669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87

General

Target

669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe
Size

1.3MB
MD5

574df1baeb8a3c0772c09ada7c0a72e9
SHA1

081ffa1c06a5161e7613af8d304f5fb4f801bd6d
SHA256

669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87
SHA512

71494890b1b616f25c3f6809711b52f224fb1612c775a7e8d23250afacef54e77a2a808bbbc14998c08b9eded0d2743bc91d5fee5dd59c54e76815819161f584
SSDEEP

24576:G5CF5e45qsC8kSxj4vR7I12obD+yaN1UYn29gFJTa4tui6vUrfb3dSNr7wQ:hFDtCUa1gGN1Un4TfbtSZ9

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe

pid process

992 669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
992	669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2D06B9E1-6B73-11ED-BBEB-FA28CBED7ACF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000a70317e0e707b7f38d307fa017517f18984de4d8ced538fd7fa53cd18ad4e3d6000000000e80000000020000200000007a3df34cc890ba0fa4ff4e08fbbba2fb1a4467a159eed908df4256fea78ea789200000006a8a6bda99dba08b9dc68c4fcbfe4ee05dae2fe59e72fd6ecd13db2b2e8c6d5e40000000cc0427a04d9f9dddcc7ffd2667dac2df01bfc3d1fb8312f6cf0e6171cff64a324150cdc36025a5b76095a0ef47f173964538256bafddec17b9f4aaa7fd048bae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000f0089df36027a56dac35a348a361399e8352a718b4bad008134d64fbe7181102000000000e8000000002000020000000567dbab95e1135f073fe5895ef188fea13ce604f809240c6afd1fd63c0e4e48990000000b7cddccb9a97bbf7851362ac8850bdd709b91bb48991ead1e473f482fd246486865ec2538f80423e5088ee3a251310c5be95f036e9d7521edc445b6f8c8a5f835db18c91f6c0358e58c551f59450fd75e278bed460d6a7e6b25de2d4806427a50190041aa8999574ec193729247c7029c73c1f1b23b2765ce6c15f8d684da3c9b6970f8b5ea575d3cb5ba08818840540400000009e18ad790e14fa7d4a973290bd5c4d726dcef8dcde6e9e6435ce01a74cd72077bf620e4f3b1c24e88865d87d9df6ddc98503d0f5a5de4c2d7dc63be0c405950b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376002770"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 808fd60a80ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1036 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1012 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1012 iexplore.exe
1012 iexplore.exe
1036 IEXPLORE.EXE
1036 IEXPLORE.EXE
1036 IEXPLORE.EXE
1036 IEXPLORE.EXE

pid	process
1036	IEXPLORE.EXE

pid	process
1012	iexplore.exe

pid	process
1012	iexplore.exe
1012	iexplore.exe
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exeiexplore.exe

description	pid	process	target process
PID 992 wrote to memory of 1012	992	669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe	iexplore.exe
PID 992 wrote to memory of 1012	992	669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe	iexplore.exe
PID 992 wrote to memory of 1012	992	669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe	iexplore.exe
PID 992 wrote to memory of 1012	992	669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe	iexplore.exe
PID 1012 wrote to memory of 1036	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 1036	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 1036	1012	iexplore.exe	IEXPLORE.EXE
PID 1012 wrote to memory of 1036	1012	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe
"C:\Users\Admin\AppData\Local\Temp\669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.51ztzj.com/win7/index.htm
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6ab1c7c42daf4e5365456926ccbf9ab

SHA1
0c018cfa6032f80e1a8750080313927186453a4d

SHA256
5f5ca2ca221093158701dbc339c7d25be3817aa8b6d75ab7ab530a27b3890413

SHA512
5a61ae25e6eeacf7920f6624a3660189cbb1498d55fab97a0b9406727448e9a4956c91e3080aaa5f14680204e83768b75d7ac35ea0863024a1129b5ce64350f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
13KB

MD5
620959cfde43903f8f5afce997bd009c

SHA1
c2c2862873ddcbc8619592d4636bed1ea11def6c

SHA256
9a1d226cd016f5d36ad26c6aa424178c0e486c9a762da89cfe64942e76e743eb

SHA512
33cc30cddedf85fc71550d50134011bb9e8fe6bb40df41046bcec728c33e72e5102da982cd010c9f8d5c4b83c8747f4d868ddd68fca895ac12ac710da46ffdc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WYTY2R3A.txt

Filesize
603B

MD5
4fb6d6b46af784947a050e09833232a6

SHA1
128027fc6d4f01e050d50e94a932759448c42adc

SHA256
c3a7387b290d1eb7805162186f5bea1ce774dbcc1d4188e023566f63c5002f07

SHA512
de86b67db2f943763010513c15bf2ed90bb3eac5eeabd7b009c946b87c4d7cf1ee114022d9d806e33da6f5e9b4446b4cef8b36bec3a470132e840d80d546ca77

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2280.tmp\Splash.dll

Filesize
4KB

MD5
ff8340b98dbd0c4f38d06627b97637a4

SHA1
aae736a26fbb1ed5e9fddd956115699a910b3435

SHA256
6dad450c8b77a4827899eb54347d6f0c3a225c56920b0565dbc6b63c33bc176f

SHA512
58eda9fdc3e69c651f96d2994c76afd9e09624de5622177996b3ca9cfb9fbadb4489996ac49d220de16963acc734853239b807c65c50f79d39f4b292925ec685

Download Submit
memory/992-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing