f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c

General

Target

f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c.exe
Size

86KB
MD5

a4620623330bcba6845a8700e9af247e
SHA1

67fe4e26343e97ab93898afdb239d77c8ec3e8e3
SHA256

f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c
SHA512

0c08411ea99a1076222f555abc2e36d1da9ebde1ebf23873fa38d7bacb1cd292939c45b647992b464223ebe39fb404cb54e0b40d0c68c62c5c097915d7dd5c65
SSDEEP

1536:5ucaS9mhEf8+ptUSjqFMaztleruMV1yPMR3pLLJZweL+C+2V5NPXhO:RjTlCttleruqyPMZBLJOrjYJXh

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000067430e66beaae10144554cfdccf769b43414889a7c4c6b10de6a43559a4a7097000000000e80000000020000200000001eabbbafbe3bcdc4c0c1fac4116ccf599984188e90dd464ad9eee305c46d201990000000f1763b1ccb5651a64bbfaf45cf1b718309b9c58ca17748381445279613a6ea4516e1192f865c2fd59688fad731e79827a378720949a96e8144b214024b0c027e1c21a4d13ec32e00585ccdae04e738c607f3ce17ab2ef06274d5e9261f24fe2e003f1546ffa3064280506c04cefdae2c3c61aa70a4fe4f4c90fc134947eee4eb48a871933c280542951c657bc13f055940000000124a14bcb5746aaad33677abe491d7436ced7d088dc086dea62f12ea4cd6af4f9995154c48a190edc48f22d985e6d3b6664fef1eda7e34e2bf36f2b3040ba9ad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2051c63676ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375998548"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000003dea47ddbbd7ff68b5866e42b000550755837600b5b14bbc65712e52cd4d8315000000000e8000000002000020000000c2056cbe41636cb8e06916dd223731fdbf9e6b0201a87e8b6d413792e9ed2b612000000064b4f752d3de61ccb26aadf6507f08bcb417ef80f48af5d9d51d30df24bb448640000000cdb77f029d26fb8b2b46c304aaf9ae4d9efb103348b94bec8a5e1121b1d446241251a954c8266b74424d8b266addc1c4d900501ddeae300df718eec13254c18d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{55589C11-6B69-11ED-BA2E-6662AD81E03A} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1032 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1032 iexplore.exe
1032 iexplore.exe
1884 IEXPLORE.EXE
1884 IEXPLORE.EXE
1884 IEXPLORE.EXE
1884 IEXPLORE.EXE

pid	process
1032	iexplore.exe

pid	process
1032	iexplore.exe
1032	iexplore.exe
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c.exeiexplore.exe

description	pid	process	target process
PID 1776 wrote to memory of 1032	1776	f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c.exe	iexplore.exe
PID 1776 wrote to memory of 1032	1776	f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c.exe	iexplore.exe
PID 1776 wrote to memory of 1032	1776	f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c.exe	iexplore.exe
PID 1776 wrote to memory of 1032	1776	f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c.exe	iexplore.exe
PID 1032 wrote to memory of 1884	1032	iexplore.exe	IEXPLORE.EXE
PID 1032 wrote to memory of 1884	1032	iexplore.exe	IEXPLORE.EXE
PID 1032 wrote to memory of 1884	1032	iexplore.exe	IEXPLORE.EXE
PID 1032 wrote to memory of 1884	1032	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c.exe
"C:\Users\Admin\AppData\Local\Temp\f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c.gif
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f1ba5ece7b86f46f86b205d3844820186047131d2297cee1bf3318d93e441f0c.gif

Filesize
4KB

MD5
6104a8155330609b6a51d27bffc4068c

SHA1
131b7771dc5b2e917a67b76b9fa76694bca9f53a

SHA256
a47d369b642b7e5ed1e59e0a7c77c77c15eb81bacd9303223ee0c7d4219ea06e

SHA512
93f142e9c79bb4154ae7c8b61f340d10b7e027777fd2160bbff3486e9a6c54cdd7626f611bf14944643ad4027ef1fee98699f8f64f3c82ca9fe72940e9ebe31e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F9RW3YSE.txt

Filesize
608B

MD5
1dfd4216e85e590d060f9505b447617f

SHA1
bb2d41fd70d5ad8bc12e449628d0e6d487a23bed

SHA256
bc2de6dad6f9fdfdd68fc5cff74773387fbd564ead950ddc9696a5b91a40f36e

SHA512
6a08b5a98943d9368e416723ffbb809137692e0b700d18ea6b1a92d0cfbea35520186579e6f77d9f12190aa41cfeaf4a8e33c97ad8355731ae6641c6c5bce317

Download Submit
memory/1776-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1776-55-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1776-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing