eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf

General

Target

eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf.exe
Size

44KB
MD5

0a376abb3320642841e1e930c782b823
SHA1

da9ab9dc83b0871e3f0927a2160f3e1a9f0fe0d7
SHA256

eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf
SHA512

423d9f20372dbe5f4ff0a79614743da4f6171cb3a8a45895ac4ed6128fde13e0abd82fec094f18d096df049549e56008ee0e406f1c2b59be09f511e7e68c8c85
SSDEEP

384:DKUMFZnXUq8vagN7aCY8CtBcelBcowX0SeCXZ1ocHzoMPnMWmLrEeBodtXx/hGsF:DMFZkq8C/uZ1G/E+StXxkdzZBZTnKB

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000c19b05de0fbbae7cbadadf39da0973f5844e394c6e61a0f7e67b18651797d2e2000000000e8000000002000020000000ebe4c0546de460d07ec63ee9d6e99b57a596e1dd160122cd4d140827cddf2ba5200000006d99389e31a7161ba9f4bb735c204bea9cd7c31fa8f2fa9e40cedc029329af4340000000d4468c9d1d49d3702c9d126d9f8b990d9aa6c911805dd0e64a1c6287b3ff9063ec7af89118427346cc4bf6a1057a98fb566199d27d32e87c014be6c3f9fb6923	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0d2f2e428d8d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000763b279846afe05317cefb042f5b6bff4549d463714666515b70877b3b52b60a000000000e80000000020000200000006adb189259cf7834ae3313a75fed00d6226a20986a79850428f8966fa6938c4b90000000d0fa925b2ddb203ef91015defeaad695c944621c3c41b2cddff7828b8b4328ee66082a59953f252545a56cfac7d068f8f97553ea742cce218d2b973377c5d85c77461c1e2b2ee3a179fd710e062027684213d3b4795544e969f586635b635efc7bedf9a29d632af9c0ede8237e384d30fb3fddcad2eb7e98f73eac98c7a34fc868c034c8fd8ff8b4d1a5c749b65d85b6400000002fa01110d6f2c524467b296544601413333ba7aa87a57b9b88b642ad51fcf2f68a4f335600dcf52108ca1181e502e8110f0854e260a8eb1fb4ae4d2a5e9c4fe5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371677244"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{03AD9CE1-441C-11ED-8B83-6A6CB2F85B9F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2020 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2020 iexplore.exe
2020 iexplore.exe
612 IEXPLORE.EXE
612 IEXPLORE.EXE
612 IEXPLORE.EXE
612 IEXPLORE.EXE

pid	process
2020	iexplore.exe

pid	process
2020	iexplore.exe
2020	iexplore.exe
612	IEXPLORE.EXE
612	IEXPLORE.EXE
612	IEXPLORE.EXE
612	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf.exeiexplore.exe

description	pid	process	target process
PID 1752 wrote to memory of 2020	1752	eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf.exe	iexplore.exe
PID 1752 wrote to memory of 2020	1752	eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf.exe	iexplore.exe
PID 1752 wrote to memory of 2020	1752	eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf.exe	iexplore.exe
PID 1752 wrote to memory of 2020	1752	eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf.exe	iexplore.exe
PID 2020 wrote to memory of 612	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 612	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 612	2020	iexplore.exe	IEXPLORE.EXE
PID 2020 wrote to memory of 612	2020	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf.exe
"C:\Users\Admin\AppData\Local\Temp\eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=eb12b3e0e80061ae8cc6cccb048b505dc95e8709f6d6a23f86f7d33d6ec3fbdf.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TNL0WTO8.txt
Filesize
606B

MD5
04eebe63bb49c6abe31d5b85f9c4cb9b

SHA1
4bd959b627d4ef4c7e916bff7e9496be34dab4dc

SHA256
5b16fb2447a502ac62f3570c01f9954c281089d536556f342288173c427e75dc

SHA512
7bdbeb78e598f21d4b7028d61926a9bf9a6ef91cb083ad2926c46acb87c8c2aab66c255e19d1d1576bd5470104a5af6e397346b98df74b7322b229951be4cf6d

Download Submit
memory/1752-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing