9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7

General

Target

9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
Size

1.7MB
MD5

de8f507d8ced9abe1b50ca36361a2de6
SHA1

903c00428f1239fe3c8538d9c3348caa0915c18d
SHA256

9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7
SHA512

700219b20717feea27d20d26e44f3dd11d547f1da21f7cd38c591beecb79790c3ef3b4b2c95de790ec8c6b0b42facad84419802fdc30387d5dcfaef61b96dc23
SSDEEP

24576:b5SuxQf2VotQU1aWyyk4rV9kis/Gu4rEH/Oav6rbVf+iGEF2jnq8gs2hsC5e:b5SucTazBGTm/OacVf+rWKbg5de

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe

description	pid	process	target process
PID 1064 set thread context of 1648	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aac8759ec8d3884eb9cca40e44166849000000000200000000001066000000010000200000001c0184f60976c8a1e55181541b0ee1537c9a14cb5930d48defb20fc9d8795550000000000e8000000002000020000000667818acc7ee62ba36905c2fc4c939fbf74008df70fbbbff057eb37fff325ae1200000002f35ab8772876f2cca41d4e1fd3a5dba92f97a8ad9ca349c0d06a265126bd463400000006e0b71f6b3323e6c5da290fb1374ca5c6bdb6ba24abdd79b0a7fa96a3a170cfb3257e5d4a1d6c203baad33cdca1f13fbc40c994d1e217edaf7182a4ec79ce49b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aac8759ec8d3884eb9cca40e4416684900000000020000000000106600000001000020000000b7b1ddda985b6fe07fd63c3457f7157878fabd51efd61c4d74a7092af2bf426d000000000e8000000002000020000000f0565cd31ba5efa9627af1d3a8e0ad90a195efba37e1271c3379ac580887c29190000000508fde3d71b51f73290b05756f0f3269c519c89d7cbf848519ac1e28ed5c23ca71f1eacd8ff3194cc5c7db70767a3b0ccee9503062c3a11c05bca80632607a38c7d7de21f306874a9b190ecdd3fff32c7e31529e52b48ba1a72ac1384d20077f1d034e8ad1ad7f4f6117a9f18aca49c5c825afb53de9f4d6290f8960b6ef4baf746ad9f405db6385914bdaa519d66d8b40000000ab98116c8f30b71bb63358f2ad16dcd743e5267da4926cdfca47e091cebe1ecd742a547be6a8a2a734a3c2d71d8ba884e0ac9dcc752d629decf702f98930dcf2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e07cd0d0ee05d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376710058"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F6764601-71E1-11ED-A920-7ADB5DB493F4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

676 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

676 iexplore.exe
676 iexplore.exe
1520 IEXPLORE.EXE
1520 IEXPLORE.EXE
1520 IEXPLORE.EXE
1520 IEXPLORE.EXE

pid	process
676	iexplore.exe

pid	process
676	iexplore.exe
676	iexplore.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exeiexplore.exe

description	pid	process	target process
PID 1064 wrote to memory of 936	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	splwow64.exe
PID 1064 wrote to memory of 936	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	splwow64.exe
PID 1064 wrote to memory of 936	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	splwow64.exe
PID 1064 wrote to memory of 936	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	splwow64.exe
PID 1064 wrote to memory of 1648	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
PID 1064 wrote to memory of 1648	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
PID 1064 wrote to memory of 1648	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
PID 1064 wrote to memory of 1648	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
PID 1064 wrote to memory of 1648	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
PID 1064 wrote to memory of 1648	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
PID 1064 wrote to memory of 1648	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
PID 1064 wrote to memory of 1648	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
PID 1064 wrote to memory of 1648	1064	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
PID 1648 wrote to memory of 676	1648	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	iexplore.exe
PID 1648 wrote to memory of 676	1648	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	iexplore.exe
PID 1648 wrote to memory of 676	1648	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	iexplore.exe
PID 1648 wrote to memory of 676	1648	9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe	iexplore.exe
PID 676 wrote to memory of 1520	676	iexplore.exe	IEXPLORE.EXE
PID 676 wrote to memory of 1520	676	iexplore.exe	IEXPLORE.EXE
PID 676 wrote to memory of 1520	676	iexplore.exe	IEXPLORE.EXE
PID 676 wrote to memory of 1520	676	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
"C:\Users\Admin\AppData\Local\Temp\9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe
"C:\Users\Admin\AppData\Local\Temp\9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=9166d75269a02fe9e1ffaa2dca54bc701240fc8e2d374f46cf9500739c75aef7.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:676 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CF4VMRX1.txt
Filesize
539B

MD5
33fe7f843e15573727d24d79a70a53e0

SHA1
5f59e080df5ddfef13e57e5ac784f3d59a154f36

SHA256
3e7566c74a25eca14c53873ee23284971229423d3f2a87461c78cd898e877563

SHA512
5440c0c2ba2c359faa4a702049e43a824a91d7b14efac7b441996546be93d7565593966764b9921ccbd7fed92e64549cb27788c37feaefe1f44fc1ed7c1c3163

Download Submit
memory/936-55-0x0000000000000000-mapping.dmp

Download
memory/936-56-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1648-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1648-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1648-66-0x000000000040C50E-mapping.dmp

Download
memory/1648-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1648-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1648-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1648-68-0x0000000000402000-0x000000000040C600-memory.dmp

Filesize
41KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads