10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3

Analysis

max time kernel
106s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
Size

156KB
MD5

51c310181e3fed26d58655bd3cf171c0
SHA1

c2d050a868da1143e3627c81c41a1ba5420645d9
SHA256

10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3
SHA512

391d43e4477ca907c7af228f48f5021b16d70551e2e87f303edd74b7f853608fb4641d6fc4ba8027b43bf63554af872641333c17a33efcb841d36354946ca74b
SSDEEP

3072:O6M0dATPzlXJjHL/F9BRqKY5ntwexnLEHCGv:OMEzlZjHL/F9B0KY5ntP1EHtv

Score

8^/10

evasion

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 2 IoCs

pid	Process
3216	IEXPLORE.EXE
3216	IEXPLORE.EXE

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\xpsp11res.dll	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
File created	C:\Program Files (x86)\Common Files\xpsp11tdi.sys	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
File created	C:\Program Files (x86)\Common Files\xpsp11reg.sys	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
File created	C:\Program Files (x86)\Common Files\xp11update.exe	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
File opened for modification	C:\Program Files (x86)\Common Files\xp11update.exe	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3028	sc.exe
3872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993432"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3608319505"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373869386"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3602536520"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993432"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993432"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{023B588D-580C-11ED-A0EE-E6C35CACCF0B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3602536520"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4468	IEXPLORE.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4468	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
4468	IEXPLORE.EXE
4468	IEXPLORE.EXE
3216	IEXPLORE.EXE
3216	IEXPLORE.EXE
1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
3216	IEXPLORE.EXE
3216	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3028	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe	84
PID 1496 wrote to memory of 3028	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe	84
PID 1496 wrote to memory of 3028	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe	84
PID 1496 wrote to memory of 3872	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe	85
PID 1496 wrote to memory of 3872	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe	85
PID 1496 wrote to memory of 3872	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe	85
PID 1496 wrote to memory of 2020	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe	88
PID 1496 wrote to memory of 2020	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe	88
PID 1496 wrote to memory of 2020	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe	88
PID 2020 wrote to memory of 4468	2020	IEXPLORE.EXE	89
PID 2020 wrote to memory of 4468	2020	IEXPLORE.EXE	89
PID 4468 wrote to memory of 3216	4468	IEXPLORE.EXE	90
PID 4468 wrote to memory of 3216	4468	IEXPLORE.EXE	90
PID 4468 wrote to memory of 3216	4468	IEXPLORE.EXE	90
PID 1496 wrote to memory of 3216	1496	10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe	90

C:\Users\Admin\AppData\Local\Temp\10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe
"C:\Users\Admin\AppData\Local\Temp\10293781bfa499552dffa54967f919aa9cbc9b308c1f8ac497c451c84278eda3.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\SysWOW64\sc.exe
  sc.exe stop KWatchSvc
  2⤵
  - Launches sc.exe
  PID:3028
- C:\Windows\SysWOW64\sc.exe
  sc.exe delete KWatchSvc
  2⤵
  - Launches sc.exe
  PID:3872
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4468 CREDAT:17410 /prefetch:2
      4⤵
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\xpsp11res.dll

Filesize
64KB

MD5
2525aaa5235d0162c375cc9d6e913d4b

SHA1
e3c0ebcd75bd28611e7cfe5928fb1288d256d07f

SHA256
28318f923a63c8c609f2fc2ff8f9926325503e8db33768b20d397d91d45f99de

SHA512
51a4a3c379f8ee6bf43126b1535ea1846f23acd891724a0729df678f8487edbb7ef8108b6c6b1ba7bccf563c57be1a5e5cf71d2ced0fd2e2cb70192cafcb518a

Download Submit
C:\Program Files (x86)\Common Files\xpsp11res.dll

Filesize
64KB

MD5
2525aaa5235d0162c375cc9d6e913d4b

SHA1
e3c0ebcd75bd28611e7cfe5928fb1288d256d07f

SHA256
28318f923a63c8c609f2fc2ff8f9926325503e8db33768b20d397d91d45f99de

SHA512
51a4a3c379f8ee6bf43126b1535ea1846f23acd891724a0729df678f8487edbb7ef8108b6c6b1ba7bccf563c57be1a5e5cf71d2ced0fd2e2cb70192cafcb518a

Download Submit
C:\Program Files (x86)\Common Files\xpsp11res.dll

Filesize
64KB

MD5
2525aaa5235d0162c375cc9d6e913d4b

SHA1
e3c0ebcd75bd28611e7cfe5928fb1288d256d07f

SHA256
28318f923a63c8c609f2fc2ff8f9926325503e8db33768b20d397d91d45f99de

SHA512
51a4a3c379f8ee6bf43126b1535ea1846f23acd891724a0729df678f8487edbb7ef8108b6c6b1ba7bccf563c57be1a5e5cf71d2ced0fd2e2cb70192cafcb518a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a66314123c8c72372bcb8583a5400a95

SHA1
fc3e45060463c37775da0bd4a8920296d222753d

SHA256
657c92d95798fc5dad4272f3d6d71776737ac0bcdce4ac6864ca5532f2ccf34d

SHA512
d9f5c243b04d7b3fbbcb37c68c583db672390644500cfa4d58280048d9fde52c668fd67e84ecd6ace20b2813eefb756627adbd04a6f19719f6e907aa3fffe4f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
e9a16d2dbae64cc02d946a8201440412

SHA1
44ac20905cfa045230a2ad0af9cd254dcde6c537

SHA256
635094ac4ea4e9c1f5d39dcb5d72cba212912316b7882a6645ea441f6c8e5ba0

SHA512
971fce15180d08adc56a0002f60d10e13fc49e39ca1b17747b0e25e02853bc1445779b19b387b4ecba9c61289a7375b7c44254c8e5fccb0b433efd0863676fab

Download Submit