4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9

General

Target

4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe
Size

539KB
MD5

07cf7e720a27b4409f6d2f61665ecc36
SHA1

23131fb6c835f8dfe4bc77dfeee42045db025bcb
SHA256

4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9
SHA512

040775fd8e2ba0adf0efb1a18ce114632bc1629f2fb03521778352ba9676ef630a7dcd2e46281b8e0249fd41898cb1f12342fe23b68ce46b8281547c0e6738f1
SSDEEP

768:5tdZ4Po3qT//owQmaHA/cvcPqtZcvqt0QWqA:5OPo3qT//oYn1q

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chromium = "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\""	4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe

Drops file in Windows directory 2 IoCs

Processes:

4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe

description	ioc	process
File created	C:\Windows\Interop.IWshRuntimeLibrary.dll	4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe
File created	C:\Windows\dwmvs.exe	4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{42F9F401-6B6A-11ED-B68C-6A6CB2F85B9F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375998943"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d69f32acc5c584992183a57d8c3b796000000000200000000001066000000010000200000008b11124ae0df571fb9cb3ca7cf4dcdf7aa5dd6a2bb08b2686fa530c912fd4baf000000000e800000000200002000000030fd640c3423eb036bc351efb1cf1c54dc69852567cc5badfc96f83b401cd502900000008b4d02da1e39528348b3a44f7d4bb8478b47d8ca125463f3875702e01d82ef710c027160636f41b58c60ee5448136f420de31581040becc1e5af411801b08b654b7461d9481de15be4db41f4ee6fc61f2c418d4c9dfe0c63919ca44990efa442af05a92add0a4806b1c8ae2b3b2ce278b07fa568a74633204a7e686d2c80742c43b062303eb9b89e2de18d174638a80d40000000a75e3a44d50c3e84e1a6dcb6935cb0a8170db6e542930b4046b9d0136b9a69ec02ade4766f5517f71549d491906998d98c1686186c27b04ece2f73d9a5ab6898	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f2162277ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009d69f32acc5c584992183a57d8c3b796000000000200000000001066000000010000200000004ab6cd7ae59029ee259d00566c3afbb30c317120f8b9b0cec1abc213a22d8e2a000000000e80000000020000200000001c464efdec83a99f7e5dee58bca34b72278a2ff0761a787a5b9069ed00523b2120000000f53a8e62e3ec0275854ab9c70b08c92ee119f0f40913014b03224da4bd6479a44000000094619493f1fadc4ef0ec4a7d9373ac5cd9d8008831f78fc9eb65035f88f5beefe0d4204d96c5d5e2cba97a02aa21e95edd6db2148fdaa585ff73c589ea30826e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1612 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1612 iexplore.exe
1612 iexplore.exe
1068 IEXPLORE.EXE
1068 IEXPLORE.EXE
1068 IEXPLORE.EXE
1068 IEXPLORE.EXE

pid	process
1612	iexplore.exe

pid	process
1612	iexplore.exe
1612	iexplore.exe
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exeiexplore.exe

description	pid	process	target process
PID 1752 wrote to memory of 1612	1752	4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe	iexplore.exe
PID 1752 wrote to memory of 1612	1752	4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe	iexplore.exe
PID 1752 wrote to memory of 1612	1752	4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe	iexplore.exe
PID 1752 wrote to memory of 1612	1752	4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe	iexplore.exe
PID 1612 wrote to memory of 1068	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 1068	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 1068	1612	iexplore.exe	IEXPLORE.EXE
PID 1612 wrote to memory of 1068	1612	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe
"C:\Users\Admin\AppData\Local\Temp\4360631cf8d0996c61c982b05dd2278147df2843109c6358428c2c129c58e7d9.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://goo.gl/EEnmQf
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
55f7d6b1a667a564490ed376cc078cd8

SHA1
145e5b699fc295e13f03dc04c7b730b66c1a096d

SHA256
fa321a35b71a93a93e88c8c0d277ec252b867f65a83f0a4967e7ce75744b5eab

SHA512
29ff14e277ae970b060cb5108f1463431791177ed4123d81b2a339a79f3c98d23a9722d9344b5a22b7d0508eb16247eff30eecfd1411af65277ae7f20a92b066

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OZ5QYDXN.txt

Filesize
603B

MD5
72b80d4449bca924cbaa2ea8b8eaa28b

SHA1
b3c265fdf5ae388ec28db2dc00d8b9dd260e46f0

SHA256
80ff812ee1546045880be9f5a8ecb4864b9aaac0742922f239a6f1589b55f70d

SHA512
25c0fcac9d84c07cf69b489267a8c1efbe08b2c6cd99fb3a211671a9bc6952fa71f7f5a5a3d87d9c2c82b71320191ab19dc86665f6899111b9197735344335fb

Download Submit
memory/1752-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1752-55-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-56-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-57-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads