d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885

Analysis

max time kernel
256s
max time network
352s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe
Size

516KB
MD5

bcabfaa80e73c984229f810d47f57e3d
SHA1

6a213bed666b039bf1b9c4218dd1af36cfc8b701
SHA256

d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885
SHA512

f16c42287eced00fd64cbd6594f07a40b3157c3ff961065e80a7852d55e9448964488346dcff12c305a52dfff8513bc695a9ff85448468b4f1ced52322a075f6
SSDEEP

6144:qGFBYR8QaB8F6SXXMf2J1xWOHSCKN2xPazeFwhTqPrABl/djGzK7j3X:qKaR8TBL

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Download	d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb800000000020000000000106600000001000020000000ef4be95f8c58a3188a6e110f7ecc95a3db2721042ee7082a638121f2fd57a1c4000000000e8000000002000020000000690505ae1267522049efe0ec8dec146b1eb0ca2236b29f55a6f6f7ba6e5121ab900000004240e3b1f3e65b517ecd88217ed754a72192133a89fd2df216b49972dda4cbd5b7582cc4a37ef9d547c3129b72b56279018dc8f87c8e00dee031adbe4cc7d5df12dc3d90070b423a1e566a850a85eec726626f7aa9bd8ded8879a4c88403d21195d19ac40f61d85fae5e025566899a556fdde2abdf1c2602db97510736ed72abe870fe1185d4cd18eca24d80c82d61aa400000009e97bf98f0b5557a1eba194c51f64952c798688bf38bb77d699e909aa274eab483343a375f240d8e9e4f169854e3fab58d464fb868bb432d0a8a6ebf9141c81e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377471864"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e058bfacdc0cd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A71A2001-78CF-11ED-A1DD-EA20C184BE27} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb800000000020000000000106600000001000020000000c389d29b075fc3cf7cde9f38e3de3d4d19dfea3bf3230763de27bbf6d5723fd5000000000e8000000002000020000000ccfe97791d631508e14f987297f055dec835e632c7e45333094e7babb4d2ee4d20000000e57cb2abf6f85d8342f16b29c5309c36d9aeaa27177a5329776e7adaeb9684b140000000ff601e60042ddfce6e0dc906e9da95b87e276f1b0a5ae2d6d4c6066fa23ca5d2114d621af5b26b6758f2bd900a9b0893c41fcb34ba397d9c3560e54e00f59334	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1164	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1476	d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe
1164	iexplore.exe
1164	iexplore.exe
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1164	1476	d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe	28
PID 1476 wrote to memory of 1164	1476	d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe	28
PID 1476 wrote to memory of 1164	1476	d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe	28
PID 1476 wrote to memory of 1164	1476	d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe	28
PID 1164 wrote to memory of 2008	1164	iexplore.exe	30
PID 1164 wrote to memory of 2008	1164	iexplore.exe	30
PID 1164 wrote to memory of 2008	1164	iexplore.exe	30
PID 1164 wrote to memory of 2008	1164	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe
"C:\Users\Admin\AppData\Local\Temp\d6a6a4672e74518b08455e014b57cc1b3c57d21c0fb61835869498edf1025885.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/watch?v=gOO_UqzEc5Y
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1164 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
238efa66b46e1320f1452bbb335e83e8

SHA1
9d77fed63c7ce91bc62dfe0c1d9c354f04591acb

SHA256
cfc1bbbc67d33c03f3a7b57f7e434dd3809c48992f1dcd92f0143ceb3be26ace

SHA512
74b881c9b7fe3dcca4687860185d180d7373ea18acb358381f8015bc6015546d7ac067caf3b4e4cc05ecad05775cc81a5b5b12653a5696e66c713e760450b565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\mlf2v8h\imagestore.dat

Filesize
1KB

MD5
65c5f1308b1783ab8925407a9cd6f725

SHA1
513c12dd7c51ee7b376b9c7037804c9c6bcd11ed

SHA256
3167c2a6b6a2937403d48e1101977e469e9c85f1872b7283b7042dc25980db89

SHA512
3f88cd884630ab33e320374c7372346dffa054b2e6f20da98bc3ff581b2e1572293d11be61b6e78467cdae6b9295f87b34715b7127e943d67c31ce6dda01b2ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2EB6NUAO.txt

Filesize
608B

MD5
11b8f7dfd60cc40d4c7a424552dd228e

SHA1
573303cdccd9b0aaee71bbb3eb52a104e7d5cb1d

SHA256
eb3b5f592689413ec79ddb052e4d2644aa0fae557d99640e0d90f031efa0189d

SHA512
76b9d9007bdf535247ebe52e2a9537cb200185781889a4b3a660c26cd0ed79233583b3f66d82a295148aa737ebfe27bc4e23f4948ccc199defb0a332632a339c

Download Submit
memory/1476-54-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1476-57-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/1476-59-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads