e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98

General

Target

e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe
Size

1.6MB
MD5

e79441b4ee155de683b050dd9873ceab
SHA1

3e0964893f307e16f42ec40a5f45bb1e5522b991
SHA256

e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98
SHA512

f6444e455cf168fa9a46602764660d01eb88d9f9a4fb98d6c8a4147406ff293fd6348e8aab50c8c508f62b471c5d64985147e41bb4af35d1ff89ad2c35a8f990
SSDEEP

384:1LsxK3F8+KVDWED/+D0YfxGV9SpRk854PmE3BcowRsbQywLT9npzl+1tln5y1kzg:VsgG+nEDOdfk2ps3GFsypMt1uZrV

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

iexplorer.exe

pid process

1312 iexplorer.exe

pid	process
1312	iexplorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Windows\\system32\\iexplorer.exe"	iexplorer.exe

Drops file in System32 directory 2 IoCs

Processes:

e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe

description	ioc	process
File created	C:\Windows\system32\iexplorer.exe	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe
File opened for modification	C:\Windows\system32\iexplorer.exe	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

Processes:

RunDll32.exeRunDll32.exeRunDll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395168194"	RunDll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared = "1"	RunDll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLs	RunDll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	RunDll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	RunDll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared_TIMESTAMP = 20edf4fe29ffd801	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395168194"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	RunDll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iexplorer.exe

description pid process

Token: SeDebugPrivilege 1312 iexplorer.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

RunDll32.exeRunDll32.exeRunDll32.exe

pid process

936 RunDll32.exe
760 RunDll32.exe
664 RunDll32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

iexplorer.exe

pid process

1312 iexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1312	iexplorer.exe

pid	process
936	RunDll32.exe
760	RunDll32.exe
664	RunDll32.exe

pid	process
1312	iexplorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exeRunDll32.exe

description	pid	process	target process
PID 1988 wrote to memory of 760	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	RunDll32.exe
PID 1988 wrote to memory of 760	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	RunDll32.exe
PID 1988 wrote to memory of 760	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	RunDll32.exe
PID 1988 wrote to memory of 936	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	RunDll32.exe
PID 1988 wrote to memory of 936	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	RunDll32.exe
PID 1988 wrote to memory of 936	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	RunDll32.exe
PID 1988 wrote to memory of 664	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	RunDll32.exe
PID 1988 wrote to memory of 664	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	RunDll32.exe
PID 1988 wrote to memory of 664	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	RunDll32.exe
PID 1988 wrote to memory of 1312	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	iexplorer.exe
PID 1988 wrote to memory of 1312	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	iexplorer.exe
PID 1988 wrote to memory of 1312	1988	e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe	iexplorer.exe
PID 936 wrote to memory of 1396	936	RunDll32.exe	iexplore.exe
PID 936 wrote to memory of 1396	936	RunDll32.exe	iexplore.exe
PID 936 wrote to memory of 1396	936	RunDll32.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe
"C:\Users\Admin\AppData\Local\Temp\e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\RunDll32.exe
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:760

C:\Windows\system32\RunDll32.exe
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 1
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -ResetDestinationList
3⤵
PID:1396

C:\Windows\system32\RunDll32.exe
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:664

C:\Windows\system32\iexplorer.exe
"C:\Windows\system32\iexplorer.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\iexplorer.exe

Filesize
1.6MB

MD5
e79441b4ee155de683b050dd9873ceab

SHA1
3e0964893f307e16f42ec40a5f45bb1e5522b991

SHA256
e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98

SHA512
f6444e455cf168fa9a46602764660d01eb88d9f9a4fb98d6c8a4147406ff293fd6348e8aab50c8c508f62b471c5d64985147e41bb4af35d1ff89ad2c35a8f990

Download Submit
C:\Windows\system32\iexplorer.exe

Filesize
1.6MB

MD5
e79441b4ee155de683b050dd9873ceab

SHA1
3e0964893f307e16f42ec40a5f45bb1e5522b991

SHA256
e75ce0629d45514cdf6ac63e05dc1df8855ca057e2e2903a6067cbbc9ac14b98

SHA512
f6444e455cf168fa9a46602764660d01eb88d9f9a4fb98d6c8a4147406ff293fd6348e8aab50c8c508f62b471c5d64985147e41bb4af35d1ff89ad2c35a8f990

Download Submit
memory/664-60-0x0000000000000000-mapping.dmp

Download
memory/760-56-0x0000000000000000-mapping.dmp

Download
memory/760-57-0x000007FEFC451000-0x000007FEFC453000-memory.dmp

Filesize
8KB

Download
memory/936-58-0x0000000000000000-mapping.dmp

Download
memory/1312-63-0x0000000000000000-mapping.dmp

Download
memory/1312-66-0x000007FEF40D0000-0x000007FEF4AF3000-memory.dmp

Filesize
10.1MB

Download
memory/1312-67-0x000007FEF3030000-0x000007FEF40C6000-memory.dmp

Filesize
16.6MB

Download
memory/1988-54-0x000007FEF40D0000-0x000007FEF4AF3000-memory.dmp

Filesize
10.1MB

Download
memory/1988-55-0x000007FEF3030000-0x000007FEF40C6000-memory.dmp

Filesize
16.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads