203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79

Analysis

max time kernel
151s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
Size

48KB
MD5

0cfd7b9daaeeccf65756bd2a5a383bb0
SHA1

fbb15fe5852c30f3f2c89cd298d1318aa818290b
SHA256

203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79
SHA512

daf9423aab383a8fc4fbc7732802c45a00f557b92d6014f9197349e8a57d5001f8a9423380826766d000265c59000a51c41b1ad1896563394b660d6a63e3f61a
SSDEEP

768:hMTLFoLgpF2jD6JNDVUG93jMyPIGjAHlC5GtE:h6Z/pk+cGtjP5OsAa

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\_Hazafibb = "C:\\Windows\\system32\\zzqdcuig.exe"	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\begqkkoz.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\emqbrywy.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\uuinydgd.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\ivgfvieg.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\xtmwmppe.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\zzqdcuig.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\eeaosdlq.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\kpenexqw.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\ieiyvpxb.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\ewkhdfrv.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\zzqdcuig.exe	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Windows\SysWOW64\gpuousep.dll	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\winamp 7.0 full_install.exe	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\winamp 7.0 full_install.exe	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\aliexpress.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000088b28487f2811ba3b7634ac5be2b27c93ee653944f13a4e9c4c14d05e2ad5149000000000e800000000200002000000058a3e3bf12eca5474b1899122517ffefd546d7d0ba1da449bc6ae4925489997b90000000617d7e34bc23fde8ef8a683f8888ded1468dc8f90ac19573f1c444a98b6e0d301cdc1d87025db6ecc0115334c74de249285ceb8a0ec511d22cef0b98944286ea54bae5cde140ae260efdbcd57f417d3645f579c16236af1b2dc4a123c593db357b95b5c37c75213e903514ad0a767990deaa8438186110de3aad5d8fce73f719f6c29909f7bc58296f590c0bcf8c45f140000000aaa3e57e9cb0547753f7de6865b3d98d6e688d264e7ab213c202eae275f47013dd62d2624e0ad4d85d4e49d48e7c375f681557468b6553808373dd99f11d6d97	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\aliexpress.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB4C3561-5F3A-11ED-A923-6651945CA213} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000086c063dd93f29fb7aa0a8d9d667a453cc93f25e15164179b52c50f524e950d37000000000e800000000200002000000017b04e45092ab6d1394ec88c6f3150d2b58c5d107a313c58952b28bb134c501e2000000046e6e6199883727ab66ef006c77c42dd9932b292e42a6dccc0b03f750c3f3009400000000048c76cac7404a31fde3429de2895e9af7616a62ea1c2130f0c97ccdb2e1baad7f5599a88788a18e7bab99234c15d91d21c7132691d40e05123b01b9aa17236	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0a520c847f3d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374659172"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1972	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1972	iexplore.exe
1972	iexplore.exe
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1972	1992	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe	26
PID 1992 wrote to memory of 1972	1992	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe	26
PID 1992 wrote to memory of 1972	1992	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe	26
PID 1992 wrote to memory of 1972	1992	203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe	26
PID 1972 wrote to memory of 1500	1972	iexplore.exe	28
PID 1972 wrote to memory of 1500	1972	iexplore.exe	28
PID 1972 wrote to memory of 1500	1972	iexplore.exe	28
PID 1972 wrote to memory of 1500	1972	iexplore.exe	28

C:\Users\Admin\AppData\Local\Temp\203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe
"C:\Users\Admin\AppData\Local\Temp\203d55a92361ef7d5092e8e2c7b46990c91acdc06f975f3185cd762eefb66a79.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://login.aliexpress.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
4a0db3880bd46dd2ca4a83364e6ce27d

SHA1
ce726e966b0ff0e07b34c632764aa3ac50c14470

SHA256
323b96524c9abfbed448f22a500694272846ef51f6f023d38e5848bcdcb20725

SHA512
112e6f5a673b7b1bc0e1a2eb5b08457c5fa5c593a02e1e4f97058f596cdb9f2f621a38ecdbaf674339233b380112529d8d6c597b3c4f4a945ec3788b5106a3f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X53KPJUS.txt

Filesize
598B

MD5
d3e8a298bd3a4cbb5e7be6bc9a715502

SHA1
22aa858ac4bb19d689171725c586bd7a4e4e31de

SHA256
36ddf2f0905246bcfbaa9e562af1b0a4cff25c4d53027acb265bc40b071f2ad9

SHA512
8b6329d58cb9b9ed279e7abafec8c244a1cd5fc9f52262f2ab8d398fa835f1080c1a835133c34e0d0f405910a2b7789283b3223d78869bc42e0e5eba6697a046

Download Submit
memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1992-55-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1992-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads