50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124

Analysis

max time kernel
5s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Size

59KB
MD5

73e24a5a55914dad591341e667bdfb33
SHA1

f7779bc269b26b33b534f52fdf008bcb973b1a61
SHA256

50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124
SHA512

4c119b0f0bd90cf310dca9597abc06d2334f5afc8b21f31d9dd5470b7e2d12f69471b3e5220aa3cf744fe7c0905cdc628fdf8069c598269ec7ca812fffe7444b
SSDEEP

768:cU2v7xIzlpJN13aGjndUiDTuU3jJYBb8GENlD4v8yKH1QQRTJgvM6P556VDqnUA3:Sv7xcpfJdUaRVYUNlQkwhnlUf8nrzEC

Score

10^/10

evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\web\Index.htm	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
File opened for modification	C:\Windows\web\Index.htm	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
File created	C:\Windows\web\Index.html	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
File opened for modification	C:\Windows\web\Index.html	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TYPEDURLS	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.pmw8.com/?sh"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.pmw8.com/?sh"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)\Command	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\Command	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\Command\ = "iexplore.exe C:\\WINDOWS\\Web\\index.html"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)\Command	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)\ = "´ò¿ªÖ÷Ò³(&H)"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)\Command	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)\Command\ = "Rundll32.exe"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Play2a\10 = "0"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\HideOnDesktopPerUser	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\É¾³ý(&D)	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\HideFolderVerbs	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\DefaultIcon	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Play2a	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Play2a\1 = "20221210"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Play2a\cdafile2 = "141926"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)\Command\ = "Rundll32.exe"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Play2a\10 = "1"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ = "Internet Explorer"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\Open(&O)	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\Attributes = "0"	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\Shell\ÖØÃüÃû(&M)	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA8}\ShellFolder\WantsParseDisplayName	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1184	2020	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe	28
PID 2020 wrote to memory of 1184	2020	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe	28
PID 2020 wrote to memory of 1184	2020	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe	28
PID 2020 wrote to memory of 1184	2020	50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe	28

C:\Users\Admin\AppData\Local\Temp\50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
"C:\Users\Admin\AppData\Local\Temp\50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
  C:\Users\Admin\AppData\Local\Temp\50d5016f4f4b4529ed5da03014feb91bda1f1035430971c8877ad05c6c6cc124.exe
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer start page
  - Modifies registry class
  PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1184-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2020-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/2020-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2020-58-0x0000000001CF0000-0x0000000001D1C000-memory.dmp

Filesize
176KB

Download
memory/2020-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads