a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657

Analysis

max time kernel
129s
max time network
173s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe
Size

137KB
MD5

0b20e0c3e0b1fcdbf35bc033dd925a00
SHA1

2d4ad10bd65c99bbbfc9e7f44c7a4bcf0518f495
SHA256

a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657
SHA512

e238996860308474a8e3de8f27bf76fe77b46348245ab001533ab1686f99a4c31e415a203bc7ebe63a1723b428c15143e4203fcf2f069e49d92d2399534b4b77
SSDEEP

3072:nDYhPk5Hb4QXTiKZ7dYaATMl3FoFBZkIKz0RDx/Eqk1e:ng85HsyTiKPUMtOfmIR5O

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000086b529921f77d44b24473ac771caa5990b2035c4ad91f1e23dd726faaf6c1279000000000e80000000020000200000004083a8419904ef37d4efc09f0dc2f6e638152268b19a7b3dcfe3ee5ffd9a0afd20000000f025ef1ff892d73150d59e2e4ee638e94f387522a0712b9f1bacc4688628fa0a40000000d8eab5e5909ead9ae6239a0c5cb3928da6009954409a607d30da7550f014172b91cdb3846f43e32926a5c10a125f9e9d6edd0c565c390ec0276ecbaa3a5b9b16	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download	a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377211203"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402234b67d0ad901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C7AA0AD1-7670-11ED-8BE9-EEAC7132E42C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af000000000200000000001066000000010000200000008f33c6858eca8ebba5ff322aaf6fc8c9714519e6e7b8fdf1e78aafba23c85ba1000000000e80000000020000200000006a0faf25307de1bd5b72b1fbffd4d1b9da79e8a0e8d515f9958665746ff7c6339000000003fa65182e5523e43e3d752b6a4cc62b42008de61930548bd873e734d4c140e06e4cf9c53e798cb1b20612b4de388a89d056546731f0259c2a3b0902859d52c36121d4a2fde1b3ce5f68971bc4206ab1d60d61b07f7413eebc52ec6e526630c19a7559e9426b7650c03ce3ed159b915046e4817c33dae80777ffcc3c3ef24bed0c8177d6619976556252706fdbc73a8d40000000bd43005e7b95c11020b016d17fc407e54678aa37ead42049ca5ae2da4bb7fd1df764d0f1af068e914201a764cf93353f2db252b1d11bca89fe66adcc8ba5b937	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1400	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1368	a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe
1400	iexplore.exe
1400	iexplore.exe
560	IEXPLORE.EXE
560	IEXPLORE.EXE
560	IEXPLORE.EXE
560	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1400	1368	a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe	28
PID 1368 wrote to memory of 1400	1368	a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe	28
PID 1368 wrote to memory of 1400	1368	a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe	28
PID 1368 wrote to memory of 1400	1368	a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe	28
PID 1400 wrote to memory of 560	1400	iexplore.exe	30
PID 1400 wrote to memory of 560	1400	iexplore.exe	30
PID 1400 wrote to memory of 560	1400	iexplore.exe	30
PID 1400 wrote to memory of 560	1400	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe
"C:\Users\Admin\AppData\Local\Temp\a366ae4ff148f1e26fa04b91ac05ee997b74d619c12806e5718c52c70726a657.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=gOO_UqzEc5Y
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6909551ac23bad5befd87587b8590e45

SHA1
3b3829cebf57eaf635fcb53eed972043ae2b2499

SHA256
caa44346af626f4c5245664dd0ce506690270085e421ce7e8257b7ed41d8e7ec

SHA512
234cbf8ff17640639898698333b7c4ffd310c79e478b30792366790f3e3dbf84cdd4b8ecb2b10873c280788842a4471e0a4e7309334e85880a80727cb5ea2f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
1KB

MD5
4ab06742266a7fcab894755d914a0ae3

SHA1
51ec733c8b58ef6dd8af5fd59e0b2786a0e20213

SHA256
87a032f02968252c14c71d90412910ef14d65b826e7142bc351830e21b3d68d9

SHA512
ef2cb78bb8992d6cd2d891613edfa6c096125f8e02832af7468d9273bb49b4ca2737a1497a18d4e178f12f2a18ef6ad434f3db375951e1dd63d05111c41febc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PG6F5OWX.txt

Filesize
608B

MD5
509dfae3688b917d381e1be442e69ddf

SHA1
8f56906556e8734c85e3a1e66508acb3ad5e1707

SHA256
00eb88908073a07d8c1a75d9a7f63ea3a55c0b00e931a8bc96e8f0c5e609583d

SHA512
cddf125812d0ca1fa4abf6317e27c026478747acfa1c59a21b2f76275f83883de076004474d09695d57be7279192b4c5e5caa8b5af90edd436081f9bc151d88b

Download Submit
memory/1368-54-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1368-55-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/1368-58-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1368-59-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/1368-61-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads