58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da

General

Target

58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
Size

86KB
MD5

027d8cca3d1d316e7196071497500ec0
SHA1

34951925b9ee92fa180e02bd2d5881c3c8e100d6
SHA256

58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da
SHA512

5b54d3a0cbb479ee59e8c2962db051c518fae9740e07162559174efaed2c6cc129e5c00c50591abf242f8500f9e1c241abed40563283df02715ff31d26e7882e
SSDEEP

1536:hrUlDSCPWWum6e6mm/ASwwb5RUUgN6FEseVqmyNgNlq3J65SGIGSV:N8DTOWuhe69/Xwwb5RUUgNKYklgNlqVp

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\msmmsgr = "C:\\Windows\\TEMP\\x\\services.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon = "C:\\Windows\\TEMP\\services.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe

description	pid	process	target process
PID 1096 set thread context of 1216	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5A2F2E81-42A5-11ED-A448-E20468906380} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 003e3b46b2d6d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf0000000002000000000010660000000100002000000060b100b0c9e25245897b282495862e309fe7afd62ab0e81b01fc84de28912ed6000000000e800000000200002000000065036f62e58706ad718ad85c011d45fce5db85309c063fdb56724028c29897ad200000007fd306536c4559348e4edc2c00604a0780eb64aad99a6477667aaf249c817f9440000000d35fda1e8e1ee95eca7bf557b334338faf397d50b7cd3c959cfc733a2512e56ed6d6de3c98c7dff588527a8c2b649df787c8d58411569f0725a0055366523510	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000007c1c77c785c9dba0d12977d766b6ed2bd4cb1398a232a65293ac615118839073000000000e8000000002000020000000a6724eb6bd56d714e82b35f7c6ed39d869540f9348893017a7554575d94bbc0690000000291d233b5dfd11c477c7e213cd2d677699f79280ab88da1c10a5d07b2fc3b1dbf69b512d0c4fff64b773cf5ed3aede95544dd6f3b85d7337914e126a38eb2c5bb09367e70838379e158a48d8836934ad95082d21766ba8064c05410a104d10559289cfa2e6df20bfe2923786863e42cc3a2660de3ffe8f3c01c8caca326e0e2e5b8d3235733d14cb98f5c36a59971077400000009ee6c8b4abd630ffe25cbbd6ff1553dabf2be3cd812a5d69c926abcce080ec9efa1de6131d93292e4087d5455786c0c880a4b5420bc9d0d896219e985d829b7a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371516326"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

1380 reg.exe
628 reg.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

584 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

584 iexplore.exe
584 iexplore.exe
1688 IEXPLORE.EXE
1688 IEXPLORE.EXE
1688 IEXPLORE.EXE
1688 IEXPLORE.EXE

pid	process
1380	reg.exe
628	reg.exe

pid	process
584	iexplore.exe

pid	process
584	iexplore.exe
584	iexplore.exe
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE
1688	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.execmd.execmd.exe58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exeiexplore.exe

description	pid	process	target process
PID 1096 wrote to memory of 1808	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	cmd.exe
PID 1096 wrote to memory of 1808	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	cmd.exe
PID 1096 wrote to memory of 1808	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	cmd.exe
PID 1096 wrote to memory of 1808	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	cmd.exe
PID 1096 wrote to memory of 1548	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	cmd.exe
PID 1096 wrote to memory of 1548	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	cmd.exe
PID 1096 wrote to memory of 1548	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	cmd.exe
PID 1096 wrote to memory of 1548	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	cmd.exe
PID 1096 wrote to memory of 1216	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
PID 1096 wrote to memory of 1216	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
PID 1096 wrote to memory of 1216	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
PID 1096 wrote to memory of 1216	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
PID 1096 wrote to memory of 1216	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
PID 1096 wrote to memory of 1216	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
PID 1096 wrote to memory of 1216	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
PID 1096 wrote to memory of 1216	1096	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
PID 1548 wrote to memory of 1380	1548	cmd.exe	reg.exe
PID 1548 wrote to memory of 1380	1548	cmd.exe	reg.exe
PID 1548 wrote to memory of 1380	1548	cmd.exe	reg.exe
PID 1548 wrote to memory of 1380	1548	cmd.exe	reg.exe
PID 1808 wrote to memory of 628	1808	cmd.exe	reg.exe
PID 1808 wrote to memory of 628	1808	cmd.exe	reg.exe
PID 1808 wrote to memory of 628	1808	cmd.exe	reg.exe
PID 1808 wrote to memory of 628	1808	cmd.exe	reg.exe
PID 1216 wrote to memory of 584	1216	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	iexplore.exe
PID 1216 wrote to memory of 584	1216	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	iexplore.exe
PID 1216 wrote to memory of 584	1216	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	iexplore.exe
PID 1216 wrote to memory of 584	1216	58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe	iexplore.exe
PID 584 wrote to memory of 1688	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1688	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1688	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 1688	584	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
"C:\Users\Admin\AppData\Local\Temp\58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v msmmsgr /t REG_SZ /d "C:\Windows\TEMP\x\services.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v msmmsgr /t REG_SZ /d "C:\Windows\TEMP\x\services.exe" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:628

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ctfmon /t REG_SZ /d "C:\Windows\TEMP\services.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ctfmon /t REG_SZ /d "C:\Windows\TEMP\services.exe" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1380

C:\Users\Admin\AppData\Local\Temp\58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
C:\Users\Admin\AppData\Local\Temp\58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=58ce17682e4d7dd7e3e3937f796543b1504aa58301561ce45962793ded2fb0da.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TPNH1IPY.txt
Filesize
603B

MD5
4f4b0e8be39f3ac45115374058074750

SHA1
97c4bcc8bb967c61f974ae643fe7bc029b9790e5

SHA256
9e265279e032ee3c49824fe09a8e93d260d1eaad2960096d23e1d76795c8de52

SHA512
009dd7f1e9dc8d8adec3bb4e28f7184f780270f9683d2c89a2ef3bb8afc1ae15980a66afef4fd8b44e01f6ea99f47b641a9c063bd77dbb3b41e27754f6bed46d

Download Submit
memory/628-62-0x0000000000000000-mapping.dmp

Download
memory/1216-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1216-57-0x000000000040C50E-mapping.dmp

Download
memory/1216-59-0x0000000000402000-0x000000000040C600-memory.dmp

Filesize
41KB

Download
memory/1216-60-0x0000000000402000-0x000000000040C600-memory.dmp

Filesize
41KB

Download
memory/1216-63-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1380-61-0x0000000000000000-mapping.dmp

Download
memory/1548-55-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads