e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4

General

Target

e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe
Size

524KB
MD5

4f898a6a4524b4998b8a14750dc2fcf2
SHA1

bebc486d5508695b4735c8840592f847ded6e2d3
SHA256

e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4
SHA512

b073ea0b8ff0861f5f29c62e31abfb24815f8f015a6b2ac56a19b90f1fafe791e78dc8938d85dcdcb36e83d3a5d37501e9548c33abf5450ed297522414d3be44
SSDEEP

6144:lfxWd/K1JxNgczX8B83h0fIWC9kR6B0du0TV4as5LWaz53/UX:3U/Vat

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEe2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000cbb61d45b9862473203748a24bbf480a2f33e3eeb137407987f58e96601bae18000000000e8000000002000020000000c6c95f4684da836d04ab77fc566481e1673e152f4308d6b751a43c78afad6cb99000000049ae50cb2c722418e8ecec1c86efb5bd808d7c3a2f71c7cfee0f9fade1ffc8cc99b2419e086f3ae9185fef5cfebc3dc730470b388152cf397596f07193f81b8f760b06fa708b03eecc3f36d81f6b4178bc08bbd85b45c43eddc6e02adabe80569b637e11bcaf00ef734b373d8868c025b492042af0ceb37f0b3e171543a2049cc25971c7c594abc708dceb84fa12ed294000000038ec5aa211d99a39e5c9a4eff27be754d0216a8254ec434bf932946783945ce57c2bc6bbdb0e7b04b9e50f55d47137e137187d76f25a30b0a67511209e7b6362	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000b8fb807dc702714796b6c783719b6dfc6b7e05a2fc3a2693d2a1015ab07667d9000000000e8000000002000020000000c7c5055ae81997b86102193dd643a437d82772d297d936add042c66d72347da820000000e5038fde1e2219edf7a69b77eef38460debc67cc6301fed24b584d78905b382a40000000fbca343354029f9464734f53dcbf7a2d96bc1feae07a0899d5aaa0b45305c1b710d717958c435864a67cc677f13638c6fb90bd6cb6d4b4a29c6d32043f414642	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2648A8C1-6B6E-11ED-8DFC-667719A561AF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376000612"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download	e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d6bc027bffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

520 iexplore.exe

pid	process
520	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exeiexplore.exeIEXPLORE.EXE

pid	process
1752	e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe
520	iexplore.exe
520	iexplore.exe
748	IEXPLORE.EXE
748	IEXPLORE.EXE
748	IEXPLORE.EXE
748	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exeiexplore.exe

description	pid	process	target process
PID 1752 wrote to memory of 520	1752	e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe	iexplore.exe
PID 1752 wrote to memory of 520	1752	e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe	iexplore.exe
PID 1752 wrote to memory of 520	1752	e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe	iexplore.exe
PID 1752 wrote to memory of 520	1752	e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe	iexplore.exe
PID 520 wrote to memory of 748	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 748	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 748	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 748	520	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe
"C:\Users\Admin\AppData\Local\Temp\e2a64c5465504a27ed3e46c05f872b6b02dfb1f8301a435d8b678fd0e7cbaee4.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=gOO_UqzEc5Y
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ab076757187a302efdbc8e64f2760f9

SHA1
f70a74db2cae5253e8323b666a7fbb871060624a

SHA256
26105aacf3e367b023f9c38dda076722b0407ff64e0b975a9b73eda05df6690b

SHA512
a679500bfb1dfb823533894df56a14f498a1691106fff0e85c30ab5615724b0d73c88ba6f4b74a40038958fabc7206b09803ad7cd1c1dbd6d69ec4651e7c8847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
5KB

MD5
e70ca5b656a72f9d14677dfe4c22f0d5

SHA1
44c65f44b8e366e2457d40e644242aaa05ae077d

SHA256
920681bfe2c138c903ccd26fcfd6a4f5ffb91f28ee7654189e157f33b271f0d4

SHA512
83431fcd384663372a55fdb31e7d91075ec5b3fa26be81c220c2a3104530de5c26f17801cf239153f7de2be5a46a81f1997f9e08026fc8373ce6230611ea196d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B07C01JH.txt

Filesize
603B

MD5
0c95c22b17cab0bb0e57ecffcfd51d0a

SHA1
ecaf48f4192e1c2b8b5915a1a99c1b62c0a620fb

SHA256
a9f6fd12c3bc100d19e133b4f6162da58c8e21f7ec9ebaa443e0230df5d539bb

SHA512
75204cb1ef398cf67d6c2f56739edf3cb1991e46e468821122fc3f0073a0531d90d221d5d2e24ae4e45832fe176146b9bca6f34ab2186d8490f9faa34588a87e

Download Submit
memory/1752-56-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1752-57-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1752-59-0x00000000030A0000-0x0000000003B5A000-memory.dmp

Filesize
10.7MB

Download
memory/1752-60-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads