Analysis
- max time kernel: 284s
- max time network: 312s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/12/2022, 09:39
Behavioral task: behavioral1
- Sample: 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe
- Resource: win10v2004-20221111-en
General
- Target: 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe
- Size: 385KB
- MD5: e1d8e80851a24e1b3f4a9a6d6157eadb
- SHA1: 36e3fb9ffb8969dd3383b165f1eae59452377d78
- SHA256: 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b
- SHA512: 639008f7c9ceba4b0b2808c5f8d07971d6c3d9c41c2b468d96879a6f419fc16a12150123976f50e2917cdfb9e47eb893cb416d961053e36e10b707c6be327a61
- SSDEEP: 6144:lMjTSMUhdc4WIMQeCujuQkFRI+++192NcYDZTx4rstZvvObI5IOXup3NZDL0Cz:G9qMoTRc+T2NDZTOi0ESdL0g
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  3836 | G_Server.exe
- UPX packed file (yara rule: upx)
  resource | yara_rule
  behavioral2/memory/3608-132-0x0000000013140000-0x000000001322D000-memory.dmp | upx
  behavioral2/files/0x0007000000022dda-133.dat | upx
  behavioral2/files/0x0007000000022dda-134.dat | upx
  behavioral2/memory/3836-135-0x0000000013140000-0x000000001322D000-memory.dmp | upx
  behavioral2/memory/3836-138-0x0000000013140000-0x000000001322D000-memory.dmp | upx
  behavioral2/memory/3608-137-0x0000000013140000-0x000000001322D000-memory.dmp | upx
- Drops file in System32 directory (18 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low | IEXPLORE.EXE
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{562D26C6-732B-11ED-B5DD-FAE5CAF4041A}.dat | IEXPLORE.EXE
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | IEXPLORE.EXE
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | IEXPLORE.EXE
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Low | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\Favorites | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\Favorites\desktop.ini | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Virtualized | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatUaCache\Low | IEXPLORE.EXE
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Low | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low | IEXPLORE.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatCache\Low | IEXPLORE.EXE
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{562D26C8-732B-11ED-B5DD-FAE5CAF4041A}.dat | IEXPLORE.EXE
- Drops file in Windows directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\G_Server.exe | 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe
  File opened for modification | C:\Windows\G_Server.exe | 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe
  File created | C:\Windows\G_Server.DLL | G_Server.exe
  File opened for modification | C:\Windows\G_Server.DLL | G_Server.exe
  File created | C:\Windows\uninstal.bat | 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe
- Modifies data under HKEY_USERS (64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Connection Wizard | G_Server.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Flags = "0" | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Time = e6070c00060003001000370033002700 | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Edge\IEToEdge\LatestUpsellAttemptedSessionTime = "133145601105203102" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1120239869" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Edge\IEToEdge | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | G_Server.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{562D26C6-732B-11ED-B5DD-FAE5CAF4041A} = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | G_Server.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31000384" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore | IEXPLORE.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | IEXPLORE.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2568 | IEXPLORE.EXE
  2568 | IEXPLORE.EXE
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  2568 | IEXPLORE.EXE
  2568 | IEXPLORE.EXE
  3556 | IEXPLORE.EXE
  3556 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3836 wrote to memory of 2568 | 3836 | G_Server.exe | 82
  PID 3836 wrote to memory of 2568 | 3836 | G_Server.exe | 82
  PID 3608 wrote to memory of 4184 | 3608 | 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe | 81
  PID 3608 wrote to memory of 4184 | 3608 | 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe | 81
  PID 3608 wrote to memory of 4184 | 3608 | 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe | 81
  PID 3836 wrote to memory of 2568 | 3836 | G_Server.exe | 82
  PID 2568 wrote to memory of 3556 | 2568 | IEXPLORE.EXE | 85
  PID 2568 wrote to memory of 3556 | 2568 | IEXPLORE.EXE | 85
  PID 2568 wrote to memory of 3556 | 2568 | IEXPLORE.EXE | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe (PID 3608)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4184)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
- C:\Windows\G_Server.exe (PID 3836)
  Command line: C:\Windows\G_Server.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 2568)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3556)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:17410 /prefetch:2
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 385KB
  MD5: e1d8e80851a24e1b3f4a9a6d6157eadb
  SHA1: 36e3fb9ffb8969dd3383b165f1eae59452377d78
  SHA256: 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b
  SHA512: 639008f7c9ceba4b0b2808c5f8d07971d6c3d9c41c2b468d96879a6f419fc16a12150123976f50e2917cdfb9e47eb893cb416d961053e36e10b707c6be327a61
- Filesize: 385KB
  MD5: e1d8e80851a24e1b3f4a9a6d6157eadb
  SHA1: 36e3fb9ffb8969dd3383b165f1eae59452377d78
  SHA256: 75b2cae489415519c840721bec4d921140346e272c1db6f4eddb01584d17ca1b
  SHA512: 639008f7c9ceba4b0b2808c5f8d07971d6c3d9c41c2b468d96879a6f419fc16a12150123976f50e2917cdfb9e47eb893cb416d961053e36e10b707c6be327a61
- Filesize: 254B
  MD5: df7b7fe9bde6c2a2c9d786d10f51a1e7
  SHA1: 43da02acf62b6c13352175aa9c12b7746d73b0f5
  SHA256: 04e97b45d32b47773f57c83c928991eda477577bf0823543e7fca8846e8c3e3e
  SHA512: 2330d30c230f99211781bf2b4aac7ce2d1e9589d70224a070cef8288bf0ce56a46e934a4ed21e740ee5ee648fbe384374abbe37197f256fa10a902ea3597b3f7