9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf

Analysis

max time kernel
126s
max time network
138s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
Size

548KB
MD5

bcac5c5ef7ccce5c3bdfdedb45eb4ed9
SHA1

4a526ca4f280c4547f9db9bb24ca4421e5de0ee6
SHA256

9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf
SHA512

14c98d3be7cc1bffa203a379c3574edac8af68e7b0b70d0aa1a39ec31d66439cc918b5a3bcf10ccbcfb36a4a7d91269d2d5c988085e0a9084b93b89412ca6650
SSDEEP

6144:ruILfhw6sNs/9mjcfcUVaxxnDex+2LQKHK:CIpfcKtx+2L

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206c2874830ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377213673"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a607c19f87a9846bf820d65ab059a47000000000200000000001066000000010000200000001edc52fcbd3706b0027663f3b0564dba82e7d1e1273107ca8ddfc093e03e7494000000000e800000000200002000000006a23efd616853660af1b9356fde795ef0f099261b98fee90eb8ee256cdf26be20000000481669d3cc01d73d403eaac13d09c990519d9682e1011af11e8424175051e64b4000000037ad63bdb29cf35b4021d3ffbb6bc10ee0f642c12e6badb0b689570f64e78bc437ba4f0537f54afd66665db44a1ca8b4c4369d6b38714bd32c4fcf3f0b7212c2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{861A2400-7676-11ED-B40B-E20468906380} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004a607c19f87a9846bf820d65ab059a470000000002000000000010660000000100002000000077e998b80ddc2a628767732f6b22de37c956e780b6ca7c33dcefe32938fb84c6000000000e8000000002000020000000ad995b64ce79ae887d012c97296ef8242857325dd93dc48b553bfda1be9a4a2390000000e5a6e2fcab14413489f5bf59e2804de02be3252d5e7bf7e095f7dc62fcbdfc279a844fc3c7d81cadc770c54f3e49f612ef146640dd6b7c6ea443d1658dfd6321d05d9a95fa756d43f05c585b9f4d82bbe0d267c689f8a52f2b7a0f3d7e63ec48087958ef79463495dd8c8dd84b4321ea0497d043168b8582e587252aff02e72fad169c0c074931ca4b4a1055d60ad33c4000000068cb541e75ec015948c9c7c9d3b53848139d52e96276357d1d5f42a05931182e904cb483c3bc4d00606ec2cd9011675284a187882121e768c8360c59304df757	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
112	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
112	iexplore.exe
112	iexplore.exe
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 112	2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe	26
PID 2044 wrote to memory of 112	2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe	26
PID 2044 wrote to memory of 112	2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe	26
PID 2044 wrote to memory of 112	2044	9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe	26
PID 112 wrote to memory of 1524	112	iexplore.exe	28
PID 112 wrote to memory of 1524	112	iexplore.exe	28
PID 112 wrote to memory of 1524	112	iexplore.exe	28
PID 112 wrote to memory of 1524	112	iexplore.exe	28

C:\Users\Admin\AppData\Local\Temp\9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe
"C:\Users\Admin\AppData\Local\Temp\9fb99277daa426d0c490edabe1c69fff46cc82c92b603cc577b86497413ab2cf.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=ZvizXaqutWM
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:112 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
a983bcfa5ab8f0244fc4abc63545d26a

SHA1
e127dca3bfd07fa833046d4b32a095fcdacde40c

SHA256
de5f77ecb5873478f476dc633741fc4ffee27de471de86f670fb65b89572131a

SHA512
b83a80ee3bca2428b918a80a64c0c1e57d8ac8fae1f33f22e147f9cab4f60b08591a48f77b55b09e895326f7d19cf055e4928c600c805635d90e8180a78f5eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
5KB

MD5
d1ab4a74654d5241e4473084dd706e0c

SHA1
dfa210d151e24d2978e86c548c946c186fc55d92

SHA256
c0bcbdfe776d3b75c091162bd731ed7f5285a3e7702b601f714d8122375ec92f

SHA512
64cf3e2b7cacf8bcca213fc5df6803445762fe2b1ed7edcefc62079b2cb8fcc70a86b481e56140389bab39015a55583f9008ddf4431de655b529caa8611a4851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FCUICAO0.txt

Filesize
606B

MD5
37c465d31c3fc5d84856058ec6be336a

SHA1
c640759c5bfb21745443148cacdf0159c0661d93

SHA256
7ab41ff0cc12606d1e89035d6f4b7a6f90e6d4cbd027a84677038eadd1ec5585

SHA512
2af348a720944a459132a32d46df4ad168b8400d18f93554d100f6bd964a7878dc1a4ba6cbe274b8cc901d40d544e55064ef2bcfdaadc36c567228a00f0721e5

Download Submit
memory/2044-56-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2044-57-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2044-59-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download