11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8

General

Target

11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
Size

31KB
MD5

5917fd985744f864f7fc02892ced4e60
SHA1

c2077be8cbf1a790bb87db9c4c4f81819c8a5a35
SHA256

11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8
SHA512

e45b8cfd315dffd3ba9a185200f423e32e471cb84cf26e460157cae0709478d2028dbc701ebbbe405d5782da583b75c4a14fa329cb9e26eed29a68ea7a2d6828
SSDEEP

384:iPX0UBPAAGNDX+Mk4964fpbB0s6Ahkzq8fWWWDE8vQWapUUpe2p8sG0:ivPoiMkJ4j0Chkr6vUVOsr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

pid process

1752 11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1936 cmd.exe

pid	process
1752	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

pid	process
1936	cmd.exe

Drops file in System32 directory 64 IoCs

Processes:

iexplore.exeie4uinit.exe11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\HFDA874O.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\imagestore\p46mcwq\imagestore.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F3B90C03-6BA5-11ED-A5BF-5242C1400D5F}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5E7VHK06.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\8S9JDT2O.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File created	C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url\:favicon:$DATA	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5E7VHK06.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\DKZT4ULP.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\8S9JDT2O.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\9I6B9IW9.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F3B90C01-6BA5-11ED-A5BF-5242C1400D5F}.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F3B90C01-6BA5-11ED-A5BF-5242C1400D5F}.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\HFDA874O.txt	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\imagestore\p46mcwq\imagestore.dat	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\9I6B9IW9.txt	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\suggestions[1].en-US	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\7D1G8YKF.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\X0ENUDWD.txt	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\DKZT4ULP.txt	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File created	C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\X0ENUDWD.txt	iexplore.exe
File created	C:\Windows\SysWOW64\mssvc32.dll	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\7D1G8YKF.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\TMOXYKO4.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\XK2Y7WGK.txt	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url:favicon	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\TMOXYKO4.txt	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\mndex.ini	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEie4uinit.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E40D6DCF-AA0D-4639-B6A3-557E0A95356A}\0a-73-e8-57-79-14	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E40D6DCF-AA0D-4639-B6A3-557E0A95356A}\WpadDecisionTime = e05b6cbbb2ffd801	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-73-e8-57-79-14\WpadDecisionTime = e05b6cbbb2ffd801	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = 40767db7b2ffd801	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 002e6fb7b2ffd801	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-73-e8-57-79-14\WpadDecisionReason = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-73-e8-57-79-14	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

pid	process
1464	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
1464	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
1464	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
1464	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
1752	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

description pid process

Token: SeIncBasePriorityPrivilege 1464 11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

iexplore.exe

pid process

1100 iexplore.exe
1100 iexplore.exe
1100 iexplore.exe
1100 iexplore.exe
1100 iexplore.exe
1100 iexplore.exe
1100 iexplore.exe
1100 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1100 iexplore.exe
1100 iexplore.exe
436 IEXPLORE.EXE
436 IEXPLORE.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	1464	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

pid	process
1100	iexplore.exe
1100	iexplore.exe
1100	iexplore.exe
1100	iexplore.exe
1100	iexplore.exe
1100	iexplore.exe
1100	iexplore.exe
1100	iexplore.exe

pid	process
1100	iexplore.exe
1100	iexplore.exe
436	IEXPLORE.EXE
436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exeiexplore.exe

description	pid	process	target process
PID 1464 wrote to memory of 1936	1464	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	cmd.exe
PID 1464 wrote to memory of 1936	1464	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	cmd.exe
PID 1464 wrote to memory of 1936	1464	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	cmd.exe
PID 1464 wrote to memory of 1936	1464	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	cmd.exe
PID 1752 wrote to memory of 1100	1752	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	iexplore.exe
PID 1752 wrote to memory of 1100	1752	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	iexplore.exe
PID 1752 wrote to memory of 1100	1752	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	iexplore.exe
PID 1752 wrote to memory of 1100	1752	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	iexplore.exe
PID 1752 wrote to memory of 1100	1752	11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe	iexplore.exe
PID 1100 wrote to memory of 1180	1100	iexplore.exe	ie4uinit.exe
PID 1100 wrote to memory of 1180	1100	iexplore.exe	ie4uinit.exe
PID 1100 wrote to memory of 1180	1100	iexplore.exe	ie4uinit.exe
PID 1100 wrote to memory of 436	1100	iexplore.exe	IEXPLORE.EXE
PID 1100 wrote to memory of 436	1100	iexplore.exe	IEXPLORE.EXE
PID 1100 wrote to memory of 436	1100	iexplore.exe	IEXPLORE.EXE
PID 1100 wrote to memory of 436	1100	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
"C:\Users\Admin\AppData\Local\Temp\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11FA6A~1.EXE > nul
2⤵
- Deletes itself
PID:1936

C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1180

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1100 CREDAT:275457 /prefetch:2
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8.exe

Filesize
31KB

MD5
5917fd985744f864f7fc02892ced4e60

SHA1
c2077be8cbf1a790bb87db9c4c4f81819c8a5a35

SHA256
11fa6ab6bf8421364e2f531c25cdf7ecf8266f9a5c19afcb0567e74d851bcbc8

SHA512
e45b8cfd315dffd3ba9a185200f423e32e471cb84cf26e460157cae0709478d2028dbc701ebbbe405d5782da583b75c4a14fa329cb9e26eed29a68ea7a2d6828

Download Submit
memory/1180-61-0x0000000000000000-mapping.dmp

Download
memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1464-58-0x0000000000400000-0x000000000040C016-memory.dmp

Filesize
48KB

Download
memory/1752-59-0x0000000000400000-0x000000000040C016-memory.dmp

Filesize
48KB

Download
memory/1752-60-0x0000000000400000-0x000000000040C016-memory.dmp

Filesize
48KB

Download
memory/1936-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads