161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040

Analysis

max time kernel
126s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 16:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
Size

500KB
MD5

20fcd20ba9253694dab1577768ac6ca0
SHA1

82ea97856877ba57bcadbe57ff1fde169925fc1e
SHA256

161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040
SHA512

80e6f5a18d56e981ad135025d882588cc6b7e5323ecbf17d05b73dd53abac3e624a8e3c9134b212e0b9f28481b5a4f620962513de17e7cdc3dd4097c33c64019
SSDEEP

6144:lw2EI9rdJKZGvwMegUDPU7cIj2ex+2LQKHK:lwkPx+2L

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EE5EE4B1-49C6-11ED-BF27-66397CAA4A34} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00cff8ced3ddd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf0000000002000000000010660000000100002000000034fab08838e2d751b6f9cc10bedb8f2149d5a7190737929ef95de48f709a459e000000000e8000000002000020000000ae0ef5a0a9d89c12f9fe04a2425aa0be3c6a48698a2d6981b88ff0b0133c951620000000b5d539b5602cc6010da668fc1e9170e18922d8a0f89f91096c525c8be63311bb4000000077c9504200a4d73927da75273850272b8ea544509ad0225d50d944189eb7e711a88f2bc7f0003c2bf7e435ef9cee0b37980ce0052fd4dca57ce3d0c260313a6e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf000000000200000000001066000000010000200000002e79cd8400f9ab0344a3455eb01db6bc9298f6f90002272e312d50372310ee3e000000000e8000000002000020000000ecf4e2c90ede93b6684c78fd285674338be04dc3c88b22719faa87e08065a9cb90000000ad35ad5e6921ef3c2e365fbfc078b2a99e33f42338d853085537afc75e5bad681a9b88f37afe09c166d2ee61aefdee1ea3a8f3fede62baa1ba65a470539aa1f99ba6f904dac09e0f8fb88d0c70acaf3e7676e507457941ce6136d7503571a6a2810cc1815eece35b5bf3d6d001498f3b693469ffef946cc568b160afc369088c86da7bb115b12917987256b6d48729eb40000000ed39b5d626c97efc2aab45b6e4bfd0267500c107d9a0ee12d0a20dc99f1c3061bff15a2dd67a2ff6a461d0a3f8b63ddcfccf9cd138c4b0486cc6757236abe514	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372300410"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1720	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
1720	iexplore.exe
1720	iexplore.exe
328	IEXPLORE.EXE
328	IEXPLORE.EXE
328	IEXPLORE.EXE
328	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1720	1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe	28
PID 1992 wrote to memory of 1720	1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe	28
PID 1992 wrote to memory of 1720	1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe	28
PID 1992 wrote to memory of 1720	1992	161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe	28
PID 1720 wrote to memory of 328	1720	iexplore.exe	30
PID 1720 wrote to memory of 328	1720	iexplore.exe	30
PID 1720 wrote to memory of 328	1720	iexplore.exe	30
PID 1720 wrote to memory of 328	1720	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe
"C:\Users\Admin\AppData\Local\Temp\161f43d1be9396c84ba47654921864272015cbb9807786a5b6a3e6a194051040.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=xIxBiVwDdxE&feature=player_embedded
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
1f68285a82a4c312f4a7a48b0fb2b4ba

SHA1
47e29a96d417b57c51269cfdedf860047fa71f31

SHA256
471a078b0a154fd0c3cca268ce5d46cc1d19d946e584c37f1c147a63312e07d4

SHA512
34d6221afe595e7c194fa783ee5958ec5db315cbc663631185e659a266ab0662639117a6df7b4067e95e1cde0c82eb11f5e784dc4fb0df38fea2f39a8087b211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
5KB

MD5
c11d636831f13f2ef3e26ecede81c510

SHA1
4f985a5c3f91edfb367992fb03d3f254f22388e8

SHA256
624728084a50e416e8c1436aad37d8c87bf47349b3ac84e5ec6f3f43f89528e7

SHA512
a2d35a41b4ae7e119415f45bb191ee8162d3f4714ba90ce743cd8bedda2c38de27c83d8b85dfe21ae5ce480b5d94179458341f6b2f700b928d021b5b7f87e100

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UE8R8351.txt

Filesize
608B

MD5
43988d4241f8412b592a0afc5033c95a

SHA1
5f3d94bf127832b6188a268cd77b03ad73e2d5e2

SHA256
46617cecd0127c54a1fcf0c8a99ebb23c4494b590872a5480e3eac39ad1c5294

SHA512
7dbecfb08cddb22f6998eff03584652e08a6fc2aade3ee7e71ba989b6795662bf4edf72e3e964798325d5063e4f3f9beaae5ff90932eac3b0ce2f295fb63c2ae

Download Submit
memory/1992-56-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1992-57-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1992-58-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download