Analysis
-
max time kernel
187s -
max time network
195s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
23-11-2022 11:05
General
-
Target
4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe
-
Size
106KB
-
MD5
04dc85e18f440a5b0357e8a36eb5c281
-
SHA1
932d9dbe76cdc980f3ee7c5e345526f89a47af4f
-
SHA256
4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050
-
SHA512
11f8036c4fa9286d3c02c28569bc163bb60f5440dd2b87f4a57dcae6d04c92138ba417626f991e614807d0aa14f70ac44028765f0b34f502f19fa27240f6f4da
-
SSDEEP
3072:xZMJnTeM4cJJ+dILa77j2NZmOSyt+DDMuzWtVhUxxe:/eTeM/mILI8Z2yQ/MGWcxg
Malware Config
Signatures
-
Loads dropped DLL 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SetWindowsHookEx 52 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe"C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.bestdfg.info:251/?t=1123&i=ie&8383cb5a51f4672ae32da63c639759c8a85363ae=8383cb5a51f4672ae32da63c639759c8a85363ae&uu=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.bestdfg.info:251/?t=1123&i=ie&8383cb5a51f4672ae32da63c639759c8a85363ae=8383cb5a51f4672ae32da63c639759c8a85363ae&uu=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:24⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:799752 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:865299 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:472095 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:3683350 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:3486758 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:4142111 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:275457 /prefetch:24⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae2⤵
-
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=1123&ur=C:\Users\Admin\AppData\Local\Temp\4610de1c764c7f93dd3545e866af356c0a1752d82fa574440360464066600050&8383cb5a51f4672ae32da63c639759c8a85363ae3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{84F248B1-6B2B-11ED-B422-767CA9D977BF}.datFilesize
6KB
MD5407c20708c22bbd532e5084bb9b6a48a
SHA143d975187d2d4ee7d6848c46874ed6140641f9e0
SHA256b8cf970c3bde802a96fe7b15e845bccbee07c0317bd471819164f1428aee29f5
SHA512172f11bbd6d076d06fcb75234e403ab05579a8723de39c359e01266956190e0fd1003d700d47ee87ddee77580c8faa4f8aa4b0de597ced3a789811e49a4fe337
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3JRWEQPR.txtFilesize
608B
MD56862873d82a557bb4d2667a9b40be81d
SHA11f0d740f4e2f758a5db06bcaf3a5536c5ead18dd
SHA256b9fc9a9f3ed53004c9bc75ee37e3af9b5e380553738a21049ac9cd22a3be9e91
SHA5121bc55e40884a475e1ce955ae4236ab8c2194459f4d44d8c521b6b988a64f4a7c849480d2d1d51178ecd5a4e4d2bff95a260da44f995f1a5a0dc38a32a0df2137
-
\Users\Admin\AppData\Local\Temp\nstA150.tmp\InetLoad.dllFilesize
18KB
MD5994669c5737b25c26642c94180e92fa2
SHA1d8a1836914a446b0e06881ce1be8631554adafde
SHA256bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563
-
\Users\Admin\AppData\Local\Temp\nstA150.tmp\InetLoad.dllFilesize
18KB
MD5994669c5737b25c26642c94180e92fa2
SHA1d8a1836914a446b0e06881ce1be8631554adafde
SHA256bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563
-
\Users\Admin\AppData\Local\Temp\nstA150.tmp\InetLoad.dllFilesize
18KB
MD5994669c5737b25c26642c94180e92fa2
SHA1d8a1836914a446b0e06881ce1be8631554adafde
SHA256bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563
-
\Users\Admin\AppData\Local\Temp\nstA150.tmp\InetLoad.dllFilesize
18KB
MD5994669c5737b25c26642c94180e92fa2
SHA1d8a1836914a446b0e06881ce1be8631554adafde
SHA256bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563
-
\Users\Admin\AppData\Local\Temp\nstA150.tmp\Math.dllFilesize
66KB
MD59eb6cecdd0df9fe32027fcdb51c625af
SHA152b5b054ff6e7325c3087822901ea2f2c4f9572a
SHA25654cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560
SHA512864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a
-
\Users\Admin\AppData\Local\Temp\nstA150.tmp\System.dllFilesize
11KB
MD500a0194c20ee912257df53bfe258ee4a
SHA1d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA5123b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
-
\Users\Admin\AppData\Local\Temp\nstA150.tmp\inetc.dllFilesize
20KB
MD550fdadda3e993688401f6f1108fabdb4
SHA104a9ae55d0fb726be49809582cea41d75bf22a9a
SHA2566d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6
SHA512e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8
-
\Users\Admin\AppData\Local\Temp\nstA150.tmp\inetc.dllFilesize
20KB
MD550fdadda3e993688401f6f1108fabdb4
SHA104a9ae55d0fb726be49809582cea41d75bf22a9a
SHA2566d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6
SHA512e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8
-
\Users\Admin\AppData\Local\Temp\nstA150.tmp\time.dllFilesize
10KB
MD538977533750fe69979b2c2ac801f96e6
SHA174643c30cda909e649722ed0c7f267903558e92a
SHA256b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53
-
memory/1656-54-0x0000000076221000-0x0000000076223000-memory.dmpFilesize
8KB
-
memory/1656-57-0x00000000002C0000-0x00000000002DA000-memory.dmpFilesize
104KB