0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9

General

Target

0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe
Size

504KB
MD5

2b0339907662d614899bcbd97816a9e5
SHA1

608200c4a096fd02ce6e31aae3ee126a9caad193
SHA256

0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9
SHA512

e720065b6367aaeba78bb937b22199fbbd52aa81c999a4baf94df5ac6ce6e0824928d227473c4222ec4552f9932d12b75ed80c8f2a41552226564508ac1dcb7b
SSDEEP

6144:L0OR4Vji+xwxxhRldcYQU2dWWA1S0RxRz4IoNu232sX:L/KQrIP3

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c25500e79789324487d81012283cfdbf000000000200000000001066000000010000200000006ac6e28541e8911596b4598bd09ca7c7f94ea84bf4b324298acec1e287de9fe9000000000e8000000002000020000000b1f123f9447074db48d844169342a36eb7221e437824bfdad2ceb7b15bf7abd22000000097e6ed1caf420b261bea626f4179aaa426b46cc3072fbe6c8fe71c25957151314000000034e84b2723e081789462474d8e8c38ad290e671458b62b4e30d7b5451a6eaacc4c909d2082a689f4b2fc218579a3b8762be0488b25a5cab0eb86d216eca4c7ae	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c25500e79789324487d81012283cfdbf00000000020000000000106600000001000020000000f69e9d65c77abf31693bdbbee1a798283c156712badafa9318763039a699bfcc000000000e8000000002000020000000c03f3a707a5665c950ab72393aa752c7ccae5cfc53b78065041e8f4410d7e12390000000dcd748d138305180e0e7c8933f41c94469b19c112d57769937e4b84e7c06ec797bc8d38d1447497a0ed68f8d8725f463e47f1fa49415f75be7826fd2cda0f99f435496f8fa28fc19879413356bbd6a3005a622691b180c3851d22a030016574e1b4ace5543e4086e748de3dda62ed5f1caedba4f08fa1d8e77af7c8ec8de19ed47b739a5e83a4a1b5a49b0e915f98d4a400000009dfcb03bc6ee5d927fd2b76f9b115acf979e6d3ee3ed979ddd436ddf275977d004874681008bded94c72c6875eb4b0dafee1d85e93a7214be505aced15b5bb37	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1038f26373ffd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download	0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8681B0E1-6B66-11ED-A34F-EA25B6F29539} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375997336"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

952 iexplore.exe

pid	process
952	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exeiexplore.exeIEXPLORE.EXE

pid	process
800	0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe
952	iexplore.exe
952	iexplore.exe
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE
1268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exeiexplore.exe

description	pid	process	target process
PID 800 wrote to memory of 952	800	0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe	iexplore.exe
PID 800 wrote to memory of 952	800	0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe	iexplore.exe
PID 800 wrote to memory of 952	800	0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe	iexplore.exe
PID 800 wrote to memory of 952	800	0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe	iexplore.exe
PID 952 wrote to memory of 1268	952	iexplore.exe	IEXPLORE.EXE
PID 952 wrote to memory of 1268	952	iexplore.exe	IEXPLORE.EXE
PID 952 wrote to memory of 1268	952	iexplore.exe	IEXPLORE.EXE
PID 952 wrote to memory of 1268	952	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe
"C:\Users\Admin\AppData\Local\Temp\0bb6278acde0b7e0bcf7088b12447db6c9493c3827c2a38667847139bb0824e9.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=gOO_UqzEc5Y
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
6d1608ab69093cd7b739c64568e465ae

SHA1
09a521f86ac2610ff868c2e6a2cbe61d42ecda72

SHA256
505ad9479c62cd9391f0ec4e98674bf7a94e1f6bc3781fc9ed4c5a902a5d2ee4

SHA512
aca01820af285cd86821da68796c7c8c6390224bafa07ae6ef6c1a91b763112519176bfa74abc232a567faccbba2c6303acbb1931965eef461d9f65bc20b7703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
5KB

MD5
5fa738ca49e215ea9c98fdfa26029cc6

SHA1
e061503189cd449692186f0e6179faa7729ca2aa

SHA256
814cdd0211044d769d020b4e62f78b4378c9a10d78f9d211c7bc0260dd0f52f9

SHA512
d8bc4a70dfc6708fd7be351a02a4f6c496726fc80db74b5c77050a89ee41e3f3530373fe0a0a0f105042ffd9094ff67151265a8c13ba6c4228819d53addce919

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CLKO34I2.txt

Filesize
608B

MD5
afacee8c73f1c7fc2a6885726ca6d3e8

SHA1
67cff674ed5fd0f3b2ab73ea0a4c7906773b7820

SHA256
c84ec88bfeff0fa5a593d774744a0fd9746269b07d0e7cf55faba1122784cb72

SHA512
89a45beb9d597857d31147857bfeb218833e37063e6563f7bda6b0ab2fc3d263d462f36c3f9e3db22e1b517efe9718a5bc5bab7ea65a9f7710882f79e3dfd6e1

Download Submit
memory/800-56-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/800-57-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/800-59-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads