cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea

Analysis

max time kernel
175s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 03:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe
Size

972KB
MD5

b06da495c034b62ccb01c093d55e2ff3
SHA1

db6d54f68ef84771e7cc976827a50139807d4e6e
SHA256

cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea
SHA512

56e190a3223edb6bf4874e0bb7d8feb26d284da37bc56fc335e17b00a5dcf26150cb5b4c1c49b77c13628fb779e6df584760f3430fa91caa85d9175872951957
SSDEEP

12288:VemBePmzJ/iRjvdN1MSp2eQgQr18ggSCGDE:VvBRzJ/GjFN1MSp2Z8ggSCCE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
600	IE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\IESettingSync	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
920	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe
920	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe
920	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe
920	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 600	920	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe	83
PID 920 wrote to memory of 600	920	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe	83
PID 920 wrote to memory of 600	920	cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe	83

C:\Users\Admin\AppData\Local\Temp\cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe
"C:\Users\Admin\AppData\Local\Temp\cea390ec84db5125f0a81be5f1470c39a7b987d503467c4c78bcf671613d6aea.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Roaming\IE.exe
  C:\Users\Admin\AppData\Roaming\/IE.exe
  2⤵
  - Executes dropped EXE
  PID:600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\IE.exe

Filesize
26KB

MD5
9a2a37badbefe91a21e139b349bb257d

SHA1
8225e66e08a54455e07a2c4e06932455cdc8f1e0

SHA256
b0ccb25aca604cbb4afc40cdef2a247258dd8a6ba97dcb5b6788bc90b3548130

SHA512
ea3eb01403bc8b184c7c0323bed48dc7d6800b90bf85770f3535c6228737e399119598ed38ee7e5257a3df1a156442ae3a1d53d209e672a9560cc40cf5c3fd5c

Download Submit