40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47

General

Target

40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exe
Size

5.3MB
MD5

76f7040293e3b338b83109a17334be0c
SHA1

84837cfb721c1bba135e2dcb7efc1a349b4571a4
SHA256

40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47
SHA512

c04ee0d5ba494f3b88d24ab65b826d8b5f31fb44b008f382b3b803ff48d20419ba04f07b09d733fce4fe12dad386ea460bd5f6beee0db652fa4580211e029adb
SSDEEP

98304:cmp6wcCuEctakxM31CX2YcFXMEgniXKKP1QMj9ghi1RebMo89ub0bV+gyn:NcCuika88MiXKKP1QMjDo89ub0bVdy

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376153669"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8459F7B1-6CD2-11ED-BDBF-EEAC7132E42C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0088b6fdf00d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000002bfd478f9498cfc1ffca93dd9d710d0b0f14f6b9ab1ab801da2d2838c1cecb8000000000e800000000200002000000067086cee4ac2b53f46e3fa81427c30f33c08881a424f5b65eba9c61fd5cecfef20000000936f49f12ba0e7487484e978564899ba8cc1cd80b70a029d501655822254787140000000053490fb6dc8517c91897f2f7a081d1753695fc5782c63afb128c20f06a0a29210018e04576e272817db2fa60e52b8ba25c6df241c5b871241aaa56a92c83405	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000061f4f72bb6f700740b11eae69a8ccf0da433a85fc57f69f8c014b89d0a3ff941000000000e80000000020000200000006e09f00a0be563b13c7c2f181bff5949d078b8afb215f60f11afda85d7b165299000000092aaef6a46755f1be88c7f5a67dac8b9d192444b2762feb3b6a2c6c84c752dc07a6a7ca6df2b97b80daa69d7813a423c94a1cdcaa3329c254766d3d521b714c9dfa8fa4c19814a75d27f47a5b3bf037823470d551ef5b970b39a50e8fe30e4b3267ba0b1cde5bda2a65195a4343e55408afeacb4088efd76f0f6b103d22db8205198fb9d763b5fb2d654f06df321b0ad400000004f5641bca5fe3a2a45fca04273dc29e1148bdf595bac7178420ff0c8b72bfbc879e5178febe8ad9707defd35e83d727db6028765ed69c88615db272d4ed6cfee	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1908 iexplore.exe

pid	process
1908	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exeiexplore.exeIEXPLORE.EXE

pid	process
344	40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exe
344	40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exe
1908	iexplore.exe
1908	iexplore.exe
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exeiexplore.exe

description	pid	process	target process
PID 344 wrote to memory of 1908	344	40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exe	iexplore.exe
PID 344 wrote to memory of 1908	344	40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exe	iexplore.exe
PID 344 wrote to memory of 1908	344	40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exe	iexplore.exe
PID 344 wrote to memory of 1908	344	40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exe	iexplore.exe
PID 1908 wrote to memory of 1080	1908	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 1080	1908	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 1080	1908	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 1080	1908	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exe
"C:\Users\Admin\AppData\Local\Temp\40b33a2c5e6f456453ca475efd5e03201e7d21ea63d45b84894baf8250183b47.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:344

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://downloadian.com/typ3
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1b33f818be48a6bdbf2aa756197be4a0

SHA1
7ce89798cee2d1ff46475a79f218d4a8ff38c0b6

SHA256
cbcc887c17dfb63b46d4102cadf27a19ad3968c3778ea5dbf58e3d9a5acbc658

SHA512
bc2556f1608beac122c52ec176fdd6d1969774c5c3429efefbd250f5dae4258363212e2306b423f37db64ec007428377eaaef9e0408a9b806bc2c7f3270af827

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ODAUJ34Y.txt
Filesize
608B

MD5
05a4f351cd933377a1f63347b8fbabf6

SHA1
ecf3aa1c4729c73d47b43c9fc13132d2df91891a

SHA256
b85de5d78048524ba9d6c9dba520f890471bb31f46149b0ecec9faf6e95ba0a9

SHA512
3276be1e8d93231c162b6411abe346912e06f12fe0384754469c6daee193aa4f19f1c824c64bbf6ee08b7cbad96e98c332f461c2deb7496eacdffd58325b8752

Download Submit
memory/344-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/344-55-0x0000000074AC1000-0x0000000074AC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads