96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70

Analysis

max time kernel
124s
max time network
143s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe
Size

536KB
MD5

a11027cc67801ea5c8bc8e87405f66a7
SHA1

68bb583b80b2798533f6af4c673a095db221fdc9
SHA256

96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70
SHA512

9c1ddeafaa9d9ecbbe6fceecddd0b681f9e7079e15dc238677a98fcb5e7a692e01b1b3457c99ce4f7ea2f7c2084ab3e6b75e088454bc963d6f37dab9e49b548a
SSDEEP

6144:L0xWAiRvFr84JQc7zLII6SDzAWziUwlx9hg74MZ5MoDIHQdqk3gJTTlh4GVzXg:LQ5iPi8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008de904f53472b049b8841a1a744a39920000000002000000000010660000000100002000000097bf4a5d8bca436ee97a7663c767847a86c7543781ce0d7a25f22b978ab9b0e7000000000e8000000002000020000000033fb76b2035a6865ec36db3a734a0df1a4fd7c0bdca28237ebe63e1e22596ff200000000166da969fb1b8ebaba6dc0561cc0a7f709e8e48c9b24e27ca8bdd47e727d7fc400000002462f29ea2177c3748ba0380cf67246a17154897d8ac7d6dd7ea7f5dae7cd746dc51c0f90be2c494b2e4b6256fbec6cf3f0ee9b2e026c4d4816cdf0c5e0f41c1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6595A721-766E-11ED-AD72-5E7A81A7298C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377210179"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008de904f53472b049b8841a1a744a399200000000020000000000106600000001000020000000bdc9e44be9a5f5df66b5a3179a60f99b7d13273ceef799494d7095532cb33fc6000000000e800000000200002000000041f4e72f1c7eeea31818fb0702e0b056f7e95d61a3a2738f4ff3d4263de543ab90000000d3e6a79aec56e5c6854a8fa7abe5320c3667f147473fd8a1436517a9a79e991d72e62ca69bcb7ebdec98692a543c5bb52e8d5655a24d9a5bffa2c1bfc55e194ee1b6e4a23cbab2a9aa02a9cd70e0c8930c1042470b1f21018b33fd128d91d1af9f55740ee7e0bfa683f0bd8f8ea1da4a19fd21381120f25ea9b781403b4fcb1af176bf018cc9b13f26caecc7cd9a4792400000003c3ddd1d2d7e3ea0cb7fcdf860ada18c53aa61af859dfef0a6e3e0193707372cfe7ff0fc903cc64e5c99a864895228567b38207ef57b4f96ecad9ebb393bbe11	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80bca54e7b0ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download	96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1288	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2016	96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe
1288	iexplore.exe
1288	iexplore.exe
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE
1716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1288	2016	96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe	26
PID 2016 wrote to memory of 1288	2016	96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe	26
PID 2016 wrote to memory of 1288	2016	96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe	26
PID 2016 wrote to memory of 1288	2016	96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe	26
PID 1288 wrote to memory of 1716	1288	iexplore.exe	28
PID 1288 wrote to memory of 1716	1288	iexplore.exe	28
PID 1288 wrote to memory of 1716	1288	iexplore.exe	28
PID 1288 wrote to memory of 1716	1288	iexplore.exe	28

C:\Users\Admin\AppData\Local\Temp\96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe
"C:\Users\Admin\AppData\Local\Temp\96d1684abc120d9eee9a4f93bfa9513c98113c879000eca8614851afcadbbf70.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=gOO_UqzEc5Y
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1288 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3707591520da296915ae3bfbf43e5d89

SHA1
9c41c94a20027ebfffdfabe19c8a4ab4fb09f5eb

SHA256
8899393ede02d538eaf74c4fa877975171e936ae4a79c9220cf8e065e1f6c80c

SHA512
e733ab416aa3cc9b7c2ee7b231c75a75e033ed7857eba4a8fb744663107bc726f42d251ed6a3e86147abe76a462fdb2d8921052fe3289c0c90aa71657e1e661f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
5KB

MD5
2babeb8d6b87ad960e51ccdaf0d797dc

SHA1
9727c32d54c6598ee063d82ba619effa96eac647

SHA256
97024c933ff5dbc312b94f9129ed227ae40e685bdf531bc8cb256665412c00af

SHA512
348c7d40292fe29875dec578a5355344c6ae5dc33a400f7f0bb4aad4c5377512f8487fa77f54b46ac2d454d26d6284cc248f5d8e6b55fc0a8103bc23c801e80f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S1HBPEPF.txt

Filesize
608B

MD5
178550fa9b4e63ce923f3e1e1abaa647

SHA1
601dfc0541dff0d29fd68fb6ba4ad5983c0ee011

SHA256
5ccb8be91a46ed30d5498466c3c923f4d5944cd24b1dec5dab5b52bc0fa687db

SHA512
c500617663932f9bcdc820703f11f18d4b5601ef89912c0626153046c7518149fe61cf8dce5b3b70eabbee4aa8faafd75fb61da30e8cbe06539cadb8ff70984e

Download Submit
memory/2016-56-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2016-57-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-59-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads