fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f

General

Target

fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe
Size

249KB
MD5

c048d282215580e60a1a833c435ef826
SHA1

c6bcf8868e8f8943f23c1b4cf5416641d50e2775
SHA256

fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f
SHA512

900f1d721763ba465775ead667a6b5aeaec4eac35b0661b1c42c8baeb2f5b80e8ede79843378b49e35588ca5abe036d5eaab12ca0fc296a546bd84302a9023ef
SSDEEP

6144:kHoH98Q3n5Q93WuvD9XrOnYzKuyNqLNWOv+w:k/M5Q93WuvD9Xymyqxv+w

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC0EF610-6DE6-11ED-9B9F-7AEFAD47A2D2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376272415"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe

pid process

1248 fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe

description pid process

Token: SeDebugPrivilege 1248 fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

544 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

544 iexplore.exe
544 iexplore.exe
1620 IEXPLORE.EXE
1620 IEXPLORE.EXE

pid	process
1248	fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe

description	pid	process
Token: SeDebugPrivilege	1248	fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe

pid	process
544	iexplore.exe

pid	process
544	iexplore.exe
544	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exeiexplore.exe

description	pid	process	target process
PID 1248 wrote to memory of 544	1248	fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe	iexplore.exe
PID 1248 wrote to memory of 544	1248	fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe	iexplore.exe
PID 1248 wrote to memory of 544	1248	fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe	iexplore.exe
PID 1248 wrote to memory of 544	1248	fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe	iexplore.exe
PID 544 wrote to memory of 1620	544	iexplore.exe	IEXPLORE.EXE
PID 544 wrote to memory of 1620	544	iexplore.exe	IEXPLORE.EXE
PID 544 wrote to memory of 1620	544	iexplore.exe	IEXPLORE.EXE
PID 544 wrote to memory of 1620	544	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe
"C:\Users\Admin\AppData\Local\Temp\fa8f4a6234a4cb0d6c031162f6c1adefc79713877cec11374ababaa6610f7f0f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://prison-fakes.ru/s/3.php?t=Skype login;; trojan174rus
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F

Filesize
7KB

MD5
64bd9a644bd182581368e3ce024dad9a

SHA1
1520bd16d65200bfa86d889eb88f4f62a65dd007

SHA256
5814095df174f580f08019718d2f8d05177276906620e36564588ba4b19ddfdb

SHA512
af1ec9959334ae377a1b199a44ec31a3cadc1273512f8a2644eb8b3b21f24d4afe1c0515a3bb685bd35a0856c2d6383504ee7e72ae67f87f3bda0a8ff91ec5db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F

Filesize
232B

MD5
46cca979dcb1578a6ce6436136a2bb2f

SHA1
fa71609f329fe9b1b1808b3a9a59c433a93fc1ea

SHA256
03e019e1cc36f699faa05df4ff0b6077e6e2e06f595265d26120b9a7e8fd265b

SHA512
7a93f000fe36387c7228c0e5f0aaad0f0213d341217103fe6a10d7d8666dde86adbcf6fc4b960fb520545f2d3ed0629170c988c3e2215963ea7ae26d3be0271f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75521a264442c6ba3c2fdd842d268c33

SHA1
729182c84954c8474cb8119e9e837dc615946229

SHA256
54d9d260f2290e299ca662f7118e828dbe721df4b732a4fff55816268f565faa

SHA512
e953deb2d68bd05fd3fcb5e51cca5009100aa9ded6e49da9e85a736d70bdf0d800d56b50d67c3668f5275147b5db71e0c020b06a0c2429a110a8f892b6f7ab2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FS21GL3U.txt

Filesize
601B

MD5
3f02ec002e26f275ff372bc6539e587c

SHA1
b1df70f87a721ffe5a5df8bc0a73ea48074c047a

SHA256
ee8ecab7ea14a98c992566a1a21d11b58adb78f6c64136ad9563eb91d8a2568c

SHA512
57c41d5c62e7e0a4509ef4579e568e7c930f62e92bb08c6de34c1a28deca10f4631f0ffd0586e4061ff18b89cd29e37e376ee41c3e9de4880f7035eb7b87dc0a

Download Submit
memory/1248-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1248-55-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download
memory/1248-56-0x0000000074550000-0x0000000074AFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing