2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59

Analysis

max time kernel
175s
max time network
201s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe
Size

1.6MB
MD5

370223f429c741800b0e645662f2ec44
SHA1

9ae49e07f2f20224862fb88a44c7ea07a251636c
SHA256

2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59
SHA512

3b2431acc3e71bfc1b24a102b366f9d2d630a182c21e29293538fda721a8eb6ed9aace6b5a1ff37646fcf140baf80b6101cd4adf5344a909a48c9f39e6d291fc
SSDEEP

24576:DJf0o2gDZATBBsHeQGZfkRq2WBwjWeVdzZPQes+Th/7w74J6J:DzATGZlEeVbb/7w74J6J

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\xiugua.net\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0bbee552805d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\3pgqt.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376624794"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\xiugua.net\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\xiugua.net	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.xiugua.net	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\3pgqt.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.xiugua.net\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\xiugua.net\Total = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.xiugua.net\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000db536f3b2e36214ba6cc671711a3e8d70000000002000000000010660000000100002000000099dfb9d93013919e2bf3005373b4db1b969930ca5c5c5c0897c03631fcb9c8ef000000000e8000000002000020000000f450d580027c1f38e77a39ef729f796aa43740387df5ceb21980a1eacddce09c2000000069c5129fca8c30fc71dee6cd0ac35e68b42bff64936cdbdbef2b6376b9a37e904000000093d3982e7c1b5e7493acbec522fed553791f1eecd56d80415cf1778f8657c74b721e83eb63041d6762f002f3b0c3735e15a797a8a539962e210670fbfbf52d0b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000db536f3b2e36214ba6cc671711a3e8d700000000020000000000106600000001000020000000ca734a94fd2ad2d45da36b0d24e4f5cfbbf36644a1b54804a088919603ca5c62000000000e800000000200002000000021ab0ebf421ec2a206937aa99ac21b4d02a7fbf1cf781b484e1776e02534fcbb900000004f964cef78c9bf0780b1943082251b31f4cd19e66a9b32c01bfb66ee845c1c63595401a7340860540947b44b7218f1054a3fbd291658216d9b56341ff30b664be399536e8e7108c4808748c9e7d183f7e578caf589a1b9f88357a77f643c119e3b8666150032a17b7839286e73b69a40a68185250e137a23407a65b0796ec1a03b252437850f6c4d584bb4ffee5e850f40000000a94ccec6cbb5e6d3bf263ebcddddbf748bf0a47e650c178151c88d9dc35f8746f00dfed52fb0b7874ba2a4f30ed786dbda463fbca3d3e6208909ab188b3b08ea	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61DEBB61-711B-11ED-9351-5A21EB137514} = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
828	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
768	2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe
768	2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe
768	2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe
768	2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe
828	iexplore.exe
828	iexplore.exe
340	IEXPLORE.EXE
340	IEXPLORE.EXE
340	IEXPLORE.EXE
340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 828	768	2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe	30
PID 768 wrote to memory of 828	768	2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe	30
PID 768 wrote to memory of 828	768	2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe	30
PID 768 wrote to memory of 828	768	2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe	30
PID 828 wrote to memory of 340	828	iexplore.exe	31
PID 828 wrote to memory of 340	828	iexplore.exe	31
PID 828 wrote to memory of 340	828	iexplore.exe	31
PID 828 wrote to memory of 340	828	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe
"C:\Users\Admin\AppData\Local\Temp\2c44b9dfaf73d54ec34479ca3bf3c972672af62c10c134911fd6042f067aab59.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xiugua.net/wg/dnf/20130121/1754.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8710459a9c88420266abe4eed74c041

SHA1
d8b3dc08e8d0505339afb66a53e75f3bcf00dfa4

SHA256
6bbaf95056b7405b9acaad3aed6f297d19afd2fb83d88ce065ab5389df7373a9

SHA512
44e39cbfd8cf08ac577178f05016fcdebd5ea96968621088a56af2ea6c0093bc9ba65af94678df81a75cc0722f4c3e855c2b448dcdb11d8967ff26a5e612be73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b2fe9f51b6cfdda8fa3edc25ac565cdb

SHA1
b3b0617a1c5b06676f14deb13112b1edb2bb5ddf

SHA256
cd578ef8bfae3f4cf5820b9e95d89640dedb7f33dc5f1f3ea2c80c46080f0d62

SHA512
d0cb9c7f96a623341341936fba53bdf7d2a7161b2e85b913fd436fec3e92457038133ebaa472b87437d5df21284493d0f4be8a276fbe628bbf2ffb381bc89012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat

Filesize
8KB

MD5
a5a3655c50e2c3dbcce7c602d48458e6

SHA1
aa5ce6b52a220f0f9c964eb6ab2ae1aa4c3bc1f7

SHA256
2e60b987515613613caaf567f863d334554becfbecf2a2af48033986c1578224

SHA512
90bce377c8d71f626555117535102e9c0891a13db8138fff3d20d16b603987263683763e73ec535dcda9f0d710331d08e78533dd41a56ed194e4c11d75cad0ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BPXC22NI.txt

Filesize
539B

MD5
53d19290376b97f6e485cb4b405549b8

SHA1
ab3b7769140910129fc1963154a88efc57287958

SHA256
7ae3bdee6dfb28db25a9a2576b2da1f816726245ab3a5b0eefe69baccdfa8e8c

SHA512
b27ebe67a711d86e79479ea8f53431844c58c6e7732a990ab838a291cccf16b40d2eb3db32d593be60391d6be9fbc216f869ac6b838682c398f3277c37fb55c3

Download Submit
memory/768-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download