Analysis
max time kernel: 87s
max time network: 147s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 06:12
Behavioral task: behavioral1
Sample: 597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9.exe
Resource: win10v2004-20221111-en
General
Target: 597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9.exe
Size: 278KB
MD5: 940d5795620be29fa24ba86e2ac1b70b
SHA1: 7d4c72db9a88488333baa87b1eb08a3c47f44c17
SHA256: 597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9
SHA512: 157ae76f39ee76eff7373cea4cb47c0bcd83785b61eaedd193c3fdc1ea4f5cd7bb78240f79955f35ff8a82985d09b82a49cfd2e8c0939deec186168e0695c615
SSDEEP: 6144:6zv+kSZBbdH19ex4T02J4fqz22tvymTiB62iKnWKKmDTcNwjreOV:6zcRD02J4Sq2vHGB67KWKKmDp
Malware Config
Signatures
YARA rule match: upx 2 IoCs
- resource: behavioral1/memory/536-55-0x0000000000400000-0x00000000004B6000-memory.dmp (yara_rule: upx)
- resource: behavioral1/memory/536-56-0x0000000000400000-0x00000000004B6000-memory.dmp (yara_rule: upx)
Adds Run key to start application 2 TTPs 2 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (process: 597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HOSTS Anti-Adware_PUPs = "C:\\Program Files (x86)\\Hosts_Anti_Adwares_PUPs\\HOSTS_Anti-Adware_main.exe" (process: 597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9.exe)
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
- resource: behavioral1/memory/536-55-0x0000000000400000-0x00000000004B6000-memory.dmp (yara_rule: autoit_exe)
- resource: behavioral1/memory/536-56-0x0000000000400000-0x00000000004B6000-memory.dmp (yara_rule: autoit_exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow 7 IoCs
- PID 536: 597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9.exe (6 IoCs)
- PID 1472: iexplore.exe (1 IoC)
Suspicious use of SendNotifyMessage 6 IoCs
- PID 536: 597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9.exe (6 IoCs)
Suspicious use of SetWindowsHookEx 6 IoCs
- PID 1472: iexplore.exe (2 IoCs)
- PID 1608: IEXPLORE.EXE (4 IoCs)
Suspicious use of WriteProcessMemory 8 IoCs
- PID 536 (597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9.exe) wrote to memory of PID 1472, procid_target 31 (4 IoCs)
- PID 1472 (iexplore.exe) wrote to memory of PID 1608, procid_target 32 (4 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\597a450befbc3d69df3fbfad1bff378a50642f882e105358b3a70191afac8fe9.exe"
   PID: 536
   - Adds Run key to start application
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Program Files\Internet Explorer\iexplore.exe
   Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.malekal.com/2012/01/10/hosts-anti-pupsadware
   PID: 1472
   - Modifies Internet Explorer settings
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
3. (child of 2) C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
   Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:275457 /prefetch:2
   PID: 1608
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 340B
MD5: 95b64ca14a5ace28da2bd76d980ba468
SHA1: 3608547c9b1c9cc3f57f51df58ed9efa5dbcd912
SHA256: 859ea94ee7da097f75832ac9d49861c598d2e96244bdfdc509ba0d1476aca953
SHA512: 1beb2793d7c88102cebae1a802fa4fa2665b4c358e9e2dc28f1893d30bfd2bedf0b190840fb30f2603598f4256307e59efd0a063867fcdcacb6246b8fd6a64ab

Filesize: 600B
MD5: b55e34ae24f7548d5fd53536485b8604
SHA1: cd8af1303b1c1b43af0bac60eff0f519f34e9f22
SHA256: 272db0f8f9243a7bb44438ad4e07b18e4a081c80980907f9a601e5cb1e2b5e13
SHA512: dd772fc3f1035320240fcf206502e3928ed20ef9cbd7c2bec86dafef625f359f5e45a1df8b7beed2ef2b75288e452b39159eae7c88f605b9d5c42a9d413e7386