f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814

General

Target

f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Size

3.3MB
MD5

fff0a5da060e53f0cc394c6e934e84c7
SHA1

1c6f303a315dd491fa045f30d00b3fd9da6ca7bd
SHA256

f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814
SHA512

0ecd4119dad808a6eb68a28f23a35e244e504cad635d879cfea8ffcaf2f7f380e3b24cacb198efbd0f7c9d295913c717682b88441d8c05bb6f34b0cb90ded769
SSDEEP

98304:4TOdz3J+zo5AYxQ0WU1i+5O4JBpO3c3c4A9DQfv:4TOd1ohYx6Ei+5O43gM35GQf

Score

8^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1984-54-0x0000000000400000-0x0000000000A29000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6e5e4f014cb404385326ff1f68308be000000000200000000001066000000010000200000006e1a0756be01ba74be32a6a549a774ae1ab1b73a9b27f62cf807a39e65d73c4a000000000e800000000200002000000007074a2ff1214b154821de0478d96c2460f616b1fa622ff94a7dd0bf62ad9b4b200000008eb4a4dd70007773270e17abe9fb9dc7e0e2b344fb1d695982bc516ef39ce06940000000b2b255552332d5b6fb0092c10cf8de59f386c2bfca7369bd8b3b6e098162f1c2cc608bcaee933234c41a1a3df4f6793210c3ff897bf173bcf91bd76d0f2ba7bc	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40be448fe800d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6e5e4f014cb404385326ff1f68308be00000000020000000000106600000001000020000000796381b5eb02d9b9e03115d9a0968d01a90fe62630835da00bf3bf6f29ee3b5f000000000e8000000002000020000000b829fc3ef814e1be35b8d780efbc609e236b753c377bb5b650c0f8753ca76f83900000000975145c9ef21d5980b4d07c422261011b433bd04ad35c4f0ed9feeefc361175502fb3a61928854c0f4b6dc5cfdd881b447591a15f7fd823dd6722c52d5435b17e7e455f6624a8827aba9ad9b01e05db42ba4d847fe024bb99389ac970e0c8f0cfb8cb3e1591f79425a9c79c50c7a0ace9f5e0804bfc4dcd3ae1816d816ae0cb1c313b2282b4d70f806c78d02fe7b32c40000000b777b3abaad616bad879964c939e63037f8d467d15674ed252f0cebb94b0993d26256e40c16a847924f9775347fba27bc38bc0361c626ecb7df16fc958129060	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A2410081-6CDB-11ED-A645-626C2AE6DC56} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376157587"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 61 IoCs

Processes:

f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\TypeLib\Version = "25.0"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\ProgID	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\ProxyStubClsid	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\ = "__clsConvertPDFToImage"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\LocalServer32	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\VERSION\ = "37.0"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\TypeLib\ = "{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ConvertPDFtoImage.clsConvertPDFToImage\Clsid	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}\25.0\FLAGS	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}\25.0\FLAGS\ = "0"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}\25.0\HELPDIR	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\ProxyStubClsid32	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\TypeLib	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\TypeLib	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\ = "_clsConvertPDFToImage"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}\25.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\ProxyStubClsid32	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\ProxyStubClsid	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}\25.0\ = "ConvertPDFtoImage"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}\25.0\0\win32	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\ = "_clsConvertPDFToImage"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\ProxyStubClsid32	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}\25.0\0	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\ = "__clsConvertPDFToImage"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\ProgID\ = "ConvertPDFtoImage.clsConvertPDFToImage"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\ = "clsConvertPDFToImage"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\TypeLib\ = "{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\Implemented Categories	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}\25.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\TypeLib\Version = "25.0"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}\25.0	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\TypeLib	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\TypeLib\ = "{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\TypeLib\Version = "25.0"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\TypeLib\ = "{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\ = "ConvertPDFtoImage.clsConvertPDFToImage"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\TypeLib\Version = "25.0"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\Programmable	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\TypeLib	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{777E3CFD-66D3-4E9A-B29D-C7A43CDBD442}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ConvertPDFtoImage.clsConvertPDFToImage	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ConvertPDFtoImage.clsConvertPDFToImage\ = "ConvertPDFtoImage.clsConvertPDFToImage"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\TypeLib	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\ = "clsConvertPDFToImage"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{30244D3E-CE18-49BA-89DE-12204DC04BC7}\ProxyStubClsid32	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\TypeLib\ = "{2BDB1082-D220-4AA4-AC2E-0397FF36DDEF}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}\VERSION	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ConvertPDFtoImage.clsConvertPDFToImage\Clsid\ = "{CEDF652B-6347-4ED1-B6A5-7D5EC392D3E3}"	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1640 iexplore.exe

pid	process
1640	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exeiexplore.exeIEXPLORE.EXE

pid	process
1984	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
1640	iexplore.exe
1640	iexplore.exe
320	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE
320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exeiexplore.exe

description	pid	process	target process
PID 1984 wrote to memory of 1640	1984	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe	iexplore.exe
PID 1984 wrote to memory of 1640	1984	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe	iexplore.exe
PID 1984 wrote to memory of 1640	1984	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe	iexplore.exe
PID 1984 wrote to memory of 1640	1984	f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe	iexplore.exe
PID 1640 wrote to memory of 320	1640	iexplore.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 320	1640	iexplore.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 320	1640	iexplore.exe	IEXPLORE.EXE
PID 1640 wrote to memory of 320	1640	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe
"C:\Users\Admin\AppData\Local\Temp\f1afe10109797d310f5373992f0a416f243f9d64181caa779e2a54ee75e06814.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.softinterface.com/Extend/Questions-Thank-You.ASP
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
00b737968be43b5bd1f5549be6347962

SHA1
9a816cf9f114a075da18470ffe86ab77c58ad52c

SHA256
76264ac1428a28e3cea91d89a801bc860764e010bfa1c1d4ce2af6297f3b5de4

SHA512
457371fa910816fe0ebf3f0c3f57033c6cff500041f352b9b60c95b6a6f401cdb634521db4491bc2872386ed4fb4a06de98f4a1c9f1ac073ae56ce0366c803fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M9HTNAPK.txt
Filesize
608B

MD5
c2dfd2f1d1c097c0c64b6f51be9925fc

SHA1
0939aaea6dc7d4fc6b8d26356e4614ac9ebba5a7

SHA256
4dbe6e4798c784e3e62c452164109f34851fbf5f7f9f56429cc3a821bca1b071

SHA512
c395c6c72d6d5a3127167e7bc01eb11348a965e6fde42e5f2b3d12fde78bca64c442580e9b14c514daedf972f7d89282eef790157582a2a9100c605f4b1dec89

Download Submit
memory/1984-54-0x0000000000400000-0x0000000000A29000-memory.dmp

Filesize
6.2MB

Download
memory/1984-58-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1984-59-0x0000000003B31000-0x000000000407D000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads