Analysis
max time kernel: 132s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 19:12
Static task: static1
Behavioral task: behavioral1
Sample: 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe
Resource: win10v2004-20220812-en
General
Target: 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe
Size: 160KB
MD5: cc5d6ee284598e29bbbbbaacf0f2bdb9
SHA1: 87a6def747f1c6e913c3b08b22eb5bd4d8dc6038
SHA256: 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317
SHA512: eb316ffe5b471cad35a4ba280b2497e26e6050583d47c6ed2e97985badb71dccb1a61548f82711dd314e64e592daf4e12f21b35247ecd26f4797fadc81141867
SSDEEP: 3072:J+Nqwd5/hTdnGDAclTOsUH7VxFiKVO/GRiXkmt7WHMsT4BY8qDOQH:6vhBcloVaKV+GRmwIBob
Malware Config
Signatures
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pgfqff = "C:\\Users\\Admin\\AppData\\Roaming\\Pgfqff.exe" | iexplore.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | iexplore.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4028 set thread context of 1576 | 4028 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 78
Modifies Internet Explorer settings 30 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1612625301" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999395" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999395" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376430294" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1773562721" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1612625301" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1773562721" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7FB193BF-6F56-11ED-AECB-F6A3911CAFFB} = "0" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999395" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999395" | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
1576 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe
1576 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe
1576 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1576 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe
Token: SeDebugPrivilege | 932 | iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3984 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
3984 | IEXPLORE.EXE
3984 | IEXPLORE.EXE
4860 | IEXPLORE.EXE
4860 | IEXPLORE.EXE
4860 | IEXPLORE.EXE
4860 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 4028 wrote to memory of 1576 | 4028 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 78
PID 4028 wrote to memory of 1576 | 4028 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 78
PID 4028 wrote to memory of 1576 | 4028 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 78
PID 4028 wrote to memory of 1576 | 4028 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 78
PID 4028 wrote to memory of 1576 | 4028 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 78
PID 4028 wrote to memory of 1576 | 4028 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 78
PID 4028 wrote to memory of 1576 | 4028 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 78
PID 4028 wrote to memory of 1576 | 4028 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 78
PID 1576 wrote to memory of 932 | 1576 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 79
PID 1576 wrote to memory of 932 | 1576 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 79
PID 1576 wrote to memory of 932 | 1576 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 79
PID 1576 wrote to memory of 932 | 1576 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 79
PID 1576 wrote to memory of 932 | 1576 | 30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe | 79
PID 932 wrote to memory of 3984 | 932 | iexplore.exe | 80
PID 932 wrote to memory of 3984 | 932 | iexplore.exe | 80
PID 3984 wrote to memory of 4860 | 3984 | IEXPLORE.EXE | 81
PID 3984 wrote to memory of 4860 | 3984 | IEXPLORE.EXE | 81
PID 3984 wrote to memory of 4860 | 3984 | IEXPLORE.EXE | 81
Processes
1. C:\Users\Admin\AppData\Local\Temp\30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe"
   PID: 4028
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe
      command line: C:\Users\Admin\AppData\Local\Temp\30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe
      PID: 1576
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         PID: 932
         - Adds Run key to start application
         - Enumerates connected drives
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            PID: 3984
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
               command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3984 CREDAT:17410 /prefetch:2
               PID: 4860
               - Modifies Internet Explorer settings
               - Suspicious use of SetWindowsHookEx
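The SetThreadContext and WriteProcessMemory signatures and the process tree above are easier to read as a chain: the sample (PID 4028) writes into a second copy of itself (PID 1576) and resets its thread context, that copy writes into iexplore.exe (PID 932), and the persistence entry (the Pgfqff Run value) is then recorded against iexplore.exe rather than the sample. The script below is an added example, not part of the sandbox report or of the sample's own code: it parses the report's IoC lines (copied here as constructed input) into a per-edge verdict. The classification rule (same image plus SetThreadContext = process hollowing; different image = cross-process injection; same image without a thread-context change = the ordinary Internet Explorer broker-to-tab launch) is this example's own heuristic and is not stated by the report.

```python
"""Rebuild the injection chain from sandbox WriteProcessMemory / SetThreadContext IoCs.

Added example, not part of the sandbox report or the analysed sample. The
process list and IoC lines are copied from the report; the verdict heuristic
is an assumption of this example.
"""
import re
from collections import Counter
from ntpath import basename

SAMPLE = "30505b93c5f8faff3181d86b5591f16d116238c3b0b599e164436691bfca8317.exe"

# Process list copied from the report's process tree (pid -> image path).
PROCESSES = {
    4028: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    1576: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    932: "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
    3984: "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE",
    4860: "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE",
}

# Constructed input: the IoC rows from the report's SetThreadContext and
# WriteProcessMemory signatures, one row per line, as the sandbox lists them.
IOC_LINES = "\n".join(
    ["PID 4028 set thread context of 1576 4028 {s} 78"]
    + ["PID 4028 wrote to memory of 1576 4028 {s} 78"] * 8
    + ["PID 1576 wrote to memory of 932 1576 {s} 79"] * 5
    + ["PID 932 wrote to memory of 3984 932 iexplore.exe 80"] * 2
    + ["PID 3984 wrote to memory of 4860 3984 IEXPLORE.EXE 81"] * 3
).format(s=SAMPLE)

# description, pid, Process, procid_target (the last two are ignored here).
EVENT_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ \S+ \d+"
)

HOSTILE = ("process hollowing", "cross-process injection")


def parse_events(text):
    """Yield (action, source_pid, target_pid) for every recognised IoC row."""
    for m in EVENT_RE.finditer(text):
        action = "write" if m.group(2).startswith("wrote") else "set_context"
        yield action, int(m.group(1)), int(m.group(3))


def classify_edges(processes, ioc_text):
    """Return one finding per (source, target) pair that received memory writes."""
    writes, context_set = Counter(), set()
    for action, src, dst in parse_events(ioc_text):
        if action == "write":
            writes[(src, dst)] += 1
        else:
            context_set.add((src, dst))
    findings = []
    for (src, dst), n in sorted(writes.items()):
        same_image = basename(processes[src]).lower() == basename(processes[dst]).lower()
        if same_image and (src, dst) in context_set:
            # A parent writing into a fresh copy of itself and then redirecting
            # that copy's thread is the classic process-hollowing sequence.
            verdict = "process hollowing"
        elif not same_image:
            # Writes into a process running a different image (here the sample
            # into Internet Explorer) are code injection.
            verdict = "cross-process injection"
        else:
            # Assumption: same-basename writes without SetThreadContext match
            # IE's own broker-to-tab launch and are treated as expected.
            verdict = "same-image child write (expected for the IE broker/tab model)"
        findings.append({"source": src, "target": dst, "writes": n, "verdict": verdict})
    return findings


def injected_pids(findings):
    """PIDs whose memory was overwritten by hollowing or injection. Behaviour the
    sandbox attributes to these processes (such as the Run key written by PID 932)
    belongs to the sample, not to the host image."""
    return {f["target"] for f in findings if f["verdict"] in HOSTILE}


def injection_chain(findings, root):
    """Follow write edges depth-first from `root` and return the PIDs in order."""
    edges = {}
    for f in findings:
        edges.setdefault(f["source"], []).append(f["target"])
    chain, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append(pid)
        stack.extend(reversed(edges.get(pid, [])))
    return chain


if __name__ == "__main__":
    findings = classify_edges(PROCESSES, IOC_LINES)
    for f in findings:
        print(f"{f['source']} -> {f['target']}: {f['writes']} writes, {f['verdict']}")
    print("chain:", injection_chain(findings, 4028))
    print("injected:", sorted(injected_pids(findings)))
```

Run stand-alone it prints the four edges, the chain 4028 -> 1576 -> 932 -> 3984 -> 4860, and the injected PIDs {1576, 932}; feeding it a different report's rows only needs the process map and the IoC text replaced.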
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 779B
MD5: d15dbe6d4142e78b10cdd870004dd469
SHA1: fabb0cb6c8d54ec97eab5af8342442a4ee3ae415
SHA256: 0327ca984a77f2ae318c5a23cf4d1cacb5b5c0f0ad9f1e25ae540481436e6122
SHA512: 747fbc4ffbecc0635c87ff6f967a312c349c783f151c7454eef39aa6f9a7f38b802bddd6df59f7c4ab026088c4dc74c9330ed805f3e486344686eb702c442ffe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C
Filesize: 246B
MD5: 49325b64aac9e039483ca09fc977cda9
SHA1: 25aae89685795e66329bcca2a679db5250db3ada
SHA256: e8cb9109b59218c43b908ed28b956678977e08a6344e1d35fba3f98b7b7fe5ef
SHA512: 18385ad3be7913e3cb4a9fa2acdaa764e6bba99abef5d8b4882ce302c43e9ee04da977ffcc8541cd896db76c5ccdf8a9d314af03ccefa05586ecbfd574688052