Analysis
- max time kernel: 147s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2022 01:46
Behavioral task: behavioral1
- Sample: 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe
- Resource: win10v2004-20221111-en
General
- Target: 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe
- Size: 26KB
- MD5: 8595535b946f18c37051d3a1e8cbac07
- SHA1: 061fae33fc7d5ce3fe859c7315e292634d8eb511
- SHA256: 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc
- SHA512: dfc20b9fc9adfa5bbb27bde4941d813438260940743af00b9c275cbeee9bd0d9f488d4827e90d048f9e259b033296c492a0c404c541d395d4bfaeeb6837457f3
- SSDEEP: 768:NYzN0KzwUbKS3Eaj4FPSWVpQL9SUIcBFitkjAmiW:N00KzwUbPUFP1Q5S/cBo5
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  688 | mstre19.exe
Processes:
  resource | yara_rule
  behavioral2/memory/4416-132-0x0000000000400000-0x0000000000413000-memory.dmp | upx
  C:\Windows\mstre19.exe | upx
  \??\c:\windows\mstre19.exe | upx
  behavioral2/memory/688-137-0x0000000000400000-0x0000000000413000-memory.dmp | upx
Drops file in Windows directory 4 IoCs
Processes:
  description | ioc | process
  File opened for modification | \??\c:\windows\mstre19.exe | 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe
  File created | \??\c:\windows\mstre19.exe | 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe
  File opened for modification | \??\c:\windows\msmark2.dat | mstre19.exe
  File created | \??\c:\windows\msmark2.dat | mstre19.exe
Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{804D6535-7767-11ED-BF5F-E2CDD1D11107} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376714094" | iexplore.exe
Modifies registry class 4 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/xhtml+xml | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml\CLSID = "{25336920-03F9-11cf-8FD0-00AA00686F13}" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml\Extension = ".xml" | regedit.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml\Encoding = 08000000 | regedit.exe
Runs .reg file with regedit 1 IoCs
Processes:
  pid  | process
  2680 | regedit.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid  | process
  4712 | iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid  | process
  4712 | iexplore.exe
  4712 | iexplore.exe
  3812 | IEXPLORE.EXE
  3812 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description | pid | process | target process
  PID 4416 wrote to memory of 688 | 4416 | 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe | mstre19.exe
  PID 4416 wrote to memory of 688 | 4416 | 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe | mstre19.exe
  PID 4416 wrote to memory of 688 | 4416 | 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe | mstre19.exe
  PID 4416 wrote to memory of 1660 | 4416 | 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe | cmd.exe
  PID 4416 wrote to memory of 1660 | 4416 | 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe | cmd.exe
  PID 4416 wrote to memory of 1660 | 4416 | 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe | cmd.exe
  PID 4712 wrote to memory of 3812 | 4712 | iexplore.exe | IEXPLORE.EXE
  PID 4712 wrote to memory of 3812 | 4712 | iexplore.exe | IEXPLORE.EXE
  PID 4712 wrote to memory of 3812 | 4712 | iexplore.exe | IEXPLORE.EXE
  PID 688 wrote to memory of 2680 | 688 | mstre19.exe | regedit.exe
  PID 688 wrote to memory of 2680 | 688 | mstre19.exe | regedit.exe
  PID 688 wrote to memory of 2680 | 688 | mstre19.exe | regedit.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    \??\c:\windows\mstre19.exe
      Command line: c:\windows\mstre19.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        \??\c:\windows\SysWOW64\regedit.exe
          Command line: regedit /s c:\2.reg
          - Modifies registry class
          - Runs .reg file with regedit
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c c:\4321f456.bat

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  Command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4712 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\mstre19.exe
  Filesize: 26KB
  MD5: 8595535b946f18c37051d3a1e8cbac07
  SHA1: 061fae33fc7d5ce3fe859c7315e292634d8eb511
  SHA256: 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc
  SHA512: dfc20b9fc9adfa5bbb27bde4941d813438260940743af00b9c275cbeee9bd0d9f488d4827e90d048f9e259b033296c492a0c404c541d395d4bfaeeb6837457f3
- \??\c:\2.reg
  Filesize: 202B
  MD5: 428090d84a47f875c8fdd6d0258f00c5
  SHA1: 96c029720065ac1dc5ece2a5481b780267d7b439
  SHA256: 8c8668f6339728aebfc08e547f15b0e250f6a551be86f47fcb6098ffe37f0404
  SHA512: f752bf52b359a5a82e821ee288e11cd4176c39ac3c932c6f44db69780c6e2597e654bbb3a9db9c32f8659d5af66fa9578b5625758b1f6db70c1314369dbadf7d
- \??\c:\4321f456.bat
  Filesize: 306B
  MD5: 7463340f8e25ce5b7391e9deaa84302c
  SHA1: 76f9a3cc5f769011e69e5ead350e4a7fdd920997
  SHA256: 35f20cb6d8b21a0c209e2145ee161b3525377ee4ee5465e658842c4eb2bc88d7
  SHA512: bcb280a8f465375d3b473c7f13c92e980f9b92bf9f4b401a94ee4f1f2b19bb44fb18532834ccb363dda714a493bbffb93aa66dc62eeb2b2c3e1c11320304c5e0
- \??\c:\windows\mstre19.exe
  Filesize: 26KB
  MD5: 8595535b946f18c37051d3a1e8cbac07
  SHA1: 061fae33fc7d5ce3fe859c7315e292634d8eb511
  SHA256: 8c95640230dd09c29d68420665a9ee492c03f3d5a59084819c380046e692e3cc
  SHA512: dfc20b9fc9adfa5bbb27bde4941d813438260940743af00b9c275cbeee9bd0d9f488d4827e90d048f9e259b033296c492a0c404c541d395d4bfaeeb6837457f3
- memory/688-133-0x0000000000000000-mapping.dmp
- memory/688-137-0x0000000000400000-0x0000000000413000-memory.dmp
  Filesize: 76KB
- memory/1660-136-0x0000000000000000-mapping.dmp
- memory/2680-139-0x0000000000000000-mapping.dmp
- memory/4416-132-0x0000000000400000-0x0000000000413000-memory.dmp
  Filesize: 76KB