Analysis
-
max time kernel
148s -
max time network
180s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
03-12-2022 17:59
Static task
static1
Behavioral task
behavioral1
Sample
8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe
Resource
win10v2004-20220812-en
General
-
Target
8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe
-
Size
361KB
-
MD5
83c4c622187ef9cd7b756c27281e0608
-
SHA1
5f59b4f46fdf971f127545f2658af7b802e5f4fe
-
SHA256
8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504
-
SHA512
418ced6a56d3ebf45058bb0d1133eb9597c15dd6d823d0af435735d63382ae706a5f0edb34673ada9ecbbf25cbd8252dc10197177c382ae93a04ff4c367c2e6a
-
SSDEEP
6144:eflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:eflfAsiVGjSGecvX
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid Process 2044 vupgeaytsjecbwvq.exe 576 CreateProcess.exe 1664 vrokkgdrnn.exe 560 CreateProcess.exe -
Loads dropped DLL 4 IoCs
pid Process 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 2044 vupgeaytsjecbwvq.exe 2044 vupgeaytsjecbwvq.exe 1664 vrokkgdrnn.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration. The invocation recorded in the process tree below is `ipconfig.exe /release` (PID 1516), which releases the host's DHCP lease rather than only displaying configuration, so this is worth treating as a network-disruption indicator as well as a discovery one.
pid Process 1516 ipconfig.exe -
Modifies Internet Explorer settings
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E53C20E1-75B9-11ED-BB94-5A21EB137514} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0335dd5c609d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000077d05100c4b3bd46a4adf63eeb2d010800000000020000000000106600000001000020000000a42bca558e54762fedd0c0305745e8e6864484250e189a3bf912ecd657b7f9e6000000000e80000000020000200000001b80f7cfedfe2cc8fd4ae095732fcc6355a2ca71cd39250b0a77d6d52147792d20000000655102beb121bdcbd991725853525872bb4ddf462eedad45e647845e2d8e144240000000ca9bb3dbe9ea7cd35924537c0177de25211ae292154ee2ddfa3ac2accc3b7d30e283899e6ff9f6c33ee99b807e6dcd8998674d7d7a8fc33b4da4f7629fc489a1 iexplore.exe 
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376529571" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 
8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 2044 vupgeaytsjecbwvq.exe 2044 vupgeaytsjecbwvq.exe 2044 vupgeaytsjecbwvq.exe 2044 vupgeaytsjecbwvq.exe 2044 vupgeaytsjecbwvq.exe 2044 vupgeaytsjecbwvq.exe 2044 vupgeaytsjecbwvq.exe 1664 vrokkgdrnn.exe 1664 vrokkgdrnn.exe 1664 vrokkgdrnn.exe 1664 vrokkgdrnn.exe 1664 vrokkgdrnn.exe 1664 vrokkgdrnn.exe 1664 vrokkgdrnn.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 464 Process not Found -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1320 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1320 iexplore.exe 1320 iexplore.exe 1136 IEXPLORE.EXE 1136 IEXPLORE.EXE 1136 IEXPLORE.EXE 1136 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1848 wrote to memory of 2044 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 28 PID 1848 wrote to memory of 2044 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 28 PID 1848 wrote to memory of 2044 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 28 PID 1848 wrote to memory of 2044 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 28 PID 1848 wrote to memory of 1320 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 29 PID 1848 wrote to memory of 1320 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 29 PID 1848 wrote to memory of 1320 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 29 PID 1848 wrote to memory of 1320 1848 8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe 29 PID 1320 wrote to memory of 1136 1320 iexplore.exe 31 PID 1320 wrote to memory of 1136 1320 iexplore.exe 31 PID 1320 wrote to memory of 1136 1320 iexplore.exe 31 PID 1320 wrote to memory of 1136 1320 iexplore.exe 31 PID 2044 wrote to memory of 576 2044 vupgeaytsjecbwvq.exe 33 PID 2044 wrote to memory of 576 2044 vupgeaytsjecbwvq.exe 33 PID 2044 wrote to memory of 576 2044 vupgeaytsjecbwvq.exe 33 PID 2044 wrote to memory of 576 2044 vupgeaytsjecbwvq.exe 33 PID 1664 wrote to memory of 560 1664 vrokkgdrnn.exe 35 PID 1664 wrote to memory of 560 1664 vrokkgdrnn.exe 35 PID 1664 wrote to memory of 560 1664 vrokkgdrnn.exe 35 PID 1664 wrote to memory of 560 1664 vrokkgdrnn.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe — "C:\Users\Admin\AppData\Local\Temp\8499809f4b3f8f8ac2fa568c2d762d162b8376610e112339512aaad9f382b504.exe" — 1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Temp\vupgeaytsjecbwvq.exe — C:\Temp\vupgeaytsjecbwvq.exe run — 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\temp\CreateProcess.exe — C:\temp\CreateProcess.exe C:\Temp\vrokkgdrnn.exe ups_run — 3⤵
- Executes dropped EXE
PID:576 -
C:\Temp\vrokkgdrnn.exe — C:\Temp\vrokkgdrnn.exe ups_run — 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\temp\CreateProcess.exe — C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release — 5⤵
- Executes dropped EXE
PID:560 -
C:\windows\system32\ipconfig.exe — C:\windows\system32\ipconfig.exe /release — 6⤵
- Gathers network information
PID:1516
-
-
-
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe — "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home — 2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE — "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2 — 3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1136
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
3KB
MD5 1f21688ce0a7888878d4a097049b28cb
SHA1 6103dd2ffc369d56d176633764ff073881ff1a3d
SHA256 ef06b0cb906e3bcb4d6f234198c10c680545a38ef438de9aca14208f6589821a
SHA512 a77cc000bc59e9fd6076d21435ebf70f72e69b26bba43dc14c4539502cd6af25c80123df140cdaa79b4e8bd8fd7ee3c4f7807bedfa6905d821b5612e0c5ff2d2
-
Filesize
3KB
MD5 1f21688ce0a7888878d4a097049b28cb
SHA1 6103dd2ffc369d56d176633764ff073881ff1a3d
SHA256 ef06b0cb906e3bcb4d6f234198c10c680545a38ef438de9aca14208f6589821a
SHA512 a77cc000bc59e9fd6076d21435ebf70f72e69b26bba43dc14c4539502cd6af25c80123df140cdaa79b4e8bd8fd7ee3c4f7807bedfa6905d821b5612e0c5ff2d2
-
Filesize
361KB
MD5 8bce9db40a7db60e6747caec76f33734
SHA1 07b0e132c2719672daf63684ae43ffdd36db0674
SHA256 fe9192a6da0693cb5c433555afe68dba297fa6a1c4682c9a4f4d99200542a848
SHA512 d4d0b777e1eeeec8184b85fc355b11124c08f9f9ec48c30c936e46886f6aedd2e7055c88632520770871f812fac8f3a9e48cbd2cf6864a90370e373231634160
-
Filesize
361KB
MD5 8a1c9f6b8cd710fc4be2602452ffef38
SHA1 45c580d7176ce9442d389b8bf2825534ee7fb228
SHA256 a7ea27ed13cc3091e7b7cea56bbb3370576c3756e018c7c368c1b25e6f5b8d3f
SHA512 269fc28f7d225180990cad264342b60be7427914ef619df9d48e22516d4b5f005efa1c549642b7cf0bde171c6f383c20f9f417e240e68b3b46f7d88d72c27769
-
Filesize
361KB
MD5 8a1c9f6b8cd710fc4be2602452ffef38
SHA1 45c580d7176ce9442d389b8bf2825534ee7fb228
SHA256 a7ea27ed13cc3091e7b7cea56bbb3370576c3756e018c7c368c1b25e6f5b8d3f
SHA512 269fc28f7d225180990cad264342b60be7427914ef619df9d48e22516d4b5f005efa1c549642b7cf0bde171c6f383c20f9f417e240e68b3b46f7d88d72c27769
-
Filesize
3KB
MD5 1f21688ce0a7888878d4a097049b28cb
SHA1 6103dd2ffc369d56d176633764ff073881ff1a3d
SHA256 ef06b0cb906e3bcb4d6f234198c10c680545a38ef438de9aca14208f6589821a
SHA512 a77cc000bc59e9fd6076d21435ebf70f72e69b26bba43dc14c4539502cd6af25c80123df140cdaa79b4e8bd8fd7ee3c4f7807bedfa6905d821b5612e0c5ff2d2
-
Filesize
3KB
MD5 1f21688ce0a7888878d4a097049b28cb
SHA1 6103dd2ffc369d56d176633764ff073881ff1a3d
SHA256 ef06b0cb906e3bcb4d6f234198c10c680545a38ef438de9aca14208f6589821a
SHA512 a77cc000bc59e9fd6076d21435ebf70f72e69b26bba43dc14c4539502cd6af25c80123df140cdaa79b4e8bd8fd7ee3c4f7807bedfa6905d821b5612e0c5ff2d2
-
Filesize
3KB
MD5 1f21688ce0a7888878d4a097049b28cb
SHA1 6103dd2ffc369d56d176633764ff073881ff1a3d
SHA256 ef06b0cb906e3bcb4d6f234198c10c680545a38ef438de9aca14208f6589821a
SHA512 a77cc000bc59e9fd6076d21435ebf70f72e69b26bba43dc14c4539502cd6af25c80123df140cdaa79b4e8bd8fd7ee3c4f7807bedfa6905d821b5612e0c5ff2d2
-
Filesize
3KB
MD5 1f21688ce0a7888878d4a097049b28cb
SHA1 6103dd2ffc369d56d176633764ff073881ff1a3d
SHA256 ef06b0cb906e3bcb4d6f234198c10c680545a38ef438de9aca14208f6589821a
SHA512 a77cc000bc59e9fd6076d21435ebf70f72e69b26bba43dc14c4539502cd6af25c80123df140cdaa79b4e8bd8fd7ee3c4f7807bedfa6905d821b5612e0c5ff2d2
-
Filesize
361KB
MD5 8a1c9f6b8cd710fc4be2602452ffef38
SHA1 45c580d7176ce9442d389b8bf2825534ee7fb228
SHA256 a7ea27ed13cc3091e7b7cea56bbb3370576c3756e018c7c368c1b25e6f5b8d3f
SHA512 269fc28f7d225180990cad264342b60be7427914ef619df9d48e22516d4b5f005efa1c549642b7cf0bde171c6f383c20f9f417e240e68b3b46f7d88d72c27769