4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6

Analysis

max time kernel
100s
max time network
142s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe
Size

401KB
MD5

1e2d8a6d5bedd11e058b18d2ec2a8fbc
SHA1

baa9c95f346e8d563a9e4a76b17e6f7aa0c2226d
SHA256

4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6
SHA512

3d02c33bec003272bbc0734f6e879c4c40a385057be1e243eee6534193eac976b5e3c2fe45ae8675f94e9321d8db1c8fae796b4341cbe7ec09cb9126d856687b
SSDEEP

6144:550gUCc5IQ5FMvhefYIeLX+ULIO3m95twAuZ+cL0udOIjWM8AvA7KGbN9cfjUiWq:r0gIV56SYIczVmjuldONAvA7KGbNuw+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1296	7za.exe
1268	rundll32.exe
856	starer.exe

Loads dropped DLL 6 IoCs

pid	Process
1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe
1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe
1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe
1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe
1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe
1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000a8809d6394687f57101fca3b6436c337a0f49d6c4623ae312d2e29de28005824000000000e80000000020000200000002981c0b2235c45ad57db27752193da959ba923b3d3df12fb29bd9d0145d50d73200000004ccec611837967ef01bc52e927c42fbd9f1888c50434eadf0e908245996402d1400000008491f32cff934b5787eb343bb4969cc8848f16f4e730072ba4e0f6465cc4bee98ffc15b8726d0fd48a73cb948fb36eaa93049b232605f9f083d23b0614674848	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{550E3F21-6FA7-11ED-9ECC-C253C434FFA8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376464975"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 704ae734b403d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000004a3609836a021d35b6d138cd02bab04fe78591616738e05f30c59ba97900f7b4000000000e8000000002000020000000b24d44dfdd1dc335d341ca289a77cf526579767a2dfa241c081eb81bf66f54dc90000000f70ebd81525b1213b05016b569ca64e6715f598472adcec948d67d366ed7c0b93e4559efcb91db24b3ea9c6e3454f856a0efa911ec77455fff04bd8ed55c6b539880fb55c5c0b204c20372b265e3730e18625ed8f9e421179d0bc8b2e7f660ba56e948f05275577863df39d8048b8ada876c76cd82b878338f5c096a93af20eb2773cee18ecf0ad48688ae68c3bd1bd440000000d78e8be54c7005a3efb68dfc02c5e1a7d63c87b41bd460d66abd7fbec2f2b422a4085b3eac18c0df27924bf463f95505ae0edbc3e1c99b3e4cb3bb76f40a0e5d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
268	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
856	starer.exe
268	iexplore.exe
268	iexplore.exe
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE
1512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1296	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	27
PID 1760 wrote to memory of 1296	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	27
PID 1760 wrote to memory of 1296	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	27
PID 1760 wrote to memory of 1296	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	27
PID 1760 wrote to memory of 1268	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	29
PID 1760 wrote to memory of 1268	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	29
PID 1760 wrote to memory of 1268	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	29
PID 1760 wrote to memory of 1268	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	29
PID 1760 wrote to memory of 1268	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	29
PID 1760 wrote to memory of 1268	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	29
PID 1760 wrote to memory of 1268	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	29
PID 1760 wrote to memory of 856	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	30
PID 1760 wrote to memory of 856	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	30
PID 1760 wrote to memory of 856	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	30
PID 1760 wrote to memory of 856	1760	4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe	30
PID 856 wrote to memory of 268	856	starer.exe	31
PID 856 wrote to memory of 268	856	starer.exe	31
PID 856 wrote to memory of 268	856	starer.exe	31
PID 856 wrote to memory of 268	856	starer.exe	31
PID 268 wrote to memory of 1512	268	iexplore.exe	33
PID 268 wrote to memory of 1512	268	iexplore.exe	33
PID 268 wrote to memory of 1512	268	iexplore.exe	33
PID 268 wrote to memory of 1512	268	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe
"C:\Users\Admin\AppData\Local\Temp\4ca22b7a7b2953baafabbe82bf8751373b1900ce52d7936aecc9972c32d9dca6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\a.7z" -pBTI7u8A66Q -o"C:\Users\Admin\AppData\Local\Temp\" -aoa
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Users\Admin\AppData\Local\Temp\rundll32.exe
  C:\Users\Admin\AppData\Local\Temp\rundll32.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\starer.exe
  C:\Users\Admin\AppData\Local\Temp\starer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://ilikeua.com/1.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.7z

Filesize
5KB

MD5
609a586468e2a2fb2c7e8f9c3984813f

SHA1
ce308a9b51bffc8b9504870ec8ab23cceb507be7

SHA256
a84107a114f465db4466708ccc898ee62f70d1648779248bc7d89e7a611f927e

SHA512
5371d4f23921bba3d2e576c1740e7b73823fc545c207c3f320a7cf118adab850d30a5ee77d0247f669ac96d64b0d8686ef535ee22cb2c51aa6837c9a8f7e0761

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\starer.exe

Filesize
20KB

MD5
e16edd984b5963e3dabbddd7d6737a0f

SHA1
a835149425c257712d44b0dc1e02476bb4dfbb5a

SHA256
978489c7490b696cd3c3aa683b73755b2ea743602271c4450417802915a67f89

SHA512
355cc8573413793e5b1f360b302003d22859aa9f3d32128e6d99035e58d8099e4b69e3bf061457f7dbb7712f77932991021cf9a08e632a081f134935fe428f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\starer.exe

Filesize
20KB

MD5
e16edd984b5963e3dabbddd7d6737a0f

SHA1
a835149425c257712d44b0dc1e02476bb4dfbb5a

SHA256
978489c7490b696cd3c3aa683b73755b2ea743602271c4450417802915a67f89

SHA512
355cc8573413793e5b1f360b302003d22859aa9f3d32128e6d99035e58d8099e4b69e3bf061457f7dbb7712f77932991021cf9a08e632a081f134935fe428f46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R59373XA.txt

Filesize
608B

MD5
0845d50d360592f9338b11e6b45e0e9f

SHA1
2dbdddc410b844b9b7eaf47dba18b85d0b0f9515

SHA256
a3eea0c1342d6f58ccd38e54276864ac01f7fbb3ba810f5928ee1bab3f451f32

SHA512
796c896c504737fad207ab14eabe70ae80e7a4521cf22bb06996aeee226eb8a9a35eac4f286fcc388ac98e12ddf96f025fd30c4447e3de3d0a91069dc65806ac

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1315.tmp\execDos.dll

Filesize
5KB

MD5
0deb397ca1e716bb7b15e1754e52b2ac

SHA1
fbb9bcf872c5dbb4ca4c80fb21d41519bc273ef5

SHA256
720be35cd1b4a333264713dc146b4ad024f3a7ad0644c2d8c6fcedd3c30e8a1f

SHA512
507db0bee0897660750007e7ce674406acf9e8bf942cf26ded5654c07682757b07c9eb767bead0966478abc554dc9a6461c4288dc35d12cacfadad4c128f1bb7

Download Submit
\Users\Admin\AppData\Local\Temp\rundll32.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\starer.exe

Filesize
20KB

MD5
e16edd984b5963e3dabbddd7d6737a0f

SHA1
a835149425c257712d44b0dc1e02476bb4dfbb5a

SHA256
978489c7490b696cd3c3aa683b73755b2ea743602271c4450417802915a67f89

SHA512
355cc8573413793e5b1f360b302003d22859aa9f3d32128e6d99035e58d8099e4b69e3bf061457f7dbb7712f77932991021cf9a08e632a081f134935fe428f46

Download Submit
\Users\Admin\AppData\Local\Temp\starer.exe

Filesize
20KB

MD5
e16edd984b5963e3dabbddd7d6737a0f

SHA1
a835149425c257712d44b0dc1e02476bb4dfbb5a

SHA256
978489c7490b696cd3c3aa683b73755b2ea743602271c4450417802915a67f89

SHA512
355cc8573413793e5b1f360b302003d22859aa9f3d32128e6d99035e58d8099e4b69e3bf061457f7dbb7712f77932991021cf9a08e632a081f134935fe428f46

Download Submit
memory/856-74-0x0000000003210000-0x0000000003CCA000-memory.dmp

Filesize
10.7MB

Download
memory/1760-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download