a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65

Analysis

max time kernel
170s
max time network
184s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe
Size

141KB
MD5

3f6d9c8db25f4a2b3797927b2a58cece
SHA1

68e5997f8d7551e156f41971e3bc86d3fa80642e
SHA256

a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65
SHA512

e3ab723fbdb2bd8824763cb2030c3b5a0182c62d40734e3ec6946082dedf151966222dd55019928f94e270ccb83872ed389c96a3c65448e81d6559004d9d20d5
SSDEEP

3072:RZGAPBUo2hUE+6c4AUH7tSH2zZuYiMTkISJyeu8o:nxZUoqUE+6chUZSH2zZu4AIlU

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f69f1b850dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{246DB781-7978-11ED-8639-62E10F117DDC} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000257a1fd27da0bba54a6f365a50d27e53fc4f9072f002c07f19a64903a9efbbc9000000000e80000000020000200000004893a4623f9a5f91dbb441b348e396e47b1637f43a190a02c4034f9b1474dfaa900000001390db7b97d21ff404ce7dee49dc211a7fc6acc40743b696c969ee11dc493f742a793b7066610d8c3f329969d47e2c5ef1afdfd8822559e6a456e84cd1fab64e5dfeb4b36273c12f74314811417d4d05f7f7c2fdcb46b051b17a702015be6bbfede858095d4baa1ec4a78062ec323e6298a2c10556c6b78754adef11d9a6a5499a6c7783cb2dd742c031a4e73037e9da400000001fd86d014a384967a8ce24c19521a616d8fc7402af8755e354de42a3d356218a326b27528da5f0ef50ad8a032512db445197cd2fb684edddede42a9aa94198ed	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download	a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377544225"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000a07debc9cc7be6e58f9ca219626ce0822418da5fe7bad6f74e8397485052e10a000000000e8000000002000020000000a0f2474d6b645cfda523b6911729ae1bb802c33284d6083640e294b7849d86b220000000d9bfb7a8b6584c5c86cf53e5d5df89aa1c296cc4c986fb1b6313f09902eccfc240000000ca24da29a32d18e22a2115e0c149c66bb2dec9b78faa0da2fb3a7ca377aa479d37c2fc16c590af24808fb468df1efdf14cf27291a95dc47f8109a23e050103dd	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
268	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2028	a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe
268	iexplore.exe
268	iexplore.exe
852	IEXPLORE.EXE
852	IEXPLORE.EXE
852	IEXPLORE.EXE
852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 268	2028	a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe	28
PID 2028 wrote to memory of 268	2028	a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe	28
PID 2028 wrote to memory of 268	2028	a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe	28
PID 2028 wrote to memory of 268	2028	a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe	28
PID 268 wrote to memory of 852	268	iexplore.exe	30
PID 268 wrote to memory of 852	268	iexplore.exe	30
PID 268 wrote to memory of 852	268	iexplore.exe	30
PID 268 wrote to memory of 852	268	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe
"C:\Users\Admin\AppData\Local\Temp\a5040f3bf79a7bb249c930f0a97ca947d2cf7e499f1493ec9351decefef7ff65.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=vsd3g0h_vs0
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bf33330c6bde02fdb4edb31ebad85db

SHA1
e1e0ffd3f2e491c1e87512d9c417f6d834833ae7

SHA256
d502793f037436edc287638c2a2732da36577544cdcec668a3a8945c1f9bee99

SHA512
1a55b20e825134c6b5603a2ed06922c0543572c8858fcbfada78c904d049bafe27c340565095da235cab703206e8067f8aac09727840fbc13142efc69a6911c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
1KB

MD5
5e182e1bcc71a29782275cb3c7649cc9

SHA1
26c98ec6c0a0838c79eca196d2026253f5ef5f88

SHA256
3121cbcd50f78eaaf944a830ebd5c3ddaa45b0af74fe1295d918960ec462c811

SHA512
12d1bce72af4f210910d3898ef9505ec3efb718e2f8a3deba991016754ebf6a442ec555e00f8380ccadb46a3a66bbd438959b631f14af1c5ab4a6ec8d6812adc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I1GDIW2L.txt

Filesize
601B

MD5
ce076a6fb1accc2d6f3337816be1e0a5

SHA1
aa68bc85d1adf7f7eda3ebfd5023f4ef7bbe8ee1

SHA256
09afc285888f2816b4a5ccf8b20880c596e61a6ba062f8965cf6f15263c744ea

SHA512
3c800dc3b80e7b534e0a5f7ba1ef4b95cb12b2f1a65ec16c0da26095150fa314a75e83c9de7baafc7a59e95c877e9798c7ab275f8c6ae9b493c8fcb9b9ba7c1b

Download Submit
memory/2028-54-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2028-55-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download
memory/2028-58-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/2028-60-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2028-61-0x0000000000310000-0x0000000000356000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads