d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9

General

Target

d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exe
Size

487KB
MD5

0561ad8f2a44ef0904875ff858c5f4cb
SHA1

a29102191f2c4e8a77633b42cf9c5489bd30bc5b
SHA256

d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9
SHA512

9718d958291243843c438ab0e201099d61fe4c8dbc2faf8b16a0b0b8ae131955b164c38fb42bdc76cb70aac72b6ccdb4df1a078bba12607e25684e17df590108
SSDEEP

12288:gUomEFRu3xEPENgjj9QvtkvCTl12PmZZO:AmOMSPEN7i6+OZO

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b07ac92f66ffd801	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009c86c569b3c69b44b257af8cc8df7333000000000200000000001066000000010000200000006343ea213c2b5307d921c3793e991971cd97e3f90e9baa36736ab3d71a7ef7db000000000e8000000002000020000000bbcc43082a38154db49bc135b32734dc83a94a89494a65c19bc82c95e92d7c5490000000f949f67216f1525aa1cc259ca7a1e7da990cf09148f089e16b1eaa365d3f34177f488247567ee63bb3e40a1d5fc56b9d7b1537189e29c530ebf588b339a718cfd647156dedb69ed9ca936446f58c4fb9a12c4192611b96da18f3ba07be62555f5d78998ac0f3301df62ec7f879140221d7f4db089ac01569a2daebacc10018d73025f898f9b8decc7c9e5354c004b8be40000000684e581c023d221b185ea99b38bcbc7f47fc8fc320ed2740c6fd506533339282be2828f417a6005d2a713459b8ec46de003fb167bce3c39207ace67cfcc27205	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{590080E1-6B59-11ED-AFAE-66397CAA4A34} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009c86c569b3c69b44b257af8cc8df733300000000020000000000106600000001000020000000a41acb6dfc040a666d7ecc5ba042c3a80c7bbb361070fa5c52b74958ec3be912000000000e8000000002000020000000a14cbc08baff9333fe9b1670099639d9d49568e884411adcb256dd32caa391eb20000000940e3aaca7cdf804968f688278ddb084525a575f7535f9554b8c5d7351fad36d40000000ae0e0cc52cccf67c495b7a04708286c4602109847e29183e2fcfca71e83dbc29b075e396dee02cfcda44c5640e99ac2794596d86194715ccc550a4c4d8450c0e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375991683"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1676 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1676 IEXPLORE.EXE
1676 IEXPLORE.EXE
332 IEXPLORE.EXE
332 IEXPLORE.EXE
332 IEXPLORE.EXE
332 IEXPLORE.EXE

pid	process
1676	IEXPLORE.EXE

pid	process
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE
332	IEXPLORE.EXE
332	IEXPLORE.EXE
332	IEXPLORE.EXE
332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exeMSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1996 wrote to memory of 2012	1996	d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exe	MSOXMLED.EXE
PID 1996 wrote to memory of 2012	1996	d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exe	MSOXMLED.EXE
PID 1996 wrote to memory of 2012	1996	d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exe	MSOXMLED.EXE
PID 1996 wrote to memory of 2012	1996	d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exe	MSOXMLED.EXE
PID 1996 wrote to memory of 2012	1996	d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exe	MSOXMLED.EXE
PID 1996 wrote to memory of 2012	1996	d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exe	MSOXMLED.EXE
PID 1996 wrote to memory of 2012	1996	d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exe	MSOXMLED.EXE
PID 2012 wrote to memory of 992	2012	MSOXMLED.EXE	iexplore.exe
PID 2012 wrote to memory of 992	2012	MSOXMLED.EXE	iexplore.exe
PID 2012 wrote to memory of 992	2012	MSOXMLED.EXE	iexplore.exe
PID 2012 wrote to memory of 992	2012	MSOXMLED.EXE	iexplore.exe
PID 2012 wrote to memory of 992	2012	MSOXMLED.EXE	iexplore.exe
PID 2012 wrote to memory of 992	2012	MSOXMLED.EXE	iexplore.exe
PID 2012 wrote to memory of 992	2012	MSOXMLED.EXE	iexplore.exe
PID 992 wrote to memory of 1676	992	iexplore.exe	IEXPLORE.EXE
PID 992 wrote to memory of 1676	992	iexplore.exe	IEXPLORE.EXE
PID 992 wrote to memory of 1676	992	iexplore.exe	IEXPLORE.EXE
PID 992 wrote to memory of 1676	992	iexplore.exe	IEXPLORE.EXE
PID 1676 wrote to memory of 332	1676	IEXPLORE.EXE	IEXPLORE.EXE
PID 1676 wrote to memory of 332	1676	IEXPLORE.EXE	IEXPLORE.EXE
PID 1676 wrote to memory of 332	1676	IEXPLORE.EXE	IEXPLORE.EXE
PID 1676 wrote to memory of 332	1676	IEXPLORE.EXE	IEXPLORE.EXE
PID 1676 wrote to memory of 332	1676	IEXPLORE.EXE	IEXPLORE.EXE
PID 1676 wrote to memory of 332	1676	IEXPLORE.EXE	IEXPLORE.EXE
PID 1676 wrote to memory of 332	1676	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exe
"C:\Users\Admin\AppData\Local\Temp\d1c15bbcc38feb23af9d8e02fc4e4f89836653ed6194a591f9396249a3e165f9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\amara.1.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
3⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\amara.1.xml
Filesize
111KB

MD5
0876abf8faba4aa3ab1b6b885db4ba4a

SHA1
fb8c38699323eb67cbdc287c56412d097812bddf

SHA256
1f7f9c007d19ad91161b30c89ec16a24494fe2addaaeccf1268750edc9a9d79b

SHA512
90ac2037b81e5c59589e00cad683e95bd9dbb87dcc48fcc9264b69c73eb445c7b6f073843ed7ab1ce8979a920b3ee5379a10b40b8e741e60e7a594c1591fca06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V64KYG0D.txt
Filesize
608B

MD5
f4842de483671c4e53c632e1ed19853b

SHA1
ae19b0e008b49d5694c85c88e3ff60536559ebfe

SHA256
207e91f6723a89d68a3af52b3ce92ba7708f05134aff0bad6ad715ecfe63bef0

SHA512
5c79417d78e3149dadea8469d2ae27c1ce0fe90f8cf58d1da85bf83897491e089c60f267469fbb320c815f05b2863858329246a5313688ffd79dbd3a6208cf56

Download Submit
memory/1996-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/2012-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing