5e74ca9beaf77a9dd72c8e59122c1f71b1aa458638e0fca2f043df91d7e3f006

Analysis

max time kernel
165s
max time network
209s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1054394.exe
Size

1.7MB
MD5

373af03a25d66fecf5a303f45fce230b
SHA1

2e0eaa1d2c284b5a956b3a8a844030d3b8f6ca53
SHA256

90c723d8dd4d776a7c5d0f44233a23cafca10ba94c5a8db31daa71aaad0c652b
SHA512

14a69f487596b3aa6131a9cc44c91c943e3091b2846d974ba4652970c8ba38964448a7ff0394f8918e507514a37c322ae5deedf5e145839c8ec5338b32d4411f
SSDEEP

49152:QFzIUTG3vgMtytmkfhriQn5ImTiUt/Y5fbtSZ8:CzTCHt+hripqiUt/Ifb82

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

1054394.exe

pid process

996 1054394.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
996	1054394.exe

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009accead6708c3044bb39e4fafbbc09d7000000000200000000001066000000010000200000004134bd4b4a4bb3f6ca3aa67eeae16566753e447311f54a6b80fb880d5cca6856000000000e80000000020000200000000a60cabbf044a690d1288de1d4ca99f6a2a31e5d5b17dd192b0d0545a7b3b4c8200000005ea878b2c8073db926fd945b3e0c048a4fb0dfaf70d4fe36a2ce3277daa6b2ad400000008f8a625d921791027459dc0edcaee0c822f672b05f76235d53ef26313fdcc52a4b39f68032ccb1ba4cfcbaba0003f4406a6ec709d4e82f8bff79d119fb54fdcb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\Total = "126"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009accead6708c3044bb39e4fafbbc09d700000000020000000000106600000001000020000000acc9d1e7bc3e79f6921cbab1f96aad68a0928a2b09c2da0a83def2c7e00ced72000000000e80000000020000200000008e999830b4284b588816dea476a60b70e9a5a3f847a39830069c92b497f74fe9900000004798c06bf8840fb55db03559919f0a42c927c3f6704f7314955c90568b37c4bac09fb40c9b99449d01c309e787f2eee3d15b5a86795b67a9ae7c550c0ba15c02aa6427673412a71179bd7450adfd6d14408b8a67083a458380df722255b9dd740c562808d15a8d0e46f6876663b4dfa38a8a86be35745f8b53d53bea8d2c1c51905ec8bedab8e6da59d16ecef7056179400000000deb813c39383575a1287acb4e6352b6a347683ecfa7738dcfe04eba73ffe58bf807861c5f10d40fe82311f6fe2125dd9925bdd926f83d632970d90f6ceb20d0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376006473"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com\ = "63"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d08489af88ffd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C7A2FB51-6B7B-11ED-8C74-D6AAFEFD221A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2044 IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1164 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1164 iexplore.exe
1164 iexplore.exe
2044 IEXPLORE.EXE
2044 IEXPLORE.EXE
2044 IEXPLORE.EXE
2044 IEXPLORE.EXE

pid	process
2044	IEXPLORE.EXE

pid	process
1164	iexplore.exe

pid	process
1164	iexplore.exe
1164	iexplore.exe
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1054394.exeiexplore.exe

description	pid	process	target process
PID 996 wrote to memory of 1164	996	1054394.exe	iexplore.exe
PID 996 wrote to memory of 1164	996	1054394.exe	iexplore.exe
PID 996 wrote to memory of 1164	996	1054394.exe	iexplore.exe
PID 996 wrote to memory of 1164	996	1054394.exe	iexplore.exe
PID 1164 wrote to memory of 2044	1164	iexplore.exe	IEXPLORE.EXE
PID 1164 wrote to memory of 2044	1164	iexplore.exe	IEXPLORE.EXE
PID 1164 wrote to memory of 2044	1164	iexplore.exe	IEXPLORE.EXE
PID 1164 wrote to memory of 2044	1164	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\1054394.exe
"C:\Users\Admin\AppData\Local\Temp\1054394.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.51ztzj.com/win7/index.htm
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
c0eff5ba2f1609c1164c9b25c764a386

SHA1
6a508cbc396ad8ecc5b3714d2510455e9a1af775

SHA256
e2776157fdbb2c5f1fd5dbad4d74504fc04c8ebf5bacd0dbb5ac931534b13187

SHA512
e7c74cbbe40392a09d669fc51bc5dc9cf5d68d7093442c0d2f07b02ee297b5ded05db00298ead90e549e95576263f6d88310917ee805e29227aa6c79ca53fc9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
Filesize
13KB

MD5
ee4c7863bab79b7676082c7aae604780

SHA1
a9b7be69dc2210e7ef45026006be325ad8ee4d5a

SHA256
dfc6ad6cce58c6e56779628f93e98f284dbcac856d79c3d508ade0676f0585a6

SHA512
1621a711cff932ab9bdd85234704a3e13f5078a7c0741308143ee3ddf960e985954a3ab93a52149556dedf0864d90b9ba024035b122a131386d137f1ec26aa76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DJKNDLIC.txt
Filesize
608B

MD5
26eb49bc0e6e97c992ce312059ecf002

SHA1
b462d6f617c1062d7e5c6928db4f6f36d42c2c51

SHA256
b61f4c1263b1e79e7f4fd6a7286c8755bd34d9a79fe5c2f3cb6f106db18b710c

SHA512
360e28ae8270d176ed0b6743eb1cc7eef6a52cd2e069b490777c7af67c9da1f70db5c2ef9d107b91ad07369a90620f4bb62e4f2ae416a3e2339f978972414033

Download Submit
\Users\Admin\AppData\Local\Temp\nseE005.tmp\Splash.dll
Filesize
4KB

MD5
ff8340b98dbd0c4f38d06627b97637a4

SHA1
aae736a26fbb1ed5e9fddd956115699a910b3435

SHA256
6dad450c8b77a4827899eb54347d6f0c3a225c56920b0565dbc6b63c33bc176f

SHA512
58eda9fdc3e69c651f96d2994c76afd9e09624de5622177996b3ca9cfb9fbadb4489996ac49d220de16963acc734853239b807c65c50f79d39f4b292925ec685

Download Submit
memory/996-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download