88fc2d1a6ba13e7dcdf189f56766cb24a515f21f9d4938d967ad1f63a74b3eea

Analysis

max time kernel
138s
max time network
138s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 06:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

88fc2d1a6ba13e7dcdf189f56766cb24a515f21f9d4938d967ad1f63a74b3eea.dll
Size

74KB
MD5

59a50c4e71c1086bce270e3fb9d66284
SHA1

0a940c7e54fd5a4c11973d049f6ccd29272f408a
SHA256

88fc2d1a6ba13e7dcdf189f56766cb24a515f21f9d4938d967ad1f63a74b3eea
SHA512

0a9f47e3a9b9666ae62a26d90b62203cb1ed8de822060816aedb080e050456facdd4876f4e4399221175e9c74bb7bfaac8bd76f581f9c7c0a41243fdb5b0d97d
SSDEEP

1536:Ka5j7tWQQQkqkVgTrSiw+vU8mJqfo0XQYkk/7yO8VFCVL:KaFtWQQJBVgnS5oU8mQfVGk/2/jCV

Score

8^/10

evasion trojan

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	2044	rundll32.exe
172	2044	rundll32.exe
176	2044	rundll32.exe
184	2044	rundll32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\inf\rynksfqe.inf	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\uol.com.br	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "164"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\noticias.uol.com.br\ = "24"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\noticias.uol.com.br\ = "45"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "181"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\noticias.uol.com.br\ = "210"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\uol.com.br\Total = "181"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\tm.uol.com.br\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80c5b5179f04d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\uol.com.br\Total = "45"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\uol.com.br\Total = "194"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\tm.uol.com.br	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\uol.com.br\Total = "24"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "232"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\tm.uol.com.br\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\noticias.uol.com.br\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\uol.com.br\Total = "119"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\uol.com.br\Total = "164"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\noticias.uol.com.br\ = "181"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\uol.com.br\NumberOfSubdomains = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "242"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000007fe4955893251de79f79042a73181e6bdfb439d7fba345125413b17dfdb45ee000000000e80000000020000200000008763e262705bcdc34b774ccf6cbdd5709ec5a4ecb85f7c873df496df0c74eb3a90000000cbc29f5a7fcd1c6246bbd1f53009c39d0aa12474ae6870591aea827ddd5607992ee3e55843ffacd54c14bbd167557d0afb9cabdff09b2316bc4c5d3795a1f24785b1f6bb3055b428646bb0eaf83175d7a9b4c3cd6a79e87235f200bb93cf30c93cea0660adae5161bf72b61af26a88214e32c1ada7b0262edbcbc38663a81d79d19830ae826c79f65d64c50751acbf2d40000000e489183f21dd5d1e464d6842b0d31d4c8d9287ff2173833ff887e6d89d4dc675e72c5893b1c7a7eabb35c3e6f3bc839598496c8a1cc064369004dae66f8c732e	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376565857"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "24"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\noticias.uol.com.br\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\uol.com.br\Total = "230"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000ffff969eb3e25da52855e9c108885686c07db31ecb124defece05dff346f343f000000000e8000000002000020000000de101a50f81ca054a0b814e326008e5bb0615a67cdbb7caa23b45908c29825c020000000b2fe10a2c581cc70f974f7c00ce3f5afc7ac3890b3c153a189668e0cca17181e40000000592b61b1c33290d22d36ea476a3198d5bdb394b131ac26816b1360272aed9e2d36179b6e07dabdc15ccef77dc4aedc2d33963c9e9a348286bd6af674946d08d9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "230"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\noticias.uol.com.br\ = "230"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\noticias.uol.com.br	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "151"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "194"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "210"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\uol.com.br\Total = "210"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37F14BD1-7092-11ED-AE24-CE372EDB0509} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "45"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\noticias.uol.com.br\ = "164"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "119"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
992	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
992	iexplore.exe
992	iexplore.exe
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE
1328	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 1184 wrote to memory of 2044	1184	rundll32.exe	27
PID 2044 wrote to memory of 992	2044	rundll32.exe	28
PID 2044 wrote to memory of 992	2044	rundll32.exe	28
PID 2044 wrote to memory of 992	2044	rundll32.exe	28
PID 2044 wrote to memory of 992	2044	rundll32.exe	28
PID 992 wrote to memory of 1328	992	iexplore.exe	30
PID 992 wrote to memory of 1328	992	iexplore.exe	30
PID 992 wrote to memory of 1328	992	iexplore.exe	30
PID 992 wrote to memory of 1328	992	iexplore.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\88fc2d1a6ba13e7dcdf189f56766cb24a515f21f9d4938d967ad1f63a74b3eea.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\88fc2d1a6ba13e7dcdf189f56766cb24a515f21f9d4938d967ad1f63a74b3eea.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://noticias.uol.com.br/ultnot/cienciaesaude/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d6c71d55d7a27c6f2622b98b344b23a

SHA1
c31e5cda453fcd324f7135bd6377e67499489a47

SHA256
dc344f3fc7a37a63bc2f7de47e2537e3814069e86aa9dddac40df321aebd8192

SHA512
74c3e7147356c22ecb35d29cd97c55c060e67a8329b826509f289bc86ae40a91c95f3789d2fa0a89417aa1c51f195fd7d2583a3948e3f2a8c60009bb33907449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
138KB

MD5
838826fa0ede793efa6492e85757d3f2

SHA1
6f3d900d10138266f6706b0476fa54308dc394a8

SHA256
1feb2ea51cbec8613067664b2c8c6579cf8331d22fa7ef22a2dc9f169edbad1c

SHA512
cfa06a1e6aa7fd01809e1bc00792366a17a0981c1e1827bb389e8aae90a31e1545ba3f12b906a58cb9869dbc5ae586e0beca9ead50d4305a6438946d8c7a3ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BRZ07283.txt

Filesize
603B

MD5
f942a1a2a1d636f352597cea2af06394

SHA1
d71a0d33b965da5ab589ec7dad9aafaaec5121c0

SHA256
c2971058958a62bbaf0642d95219df26d939a501e63028bdaca80d754e1a78ef

SHA512
49f24c0ff89713b6d7f7e1436a0b816d8d06db8154df279eccb828c3e87f4cee172b74fe7f70659f085eb3ee51e1b45525947532215355676c97c5f472bdc357

Download Submit
memory/2044-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x0000000000193000-0x00000000001A5000-memory.dmp

Filesize
72KB

Download
memory/2044-57-0x0000000000150000-0x000000000019E000-memory.dmp

Filesize
312KB

Download
memory/2044-59-0x0000000000160000-0x00000000001AE000-memory.dmp

Filesize
312KB

Download
memory/2044-58-0x0000000000150000-0x000000000019E000-memory.dmp

Filesize
312KB

Download
memory/2044-60-0x0000000000150000-0x000000000019E000-memory.dmp

Filesize
312KB

Download