16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f

General

Target

16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
Size

144KB
MD5

203f8b6e09c6b46db6362b4987e96895
SHA1

5b8ad7739213eeafafdc72f7ec4d10a5b672686b
SHA256

16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f
SHA512

1490ef26050f5ac847c7f0a3fc705b5663f661e7e89187255767ddae748585e460d57e183e823458388da2d93a2a7940c758b79104b5fced2cafb9884c613100
SSDEEP

3072:lAr7XvVgyG22sUHsWvDvTWMlxfFj9WnIfypmm5DygXQqLZQ5X0V92ol:l87XdZG2rUH5v7Xl/j4oypxtOl0Vr

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

mspaint.exe

pid process

1760 mspaint.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mspaint.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqrhrg = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Zqrhrg.exe"	mspaint.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exemspaint.exe

description	ioc	process
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\D:	mspaint.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe

description	pid	process	target process
PID 1816 set thread context of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 set thread context of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1D4F0C31-6F2B-11ED-9FD0-D6EA6736E294} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376411623"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe

pid	process
1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exesvchost.exemspaint.exeIEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
Token: SeDebugPrivilege	1300	svchost.exe
Token: SeDebugPrivilege	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
Token: SeDebugPrivilege	1760	mspaint.exe
Token: SeDebugPrivilege	1840	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1912 IEXPLORE.EXE

pid	process
1912	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

mspaint.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1760	mspaint.exe
1760	mspaint.exe
1760	mspaint.exe
1760	mspaint.exe
1912	IEXPLORE.EXE
1912	IEXPLORE.EXE
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exesvchost.exe16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1816 wrote to memory of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1816 wrote to memory of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1816 wrote to memory of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1816 wrote to memory of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1816 wrote to memory of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1816 wrote to memory of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1816 wrote to memory of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1816 wrote to memory of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1816 wrote to memory of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1816 wrote to memory of 1100	1816	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 wrote to memory of 1300	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	svchost.exe
PID 1100 wrote to memory of 1300	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	svchost.exe
PID 1100 wrote to memory of 1300	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	svchost.exe
PID 1100 wrote to memory of 1300	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	svchost.exe
PID 1100 wrote to memory of 1300	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	svchost.exe
PID 1100 wrote to memory of 1300	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	svchost.exe
PID 1100 wrote to memory of 1300	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	svchost.exe
PID 1100 wrote to memory of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 wrote to memory of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 wrote to memory of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 wrote to memory of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 wrote to memory of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 wrote to memory of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 wrote to memory of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 wrote to memory of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 wrote to memory of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1100 wrote to memory of 1988	1100	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
PID 1300 wrote to memory of 1760	1300	svchost.exe	mspaint.exe
PID 1300 wrote to memory of 1760	1300	svchost.exe	mspaint.exe
PID 1300 wrote to memory of 1760	1300	svchost.exe	mspaint.exe
PID 1300 wrote to memory of 1760	1300	svchost.exe	mspaint.exe
PID 1988 wrote to memory of 1104	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	iexplore.exe
PID 1988 wrote to memory of 1104	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	iexplore.exe
PID 1988 wrote to memory of 1104	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	iexplore.exe
PID 1988 wrote to memory of 1104	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	iexplore.exe
PID 1104 wrote to memory of 1912	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 1912	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 1912	1104	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 1912	1104	iexplore.exe	IEXPLORE.EXE
PID 1912 wrote to memory of 1840	1912	IEXPLORE.EXE	IEXPLORE.EXE
PID 1912 wrote to memory of 1840	1912	IEXPLORE.EXE	IEXPLORE.EXE
PID 1912 wrote to memory of 1840	1912	IEXPLORE.EXE	IEXPLORE.EXE
PID 1912 wrote to memory of 1840	1912	IEXPLORE.EXE	IEXPLORE.EXE
PID 1988 wrote to memory of 1300	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	svchost.exe
PID 1988 wrote to memory of 1300	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	svchost.exe
PID 1988 wrote to memory of 1760	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	mspaint.exe
PID 1988 wrote to memory of 1760	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	mspaint.exe
PID 1988 wrote to memory of 1840	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	IEXPLORE.EXE
PID 1988 wrote to memory of 1840	1988	16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
"C:\Users\Admin\AppData\Local\Temp\16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1816

\??\c:\users\admin\appdata\local\temp\16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
"c:\users\admin\appdata\local\temp\16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\system32\mspaint.exe"
4⤵
- Deletes itself
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1760

\??\c:\users\admin\appdata\local\temp\16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe
"c:\users\admin\appdata\local\temp\16dd8e8144501c890b4b3a68983a78e4fe7578097cbdc68d9d7fbbd105e3374f.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1912 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5TU1TIOM.txt
Filesize
603B

MD5
6ea06baf4d2645979350754cf7381f44

SHA1
efae29ca5cd23c35c08705114d636b90d7414ed8

SHA256
5392388d404c8c17f8b3b70d2a2033869566808c05420e302aabfcd490bda693

SHA512
ae51334db6b31a02a4aee288a33bae07d76a76e5217113f975dae1a961bc463d809b573ca8f70935f6d945285bf71fb86a3efacecbc9e75c385a34e38af8b709

Download Submit
memory/1100-58-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1100-57-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1100-55-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1100-60-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1100-61-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1100-82-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1100-62-0x0000000000401E9B-mapping.dmp

Download
memory/1100-65-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1100-66-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1100-54-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1300-69-0x0000000000000000-mapping.dmp

Download
memory/1300-120-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1300-314-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1300-113-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1300-102-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1300-159-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1300-107-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1300-126-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1300-97-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1300-94-0x00000000002C0000-0x000000000030E000-memory.dmp

Filesize
312KB

Download
memory/1300-90-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/1760-315-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/1760-88-0x0000000000311000-0x0000000000313000-memory.dmp

Filesize
8KB

Download
memory/1760-86-0x0000000000000000-mapping.dmp

Download
memory/1760-124-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/1760-167-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/1760-118-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/1760-105-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/1760-112-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/1816-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1988-70-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1988-106-0x0000000000340000-0x000000000038E000-memory.dmp

Filesize
312KB

Download
memory/1988-100-0x0000000000340000-0x000000000038E000-memory.dmp

Filesize
312KB

Download
memory/1988-117-0x0000000000340000-0x000000000038E000-memory.dmp

Filesize
312KB

Download
memory/1988-89-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1988-111-0x0000000000340000-0x000000000038E000-memory.dmp

Filesize
312KB

Download
memory/1988-85-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1988-81-0x0000000000410910-mapping.dmp

Download
memory/1988-122-0x0000000000340000-0x000000000038E000-memory.dmp

Filesize
312KB

Download
memory/1988-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1988-163-0x0000000000340000-0x000000000038E000-memory.dmp

Filesize
312KB

Download
memory/1988-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1988-279-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1988-282-0x0000000000340000-0x000000000038E000-memory.dmp

Filesize
312KB

Download
memory/1988-78-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1988-74-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1988-72-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads