5fe2628d6a18791d242b5822e505167b525715d1016555d39ac08a41ec5efd5f9396e2a18829449c65109e2d9bc5da9bc96c421a63936f235aa2b3990a6b722ba48c2c9d4db7466008b07e17a24dc4c1e51dae6b574fbf9e7a374f3be4fd659c2b0dfcc8ff8f1707b9111d8740000000427e164b9e547401cfc41b43063314db70ff31e7ae4172952a1a6a38e1e4c548f920fb43f35488cd9503ca7522ea1e317b8d44bb683d260c77b24292150233aa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1984 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1984 iexplore.exe
1984 iexplore.exe
1284 IEXPLORE.EXE
1284 IEXPLORE.EXE
1284 IEXPLORE.EXE
1284 IEXPLORE.EXE

pid	process
1984	iexplore.exe

pid	process
1984	iexplore.exe
1984	iexplore.exe
1284	IEXPLORE.EXE
1284	IEXPLORE.EXE
1284	IEXPLORE.EXE
1284	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exeiexplore.exe

description	pid	process	target process
PID 1480 wrote to memory of 1996	1480	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
PID 1480 wrote to memory of 1996	1480	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
PID 1480 wrote to memory of 1996	1480	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
PID 1480 wrote to memory of 1996	1480	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
PID 1480 wrote to memory of 1996	1480	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
PID 1480 wrote to memory of 1996	1480	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
PID 1480 wrote to memory of 1996	1480	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
PID 1480 wrote to memory of 1996	1480	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
PID 1480 wrote to memory of 1996	1480	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
PID 1996 wrote to memory of 1984	1996	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	iexplore.exe
PID 1996 wrote to memory of 1984	1996	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	iexplore.exe
PID 1996 wrote to memory of 1984	1996	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	iexplore.exe
PID 1996 wrote to memory of 1984	1996	3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe	iexplore.exe
PID 1984 wrote to memory of 1284	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1284	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1284	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 1284	1984	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
"C:\Users\Admin\AppData\Local\Temp\3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe
"C:\Users\Admin\AppData\Local\Temp\3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=3b132272fb572796f70c1d34719d2e9e2f9e16f1dc02274716ca62fd705160ab.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HUURYA16.txt
Filesize
603B

MD5
390d504548f64d499c3c67433be39c29

SHA1
159f3c08ba768995654f3655a2ebcf9aec3edbee

SHA256
de8691e033c56aec14a5ade8b17d64bff79f85a82b9183e8bbcdcb7d4781a8f5

SHA512
3ffaf541c2c245ded123761e9a1f05f4165be526ab06b78f1f9cbc7d0c13c119d770653f66888dcfaba2505b80ae749d1dbbc29beb7f6a677b4fecf97ff2b6fb

Download Submit
memory/1480-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/1996-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1996-61-0x000000000040656E-mapping.dmp

Download
memory/1996-64-0x0000000000402000-0x0000000000407000-memory.dmp

Filesize
20KB

Download
memory/1996-63-0x0000000000402000-0x0000000000407000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads