ea09e2c5f95979da7aec551a89e5a785e81b4f23c4b7247e90780617f1c08b12

Analysis

max time kernel
151s
max time network
185s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1054255.exe
Size

1.3MB
MD5

574df1baeb8a3c0772c09ada7c0a72e9
SHA1

081ffa1c06a5161e7613af8d304f5fb4f801bd6d
SHA256

669176b3f6509dce172ed5cb1bc39e7460fe9e38bc3a715f10700139be5fee87
SHA512

71494890b1b616f25c3f6809711b52f224fb1612c775a7e8d23250afacef54e77a2a808bbbc14998c08b9eded0d2743bc91d5fee5dd59c54e76815819161f584
SSDEEP

24576:G5CF5e45qsC8kSxj4vR7I12obD+yaN1UYn29gFJTa4tui6vUrfb3dSNr7wQ:hFDtCUa1gGN1Un4TfbtSZ9

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

1054255.exe

pid process

1416 1054255.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1416	1054255.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00766ec689ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af000000000200000000001066000000010000200000005c32e9a85bb87d4b20b21290539ce0de8d7ad902a2ebd0b0740f907efbfd2e69000000000e80000000020000200000000be6e16403517b57b6fd684dbe823f36d1cfb98689ca089f49c4fd7b8023989b90000000543e9e6e3a5c7ac7da23395cfa902cce6fa84ac5509d70ece49b162cf8d4854dd76ff1a4413cd7265375fd6ee190dd90876b0839ad1476971a6f6e460eda3058eabca081d2286bf7384290d57fde91fd2eb2daa11181d356bbf35337671a41922a37107443371b1cd20e7e03e6f7f20b099ed7f8db945f95f95e7ef55fd83047da98584c28b53c781f1619487b4113bc40000000ee4e44327e608fba0ff083f05a4d4ac78bc771a4da40160c089384606a79bc4ca2ebe5cc952d36624a66aa16dee1a21f49d25162588e1e799cc1cb3ed6f60c3e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000095f0eaa61ce79b4c10589d469a5130558eb97e54a53f87678a10615928a85bfc000000000e80000000020000200000007ca502e985d4df8d8d8154fa0bbcc022aa77a5313f24bee769749aa209b60eb420000000b6c1a58ac17f3ad5cbbf56f4bb45fc159293082c30af9f677c9d076146a88c26400000003f990de6a1b009cd0b278fcafd722c3f14d690adaba2fa9f9809fbeacf8afb7cbb280b1fecd2137029d45eaf0f15b85ec0e6fb48fcaf7b2408b432d654cf464d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DFFDC3A1-6B7C-11ED-A7A0-663367632C22} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com\ = "126"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376006938"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1620 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1000 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1000 iexplore.exe
1000 iexplore.exe
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE

pid	process
1620	IEXPLORE.EXE

pid	process
1000	iexplore.exe

pid	process
1000	iexplore.exe
1000	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1054255.exeiexplore.exe

description	pid	process	target process
PID 1416 wrote to memory of 1000	1416	1054255.exe	iexplore.exe
PID 1416 wrote to memory of 1000	1416	1054255.exe	iexplore.exe
PID 1416 wrote to memory of 1000	1416	1054255.exe	iexplore.exe
PID 1416 wrote to memory of 1000	1416	1054255.exe	iexplore.exe
PID 1000 wrote to memory of 1620	1000	iexplore.exe	IEXPLORE.EXE
PID 1000 wrote to memory of 1620	1000	iexplore.exe	IEXPLORE.EXE
PID 1000 wrote to memory of 1620	1000	iexplore.exe	IEXPLORE.EXE
PID 1000 wrote to memory of 1620	1000	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\1054255.exe
"C:\Users\Admin\AppData\Local\Temp\1054255.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.51ztzj.com/win7/index.htm
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1000 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb10fbe8819f7458690359f2417cf4ec

SHA1
ff65e2e1168f998c24878875b3c52e0988337b78

SHA256
a1e07bbb9ce5592b70fd8972df4f834a08ec9c8fcaecf04d216b0ea045d1b327

SHA512
d1a55b989ebcbf990e4e8bfb28e846c20ab187eb9fedb58c67a5e22a929dc4cdbfa6875f7f8883ba8c063f8ec52f016d6547407e23a8b04c4836a49eabfd04e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
9KB

MD5
fc52ab82b03d9fd56b70369bb789a05f

SHA1
60cc02a9a2836614cd383062d5d715dcf9962a58

SHA256
7f0d386298efafd22d56f728f5c18db619e058e74635bd61f43ffe55ac757e63

SHA512
d5a36393bea4cbd53b94e01ce49203fac4ed062b853be017761a520d1bdc40a80b9d0762eaa48362977014962d0221c035295acfbc154779ad2f8db0a435ea77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2ZCFEAQU.txt

Filesize
600B

MD5
352b5e838cfff2e5ce0f63edcdf7d578

SHA1
25c02159b57a5d6f80ad4d78e5550077e3d74184

SHA256
d1ac1050466be11810b5471a8e22c6ceb4a84e38683f24ea148bd63992f71664

SHA512
3190850bc64ea3ab93b7f8138930ab8f43c7b13a2852ceecf7afae60d20be5f740a1acf970ce829d813371fd43b05d17ad437a5f540da41b916f776c6bd07d51

Download Submit
\Users\Admin\AppData\Local\Temp\nso98A9.tmp\Splash.dll

Filesize
4KB

MD5
ff8340b98dbd0c4f38d06627b97637a4

SHA1
aae736a26fbb1ed5e9fddd956115699a910b3435

SHA256
6dad450c8b77a4827899eb54347d6f0c3a225c56920b0565dbc6b63c33bc176f

SHA512
58eda9fdc3e69c651f96d2994c76afd9e09624de5622177996b3ca9cfb9fbadb4489996ac49d220de16963acc734853239b807c65c50f79d39f4b292925ec685

Download Submit
memory/1416-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download