c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c

Analysis

max time kernel
145s
max time network
184s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
Size

286KB
MD5

0c89a7f0acb3f3da130cf6358063d5e7
SHA1

26f83e7fd79d227b892e49db1becfee8442a4b48
SHA256

c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c
SHA512

4aaafe5d0a80582767e9c2d4deab44cd05e81d9f4da1d89a22365ed017edcf80372c60da12cda1a288bcfb1e2b63c8a9e2f45af48572487f4472ee7230c65e82
SSDEEP

6144:3zynM6mVv1bYE8P23jbrry6BjvMtUQFPYVFtuChJHgVXOgDDI9QZtooiNn6ex+2W:3GnBmQZmfx+2L

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Download	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000001f999bee6c5bd99c510a91875aac4b5e9391e1c928986fd1cfcfaf284dbad568000000000e800000000200002000000085974d7bea0c1767a2af6e1c920cda4e2b37904baa0e5bde912cc414d7db847720000000659c19d00efc8cf3b9acb90917021198f7f976de0e0285cba471e9b5acba54fb40000000577fd6dd4db41d6a0befcd45dde8050509ae4c54f6417222c74378d7614cf2e2684105d236c4cf96a0ae427b1397a05f2dd6227f55cf7c81b6cf731c7052b3f0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000e3578419818bee513712bbb1bbd24243b9148031f04fe1841f414e517130701a000000000e800000000200002000000033c0907fe70dae6913c6696e603c3a651125b9664c5688e62ba39a13f711926a900000006f46cd145604f0a9251f8e264e7191ab020188dd6d82917915a4c94ba49b2c334dd2b531386f4c9aa7cb89c722910a7f7650c97c2ef9be921e8a4a97adbe4f4aafa5542fccfc0aa4fb2898868c27d566ef3cc0f5a7f15b8132b76b62072f9ddb9218254e71f99fc916631a0da779df0cf2405a3d33d7ac0fa31246ece2181571de4eafc381824539ad0dfb765f115f4640000000d9c0f2ac18d7dbb9f4637f00b242154acd7943ea7ce4204c45f2fb01a50007e6f52b0b4873b4f96c50b23401b3b71caefe2e2b59ba134954eaab7181c77a1ec7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{14329370-7849-11ED-AF62-72F0FB4431DC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50c518fe550cd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377414054"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1916	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
1916	iexplore.exe
1916	iexplore.exe
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE
1568	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1916	1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe	28
PID 1876 wrote to memory of 1916	1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe	28
PID 1876 wrote to memory of 1916	1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe	28
PID 1876 wrote to memory of 1916	1876	c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe	28
PID 1916 wrote to memory of 1568	1916	iexplore.exe	30
PID 1916 wrote to memory of 1568	1916	iexplore.exe	30
PID 1916 wrote to memory of 1568	1916	iexplore.exe	30
PID 1916 wrote to memory of 1568	1916	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe
"C:\Users\Admin\AppData\Local\Temp\c7f56169cff22e4dd66e6c368c4aa7ea9153ca65d34e1383ac214f4c8576607c.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=FvCdqOQZQuk
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51d8b209a9a5d9c075d83ec808989f61

SHA1
d18f44e7f63764597c5048e34bfc490f4af227cf

SHA256
a3eabbf4dc79dfabf364f406c5a4f42f7dd9f1a67a4f2aafcca269ec40f287e1

SHA512
aafac04128b3deca53b3fe8ba004ff8cc723685e13744fbabf3619d77f5ccad95690083be87917d86d20bd126ef434084371056d1e7644486530dd954397b7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
1KB

MD5
bc42e0d051d615830165b8b70239d34e

SHA1
a672208527b824d97879a35c520ed9fece975eb7

SHA256
ea71694d9bfd7d88b3ae93eef7e59c2a4630cfe94216a2f9e78df7b28a81e446

SHA512
223f117e7c6b145acffe597e4c259c5d2edd51080cbcd1ebf32ea082f87f8fb41555d05bfb260823886960a1b1d0f87fdc1a49c7fdca204c51cda4e57bf13d29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8YS54Z3G.txt

Filesize
601B

MD5
444eb26510b8463eecdcbdac4da472fd

SHA1
df5f07170b82d679bb96a9b9c17fff279b2e81e1

SHA256
a9adac115bf6887dd9da62d8d1b0d1907379fa93120963cff68659a0217854b8

SHA512
a58d01934642265047cf131ca155eb24aa9395cb221eb9bbd80044102463edbe1733efc9d194b89eb9244fa0bf8ff6644b0dce99e6b855f679e96bcf400fb6d5

Download Submit
memory/1876-56-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1876-57-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1876-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download