d70553173679f78df378e38adcf50f318b83c1be40ecb39e23a33bcf08b0c9ed

General

Target

d70553173679f78df378e38adcf50f318b83c1be40ecb39e23a33bcf08b0c9ed.exe
Size

309KB
MD5

192b98651d71c5fb021ad218a4473571
SHA1

4a8c0889f2f725b747db63583e65222c90b883d8
SHA256

d70553173679f78df378e38adcf50f318b83c1be40ecb39e23a33bcf08b0c9ed
SHA512

78a7194dd888780e9b72a404217e79b592f26163576bf560309479331d1460c0fbbaacc01cd3ef99859f9a3b7970debc620162724f8a3c129a5f954cef8e68cc
SSDEEP

6144:da53G748znG0jAA2g2TW/OyqVY2RDg+HtOd0yE:053zALkAtqVdRE6

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1503CCC1-6BFA-11ED-BBF9-5A5CFA1077B6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb80000000002000000000010660000000100002000000093a8a192215958b74181a1d689dcfc8caf6831ffa58ab0dd283c6788bdde1f0b000000000e80000000020000200000006523d7fceb37444454ef001496b219999d8daf2e693ffbf7e08cd8b13aac5a1e20000000f0c80c56287f000497082f1cf8cda71cc4ed677bc97c3a0937615232ac605b2540000000f774ea89a2db8f6499cd577bab3d254dc1de03caffdebb5d07bd811dd89fc1b40f81aa7253124ce5c6a15ba20e862d49ca81105c1d914266bc8b6e5c77ccee21	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb800000000020000000000106600000001000020000000950253c48535350066806ec4c9b8b95112f65668853931c4a96c86c849448121000000000e8000000002000020000000e2ddafe21a26a94dc5f212384d5e8f31f66b6c7f410e72ce12ffdf2c1131a41d900000000cf049d694db2ad515160a31ad39a2e8b44b0d9b3e112b5536e8b857263de99ed696a1d1bfe329099f81e18f48263d9b2169952e3b994f412e4846724c59a297f2879d99794c74e162d8722eb7471ad0e3d353bc796ab574f0370be87089e5e99837d23d5eabb5d48b016bb2980bd2109988937ecef89f0810823e4dbca0da12028be234df4d95da6f1e0d719464b30e40000000a2ca1e825a6e8389d624234631f56f302e30e10d276972f5d35eb730fc1881e55b2fdc94f22a87b12000d029700e7fad744096b528daa84e3fc03ba0aa56b906	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376060735"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 909794070700d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1116 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1116 iexplore.exe
1116 iexplore.exe
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE

pid	process
1116	iexplore.exe

pid	process
1116	iexplore.exe
1116	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d70553173679f78df378e38adcf50f318b83c1be40ecb39e23a33bcf08b0c9ed.exeiexplore.exe

description	pid	process	target process
PID 360 wrote to memory of 1116	360	d70553173679f78df378e38adcf50f318b83c1be40ecb39e23a33bcf08b0c9ed.exe	iexplore.exe
PID 360 wrote to memory of 1116	360	d70553173679f78df378e38adcf50f318b83c1be40ecb39e23a33bcf08b0c9ed.exe	iexplore.exe
PID 360 wrote to memory of 1116	360	d70553173679f78df378e38adcf50f318b83c1be40ecb39e23a33bcf08b0c9ed.exe	iexplore.exe
PID 360 wrote to memory of 1116	360	d70553173679f78df378e38adcf50f318b83c1be40ecb39e23a33bcf08b0c9ed.exe	iexplore.exe
PID 1116 wrote to memory of 1620	1116	iexplore.exe	IEXPLORE.EXE
PID 1116 wrote to memory of 1620	1116	iexplore.exe	IEXPLORE.EXE
PID 1116 wrote to memory of 1620	1116	iexplore.exe	IEXPLORE.EXE
PID 1116 wrote to memory of 1620	1116	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\d70553173679f78df378e38adcf50f318b83c1be40ecb39e23a33bcf08b0c9ed.exe
"C:\Users\Admin\AppData\Local\Temp\d70553173679f78df378e38adcf50f318b83c1be40ecb39e23a33bcf08b0c9ed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://best-hack.ru/load/warface_rossija/12
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1116 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a085e5f6f7a680b895f5df7dba421e6a

SHA1
b18aa9003a7992f9ebaeef645f7a29fcdeeeede0

SHA256
00b40f506db94fc27f938682e77086961a8c568d34e45f9566a97bdcc2c7eb62

SHA512
68e4798cc5d576f009ab95c53f3983b55c587bf68eb363102c22593e6a4558bcd944071156bb09c8c523202685e33b861a93f67b32e61a8f50c6eb8f5ee06d61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FUJG1QZQ.txt

Filesize
601B

MD5
da9c106cd7a753473eaafadde19e493b

SHA1
1bef72e0b28a2e84a876162140371b1259f24c39

SHA256
aa116443506c5c65d4077e17c6dccdebbba5beb37f4c800061aad1b0c0f6ba6d

SHA512
1bf5116a6a06ffa51ec3e5aa92efe1a34fa88106f3a57a67d73a67ceaa5567c8b790d9c447a433ebfea1a6bfc36eff0318c1d84b2190e5fb3296a1daa772e4d8

Download Submit
memory/360-54-0x0000000000AC0000-0x0000000000B14000-memory.dmp

Filesize
336KB

Download
memory/360-55-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/360-56-0x00000000048B5000-0x00000000048C6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing