df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d

General

Target

df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe
Size

188KB
MD5

dbcc1c4520081b8b440a5dc5683de52e
SHA1

8ff871e09e0e6fb1bb800b6ecccd97407de02d0f
SHA256

df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d
SHA512

4b85e2a65cb8b25e3797760763ce43e421681ae723e903e30f73727b8eaab4ca16ae0c3c86b4f5d31fe8c1cb03c7289106766f9db9f561b8f5f0fb357c0e3070
SSDEEP

3072:ozNWMKKRZYchObK91C8sV6Xmoo4LEpYOH4XFMcXqmAtc+5vuesBpn:oZuuObR8sVImcyYOSFMFZJuesB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1636	Key.exe
1368	install.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	install.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Player = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Player.exe"	install.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\explorer.exe	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe
File created	C:\Windows\install.exe	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe
File created	C:\Windows\relaXXX.biz.url	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe
File created	C:\Windows\Key.exe	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	Key.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7EAF9261-75C5-11ED-AC54-767CA9D977BF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
764	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1636	Key.exe
1636	Key.exe
764	iexplore.exe
764	iexplore.exe
980	IEXPLORE.EXE
980	IEXPLORE.EXE
980	IEXPLORE.EXE
980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1636	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	28
PID 1516 wrote to memory of 1636	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	28
PID 1516 wrote to memory of 1636	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	28
PID 1516 wrote to memory of 1636	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	28
PID 1516 wrote to memory of 1824	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	29
PID 1516 wrote to memory of 1824	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	29
PID 1516 wrote to memory of 1824	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	29
PID 1516 wrote to memory of 1824	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	29
PID 1516 wrote to memory of 1368	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	30
PID 1516 wrote to memory of 1368	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	30
PID 1516 wrote to memory of 1368	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	30
PID 1516 wrote to memory of 1368	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	30
PID 1516 wrote to memory of 1368	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	30
PID 1516 wrote to memory of 1368	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	30
PID 1516 wrote to memory of 1368	1516	df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe	30
PID 764 wrote to memory of 980	764	iexplore.exe	34
PID 764 wrote to memory of 980	764	iexplore.exe	34
PID 764 wrote to memory of 980	764	iexplore.exe	34
PID 764 wrote to memory of 980	764	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe
"C:\Users\Admin\AppData\Local\Temp\df70005e2b76627b322871ac5421c8d70dc34dc575d3f84817c8bff492a72b1d.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\Key.exe
  "C:\Windows\Key.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1636
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  PID:1824
- C:\Windows\install.exe
  "C:\Windows\install.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Key.exe

Filesize
102KB

MD5
82714a5e0073bef31d2359c0a7be60a8

SHA1
f4cfd42b01d6d7d57ec92ff9cf6efd58a7a17adb

SHA256
bcdc6418d1afcfad0cebfeef6bc7e7ad59eaafed3b18e55076ca66d12a0d1bf3

SHA512
f31aca669e231532d3e2450be5816332be4d24f7f2c52c6d5b2431ac6f8c0d1a0ca4fdaa76c6fc787b7180903d7ba8b599ea009cd362e343a3abd955eeda0768

Download Submit
C:\Windows\Key.exe

Filesize
102KB

MD5
82714a5e0073bef31d2359c0a7be60a8

SHA1
f4cfd42b01d6d7d57ec92ff9cf6efd58a7a17adb

SHA256
bcdc6418d1afcfad0cebfeef6bc7e7ad59eaafed3b18e55076ca66d12a0d1bf3

SHA512
f31aca669e231532d3e2450be5816332be4d24f7f2c52c6d5b2431ac6f8c0d1a0ca4fdaa76c6fc787b7180903d7ba8b599ea009cd362e343a3abd955eeda0768

Download Submit
C:\Windows\install.exe

Filesize
16KB

MD5
6f62d5fadbd7d5b9914d06a5c6a9c3cb

SHA1
bb2c8f2893f5486dcb992f4c0466a5c08d7c1cc4

SHA256
ab9968cd869cc72172070b13ad04f1a36b508126774a7a02eee3923646651881

SHA512
9a3d83f258d03a4e761e0ee015428b5aa4a2f60a611a62ae9f191dd55330899d92102bce9e0c09656b8f0934632375df7b1d1133f2cbd94ef5fcebf988175606

Download Submit
C:\Windows\install.exe

Filesize
16KB

MD5
6f62d5fadbd7d5b9914d06a5c6a9c3cb

SHA1
bb2c8f2893f5486dcb992f4c0466a5c08d7c1cc4

SHA256
ab9968cd869cc72172070b13ad04f1a36b508126774a7a02eee3923646651881

SHA512
9a3d83f258d03a4e761e0ee015428b5aa4a2f60a611a62ae9f191dd55330899d92102bce9e0c09656b8f0934632375df7b1d1133f2cbd94ef5fcebf988175606

Download Submit
C:\Windows\relaXXX.biz.url

Filesize
262B

MD5
7cef5d11148fa1c99dbfedddd09cce0e

SHA1
4733117db8d6988ecdc71bac3eb94b70e0b1a76e

SHA256
d19d19454afd241e5f9b7d3a04be9d36ef6e14e16503d965be79e0a459f9207c

SHA512
a92706855ac60916b8eb82f92190b0b5711ddf7e3af768d28d1a7d97876e7b3d6a0c7cbe8bf7622c7a4f71e245f255ec2dc40fa49f6eded239565d542e8e38f1

Download Submit
memory/1516-54-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/1516-55-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1516-67-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1824-61-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads