da8109eb58a182a0491621e5bdd3aa5b6101e6bf1026c5aabb055b375acd7227

General

Target

da8109eb58a182a0491621e5bdd3aa5b6101e6bf1026c5aabb055b375acd7227.exe
Size

439KB
MD5

41059f0a4eb885f6c0a27734b3462fcf
SHA1

e4c580beff560acb3e45220de2d9d1b2668f1ae4
SHA256

da8109eb58a182a0491621e5bdd3aa5b6101e6bf1026c5aabb055b375acd7227
SHA512

34b44fa1dd6612223463f591d4d42da4c7e9d279f4e49ef8b01e377a2ee319eaba80b9141f820c10e8ef3e78f2c3352db3d16fe4bbfb14511b67946d55913abc
SSDEEP

6144:Dt+pZpwyFb9yxQCPl/cWxYvNZew7n2/vS8avVoRnXCcJHt17FRqDO4GZLAl:DApZvFb9ULVwK/aLVoRtn1zqy4ULm

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375979304"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000ef379398cd601b5df3ef5160d005aa16f66f01e6b8fed612c6863facf978925a000000000e80000000020000200000005178f282c74b7d34f34bc377f6c0239b82effe249b15ef6429e307587aca84f9900000007e6ef4678d2d07f9b6cf3a48cd5785f9d22d9ea7c08e5d49872aab2a7e095b366e4ff2ca80a8e14afbe08b95fc81ba60dfdef1d573cbf2cbeef37f9912125a049c754e66b41908b0a0ace3949fea64a3810add4d184f0ad08a7f4f4735bc7ad2ea11f2211cf9173644646f4eb1efdb1d5d5a0e4f091c8319ee804d6e1877ce5e489a9b3f7b6bc81abb86e388542335cf40000000cf359f97fa52b449745ccb5aab80149eac4d3266b455c34c172cf9a61978970a0e13eb5aa5848c1c6e9f7c4589e9fdb13d69753bbdd784982570c2f1f5cde335	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{83345481-6B3C-11ED-BA2E-6662AD81E03A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000b46817a70d8e380cc2fceef1e5c8004bd2d1be047cc0578fd7d695b6981b1975000000000e8000000002000020000000a8fdba0a7b57aa3c3b88dc88ce758b0248a5a174e5e80cb5ad9a77e97c7a0a2520000000e2e637c5273f62793ad142c0901b9c0bec16d73bb06676d3838c6cb6e7713504400000007bcec48b4e83fd3a5e3223ec330b6680d7a08631b215396a4318a033a9ed01f8319cce54e65001b92ec6379a6622f8acee032ac97b248028118f8b15c1ddaac4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0d17d7e49ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1324 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1324 iexplore.exe
1324 iexplore.exe
1716 IEXPLORE.EXE
1716 IEXPLORE.EXE
1716 IEXPLORE.EXE
1716 IEXPLORE.EXE

pid	process
1324	iexplore.exe

pid	process
1324	iexplore.exe
1324	iexplore.exe
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

da8109eb58a182a0491621e5bdd3aa5b6101e6bf1026c5aabb055b375acd7227.exeiexplore.exe

description	pid	process	target process
PID 1232 wrote to memory of 1324	1232	da8109eb58a182a0491621e5bdd3aa5b6101e6bf1026c5aabb055b375acd7227.exe	iexplore.exe
PID 1232 wrote to memory of 1324	1232	da8109eb58a182a0491621e5bdd3aa5b6101e6bf1026c5aabb055b375acd7227.exe	iexplore.exe
PID 1232 wrote to memory of 1324	1232	da8109eb58a182a0491621e5bdd3aa5b6101e6bf1026c5aabb055b375acd7227.exe	iexplore.exe
PID 1232 wrote to memory of 1324	1232	da8109eb58a182a0491621e5bdd3aa5b6101e6bf1026c5aabb055b375acd7227.exe	iexplore.exe
PID 1324 wrote to memory of 1716	1324	iexplore.exe	IEXPLORE.EXE
PID 1324 wrote to memory of 1716	1324	iexplore.exe	IEXPLORE.EXE
PID 1324 wrote to memory of 1716	1324	iexplore.exe	IEXPLORE.EXE
PID 1324 wrote to memory of 1716	1324	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\da8109eb58a182a0491621e5bdd3aa5b6101e6bf1026c5aabb055b375acd7227.exe
"C:\Users\Admin\AppData\Local\Temp\da8109eb58a182a0491621e5bdd3aa5b6101e6bf1026c5aabb055b375acd7227.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://bd.svwpj.com/install.asp
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1324

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VH9WANY5.txt

Filesize
608B

MD5
26ce8be712f2c467ed7dae3bcc0fee93

SHA1
eedfa5b05cc5b2ba845ba2d664bf23bf58f245e4

SHA256
33b9c147b8aa7eda1b0c3d0377b4b4024d2fa2a42ac5f79e1f9277d19af81a81

SHA512
a4ae3ec8afaa27320f43e4314f7568f574c0ebc8c3249fc550b1c1725392fa31ded889e4cdd1363bb7a65bba65df16255691f2a95b6aaca3c63fea88c312f46a

Download Submit
memory/1232-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing