188cfec392ec2770e2074f28d894e9f7dc36c331b7f5015104ecd59b383df854

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 06:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

188cfec392ec2770e2074f28d894e9f7dc36c331b7f5015104ecd59b383df854.exe
Size

2.0MB
MD5

ea89fde187539d7d189da9de625a9331
SHA1

ebbff1862364d8c48f34766f2c773291bddfffca
SHA256

188cfec392ec2770e2074f28d894e9f7dc36c331b7f5015104ecd59b383df854
SHA512

a5fe0c16c83717a0e4e8c1cd90101dc1582dcf41c9f1b3c9f9a453f66f609291ef608ab37e4d2ffc230b21054a80d1b87603e347eadc563f59616ed978765142
SSDEEP

49152:wF8+EDgUqEq84phgn0oENum7xIaCodPOJszwd8fbtSZn:i8NehZ8uxIaCood8fb8h

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1720	188cfec392ec2770e2074f28d894e9f7dc36c331b7f5015104ecd59b383df854.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376365902"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000003e97d02db0a2ea43c67b9abf28ca3510f81f166affbc092409945e9a4578fedc000000000e800000000200002000000044cd3ea60cf38688f328838ea3d63d28e143843f50c82d4360c42a7ad3c8d2ba20000000c4d4dd8990e3d3ee7b5a53d50aea2538e0f7031ac7f594454095864b3b6fb3e640000000658ba306e134d52f4ea3f55f8ca11d9bd181ba19077a0b1291e982fa933db986f8f5180f42cbdfa2915b017192c3d082444e84b2eca354904523b5e12edfb378	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51ztzj.com\Total = "126"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000003ebcb4ed59059bd316d8e9cc672d9233a74578c8ee2e55d09e56f5fc3d102a80000000000e8000000002000020000000a46ed05716f468a8885daec3210723b87de50f5f287810c47fe28dac5efef19b9000000055df50a6b580d95b7ad3ee7315b6497dbc8427fca6a2bc686911037e4c6c9976324eb23d7935f582903fe591fcc558d1473ac156079f4321425fb4be894db8e36c0dc7ca9e32e5c044dbdc2a18c1014a7a8a4ed9821ccbfa3ba75b0dfc0e479cc88cecbbba56b46af19f676203bffca6afc406b21a96c9151d1ec9297b8512bea7febd1261074c3507cdb778b81697c640000000d8b7eca0bd730ff42333086616ca35b3b6ae07a23a3e91319749449fa2a4bd82aa1f12fff41e07a7241ad40212b3904cf2fb29b6fa71100528bca24c380a70ca	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70f7b285cd02d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51ztzj.com\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A92BBED1-6EC0-11ED-979A-4A7553B9BC92} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
660	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
112	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
112	iexplore.exe
112	iexplore.exe
660	IEXPLORE.EXE
660	IEXPLORE.EXE
660	IEXPLORE.EXE
660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 112	1720	188cfec392ec2770e2074f28d894e9f7dc36c331b7f5015104ecd59b383df854.exe	27
PID 1720 wrote to memory of 112	1720	188cfec392ec2770e2074f28d894e9f7dc36c331b7f5015104ecd59b383df854.exe	27
PID 1720 wrote to memory of 112	1720	188cfec392ec2770e2074f28d894e9f7dc36c331b7f5015104ecd59b383df854.exe	27
PID 1720 wrote to memory of 112	1720	188cfec392ec2770e2074f28d894e9f7dc36c331b7f5015104ecd59b383df854.exe	27
PID 112 wrote to memory of 660	112	iexplore.exe	29
PID 112 wrote to memory of 660	112	iexplore.exe	29
PID 112 wrote to memory of 660	112	iexplore.exe	29
PID 112 wrote to memory of 660	112	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\188cfec392ec2770e2074f28d894e9f7dc36c331b7f5015104ecd59b383df854.exe
"C:\Users\Admin\AppData\Local\Temp\188cfec392ec2770e2074f28d894e9f7dc36c331b7f5015104ecd59b383df854.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.51ztzj.com/win7/index.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:112 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5b31af4d41f575f6c94c3c388f19737

SHA1
56c40eb5af4fb97438726a278377caedba12899f

SHA256
65abec0ed1d6fdba2b2a11c152f78a5785cc341c8644452f3eef8361943cf3d0

SHA512
cc13ba4f61f7d1c259b71a766fd4c3883386dc52b9360126b07d740798d4c5779f2a4f2998f19551e1c6032077db1258a5f26063c52fd65c1fd1579c5b3e19f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
13KB

MD5
39fbd31d747dd52951280fa03cd23d69

SHA1
d1ca9162634aeb1187729c6bc92bada11b90d247

SHA256
cb5a73c5ab6d59a49ac905b3c39b9fa737ae1708a74cfac5d00eb2c8aacb7431

SHA512
f9debe1d6514f86eb59e566b347fad0a38154315a324c8faa2e8757589778d23940db164166b5e47a1d922c40d21c28a5b09f15520915c35b0a1c4ba47ff1d1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VYON39FL.txt

Filesize
603B

MD5
9257288a50a049299d4b39b60c0ea095

SHA1
e46dc98c39c9778bf5d6cc24fd1eb39f14189a60

SHA256
aa362ae8c4b0502f40d014db8f1b3dca74aab32ef1ac2164391d53f16952202b

SHA512
bdf028ec7e2faa746ba6be87fb05583ab94d247de0b983f0194006f8d995a016b1c2beed459b160a89030b7babc96d03642fb974c7536ddf504303ab57f7dde4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy1E1D.tmp\Splash.dll

Filesize
4KB

MD5
ff8340b98dbd0c4f38d06627b97637a4

SHA1
aae736a26fbb1ed5e9fddd956115699a910b3435

SHA256
6dad450c8b77a4827899eb54347d6f0c3a225c56920b0565dbc6b63c33bc176f

SHA512
58eda9fdc3e69c651f96d2994c76afd9e09624de5622177996b3ca9cfb9fbadb4489996ac49d220de16963acc734853239b807c65c50f79d39f4b292925ec685

Download Submit
memory/1720-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download