Analysis

max time kernel: 140s
max time network: 147s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 20:11
Static task: static1

Behavioral task: behavioral1
- Sample: 91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525.exe
- Resource: win10v2004-20221111-en

The signatures and process tree below are from the Windows 7 x64 run (behavioral1, win7-20220812-en), matching the platform and resource in the Analysis header.
General

- Target: 91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525.exe
- Size: 361KB
- MD5: 2a3ff6c6a379b06338620aaa1d7e649b
- SHA1: 73a26d4aecb21ebff1f0503c8e571d2f3c783493
- SHA256: 91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525
- SHA512: 7775b8274c1401c76b1762c3b9218d368f631056fed26c604ec7296c02f121d4a82511769e7bba1b3463e1ca9e2de9ef72b47b13a71893b29bb18e5c75d75f98
- SSDEEP: 6144:IflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:IflfAsiVGjSGecvX
Signatures

Executes dropped EXE (1 IoC)
- PID 1420, vrnxtpkgcmieawoc.exe

Loads dropped DLL (1 IoC)
- PID 2040, 91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525.exe (the submitted sample loads a DLL it wrote to disk)

Modifies Internet Explorer settings (23 IoCs)
All entries are written by the browser processes (iexplore.exe, PID 1340, and IEXPLORE.EXE, PID 436), not by the sample or its dropped executable, and all sit under \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer. They are the browser's normal session and first-run housekeeping, triggered because the sample launched it; they are not persistence or configuration changes made by the malware.
Keys created (relative to ...\Software\Microsoft\Internet Explorer):
- Recovery\AdminActive (iexplore.exe)
- Main\WindowsSearch (iexplore.exe)
- GPU (iexplore.exe)
- Toolbar\WebBrowser (iexplore.exe)
- LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Toolbar (iexplore.exe)
- IETld\LowMic (iexplore.exe)
- InternetRegistry (iexplore.exe)
- IntelliForms (iexplore.exe)
- Main (IEXPLORE.EXE)
- Main (iexplore.exe)
- BrowserEmulation\LowMic (iexplore.exe)
- PageSetup (iexplore.exe)
- Zoom (iexplore.exe)
- Recovery\PendingRecovery (iexplore.exe)
- LowRegistry (iexplore.exe)
- LowRegistry\DOMStorage (iexplore.exe)
Values set (all by iexplore.exe):
- Recovery\AdminActive\{64B73EA0-7857-11ED-9F7B-6E705F4A26E5} = 0 (int)
- Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (data)
- Main\CompatibilityFlags = 0 (int)
- Main\WindowsSearch\Version = "WS not running" (str)
- Main\FullScreen = "no" (str)
- Recovery\PendingRecovery\AdminActive = 0 (int)

Suspicious behavior: EnumeratesProcesses (35 IoCs)
- PID 2040, 91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525.exe (28 hits)
- PID 1420, vrnxtpkgcmieawoc.exe (7 hits)

Suspicious behavior: LoadsDriver (1 IoC)
- PID 472, process name not resolved by the sandbox ("Process not Found"); this PID is not part of the sample's process tree, so the driver load cannot be attributed to the sample on the evidence in this report.

Suspicious use of FindShellTrayWindow (1 IoC)
- PID 1340, iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 1340, iexplore.exe (2 hits)
- PID 436, IEXPLORE.EXE (4 hits)

Suspicious use of WriteProcessMemory (12 IoCs)
Source PID | Source process | Target PID | procid_target | Entries
2040 | 91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525.exe | 1420 | 28 | 4
2040 | 91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525.exe | 1340 | 29 | 4
1340 | iexplore.exe | 436 | 31 | 4
Each source/target pair is a parent/child launch in the process tree below (sample -> dropped EXE, sample -> iexplore.exe, iexplore.exe -> its IEXPLORE.EXE content process). The writes are consistent with process creation rather than injection into an unrelated process: no target PID outside the tree appears.
Processes

C:\Users\Admin\AppData\Local\Temp\91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525.exe
- Command line: "C:\Users\Admin\AppData\Local\Temp\91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525.exe"
- PID: 2040
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

  C:\Temp\vrnxtpkgcmieawoc.exe (child of 2040)
  - Command line: C:\Temp\vrnxtpkgcmieawoc.exe run
  - PID: 1420
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses

  C:\Program Files\Internet Explorer\iexplore.exe (child of 2040)
  - Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  - PID: 1340
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of 1340)
    - Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1340 CREDAT:275457 /prefetch:2
    - PID: 436
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

Read together, the tree shows two actions by the sample: it writes an executable with a random-looking name to C:\Temp and runs it with the argument "run", and it launches Internet Explorer to http://xytets.com:2345/t.asp?os=home, a URL on a non-standard port with an "os=home" parameter. The IEXPLORE.EXE child is the browser's own content process for PID 1340.
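The checks a triage analyst would apply to this tree, as an added example written for this page (it is not Triage's code and not part of the sample). It rebuilds the parent/child edges from the "wrote to memory of" IoC lines and the command lines copied from the report above, then flags a child executed from a user-writable directory and a browser launched by a non-browser parent to a URL on a port other than 80/443. The WRITABLE_DIRS and BROWSERS lists are the editor's own assumptions, not something the report states.

```python
"""Rebuild a Triage-style process tree from 'wrote to memory of' IoC lines and
apply two triage checks. Added example; IoC lines and command lines are copied
from the report, WRITABLE_DIRS and BROWSERS are assumed lists."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE = "91e4ac5d14b94b82630120c23a45f2bdc6993279a62f39a95032bbc0690ea525.exe"

# PID -> command line, from the Processes section of the report.
PROCESSES = {
    2040: '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"',
    1420: "C:\\Temp\\vrnxtpkgcmieawoc.exe run",
    1340: '"C:\\Program Files\\Internet Explorer\\iexplore.exe" '
          "http://xytets.com:2345/t.asp?os=home",
    436: '"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE" '
         "SCODEF:1340 CREDAT:275457 /prefetch:2",
}

# The twelve WriteProcessMemory IoC lines (four identical entries per launch).
WPM_IOCS = (
    [f"PID 2040 wrote to memory of 1420 2040 {SAMPLE} 28"] * 4
    + [f"PID 2040 wrote to memory of 1340 2040 {SAMPLE} 29"] * 4
    + ["PID 1340 wrote to memory of 436 1340 iexplore.exe 31"] * 4
)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Assumed: user-writable drop locations and browser image names worth inspecting.
WRITABLE_DIRS = ("c:\\temp\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def parse_parents(ioc_lines):
    """Map child PID -> parent PID; repeated entries for one pair collapse to one edge."""
    parents = {}
    for line in ioc_lines:
        m = WPM_RE.search(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            parents.setdefault(dst, src)
    return parents


def image_path(cmdline):
    """Image path from a command line: quoted first token, or up to the first space."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def render_tree(processes, parents):
    """Indented 'pid image' lines, roots first, children sorted by PID."""
    children = defaultdict(list)
    for child, parent in parents.items():
        children[parent].append(child)
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{pid} {image_path(processes[pid])}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(pid for pid in processes if pid not in parents):
        walk(root, 0)
    return out


def triage(processes, parents):
    """Return (pid, finding, detail) tuples for the two checks."""
    findings = []
    for pid, cmd in processes.items():
        path = image_path(cmd)
        parent = parents.get(pid)
        parent_img = basename(image_path(processes[parent])) if parent in processes else ""
        # Check 1: a child whose image lives in a user-writable directory. The root
        # (the submitted sample) is exempt: the sandbox itself placed it in %TEMP%.
        if parent is not None and any(d in path.lower() for d in WRITABLE_DIRS):
            findings.append((pid, "executed from writable dir", path))
        # Check 2: a browser started by a non-browser parent with a URL whose port
        # is not 80/443 (here the sample opening xytets.com:2345).
        if basename(path) in BROWSERS and parent_img not in BROWSERS:
            for tok in cmd.split():
                if tok.startswith(("http://", "https://")):
                    u = urlsplit(tok)
                    port = u.port or (443 if u.scheme == "https" else 80)
                    if port not in (80, 443):
                        findings.append((pid, "browser opened non-standard port URL",
                                         f"{u.hostname}:{port}"))
    return findings


if __name__ == "__main__":
    edges = parse_parents(WPM_IOCS)
    print("\n".join(render_tree(PROCESSES, edges)))
    for pid, what, detail in triage(PROCESSES, edges):
        print(f"[{pid}] {what}: {detail}")
```

Run as-is it prints the four-process tree and two findings: PID 1420 (C:\Temp\vrnxtpkgcmieawoc.exe executed from a writable directory) and PID 1340 (browser opened xytets.com:2345). Collapsing the four repeated WriteProcessMemory entries per pair into one edge is deliberate: on this platform each launch shows up as several writes by the parent, and the count carries no extra information for tree reconstruction.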
Downloads

Dropped file
- Filesize: 361KB
- MD5: 1d6db2f1cc3e67af64221d9d4a7ca81c
- SHA1: 3419338038fc5833921e968cf9711b3ff0918d6f
- SHA256: a9efc8a3ccea002edc10349ca6a9be6d65c9bd578d24328d55c711836f4b0ff8
- SHA512: d68032e7bd6b39709829690184a94e6ecb92d2971dbc63106d3e0a3e85ee6c4cc73a07d9b0fce7296a485ea54032a2a04a687ffff54065aeaa2469f8ae7f8c36
Same size as the submitted sample (361KB) but different hashes, so it is not a byte-for-byte copy of the original.