Analysis
-
max time kernel
90s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06/12/2022, 18:02
Static task
static1
Behavioral task
behavioral1
Sample
f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe
Resource
win10v2004-20220812-en
General
-
Target
f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe
-
Size
52KB
-
MD5
d6e7e97b595a5da8f8a53e6dc168df1c
-
SHA1
aec05e6a8a178d291c96267a59c4a483101d50ac
-
SHA256
f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865
-
SHA512
b8b247e9623edb69f43a69fd2f18e5b26481c2b7bbe574c10842a5efce41f3616afc6102f838a62edbf40c18ed254eae40301f58a1e8062d1d2e798f87e7a18d
-
SSDEEP
768:CwGI4s6XiKMAkjnlh7nTv+7SQBRJ0hLSqvIakyewLk13DTRy:d42Xnlh/W79JkL7IaNJLSR
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4656 romeo13.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification \??\c:\windows\romeo13.exe f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe File created \??\c:\windows\romeo13.exe f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe File opened for modification \??\c:\windows\b4657.dat romeo13.exe File created \??\c:\windows\b4657.dat romeo13.exe File opened for modification \??\c:\windows\romeo13.exe romeo13.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1037764114" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377516426" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001924" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001924" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001924" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{68FA2200-7937-11ED-AECB-F639923F7CA1} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1105256789" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1037764114" iexplore.exe -
Modifies registry class 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml\Extension = ".xml" regedit.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml\Encoding = 08000000 regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Mime\Database\Content Type\application/xhtml+xml regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml\CLSID = "{25336920-03F9-11cf-8FD0-00AA00686F13}" regedit.exe -
Runs .reg file with regedit 1 IoCs
pid Process 2984 regedit.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1484 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1484 iexplore.exe 1484 iexplore.exe 1476 IEXPLORE.EXE 1476 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2440 wrote to memory of 4656 2440 f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe 80 PID 2440 wrote to memory of 4656 2440 f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe 80 PID 2440 wrote to memory of 4656 2440 f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe 80 PID 2440 wrote to memory of 4908 2440 f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe 81 PID 2440 wrote to memory of 4908 2440 f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe 81 PID 2440 wrote to memory of 4908 2440 f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe 81 PID 1484 wrote to memory of 1476 1484 iexplore.exe 85 PID 1484 wrote to memory of 1476 1484 iexplore.exe 85 PID 1484 wrote to memory of 1476 1484 iexplore.exe 85 PID 4656 wrote to memory of 2984 4656 romeo13.exe 86 PID 4656 wrote to memory of 2984 4656 romeo13.exe 86 PID 4656 wrote to memory of 2984 4656 romeo13.exe 86 PID 4656 wrote to memory of 3520 4656 romeo13.exe 87 PID 4656 wrote to memory of 3520 4656 romeo13.exe 87 PID 4656 wrote to memory of 3520 4656 romeo13.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe"C:\Users\Admin\AppData\Local\Temp\f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\windows\romeo13.exec:\windows\romeo13.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\windows\SysWOW64\regedit.exeregedit /s c:\2.reg3⤵
- Modifies registry class
- Runs .reg file with regedit
PID:2984
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\353454543.bat3⤵PID:3520
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\353454543.bat2⤵PID:4908
-
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵PID:2664
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1476
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD5228d25dd7d377af29848012a2b059814
SHA1a29a3c1e167f3581b0aa4be90b1769a89beab01c
SHA2569d4e26398806093c8af5a60e646afb3c2fc110ea0dc93821e29dc48da62280bb
SHA5121d004bb21f7225fe220aae71d7836c0f5b2e58cb855209e2cc7f1a903ae73b67c408f59108b31faf7caed420758f4753b476c927299da5d607304b5d3a45bc61
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize434B
MD57f01dfadcbf00a084170fb3cb0c2f04d
SHA1707827d3b3ddee0f98d24568260963a05d9f6551
SHA2563d1e49df7ccc887d970da112b131267310f540de959358c79516fd6ef0cb0020
SHA512e3a4ae82572fa367930e4851e032330a118f90e2c7e5cbdf85515552c0de8243dc7205b51423ab3b0746b8079a1ad6d8de67112a5abf6aa019a280ddbb5700d5
-
Filesize
52KB
MD5d6e7e97b595a5da8f8a53e6dc168df1c
SHA1aec05e6a8a178d291c96267a59c4a483101d50ac
SHA256f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865
SHA512b8b247e9623edb69f43a69fd2f18e5b26481c2b7bbe574c10842a5efce41f3616afc6102f838a62edbf40c18ed254eae40301f58a1e8062d1d2e798f87e7a18d
-
Filesize
202B
MD5428090d84a47f875c8fdd6d0258f00c5
SHA196c029720065ac1dc5ece2a5481b780267d7b439
SHA2568c8668f6339728aebfc08e547f15b0e250f6a551be86f47fcb6098ffe37f0404
SHA512f752bf52b359a5a82e821ee288e11cd4176c39ac3c932c6f44db69780c6e2597e654bbb3a9db9c32f8659d5af66fa9578b5625758b1f6db70c1314369dbadf7d
-
Filesize
116B
MD5b420c64e5c921987cd2f92cb494e5d28
SHA1045987d605e6b21329f4ef17dc692a3c7d740af5
SHA256725acb501ded659a00f2d3e47b1b883bc51d9e86e3bcd43bc24950558d19fbfa
SHA512bb462c62642c582bca3af499a6f5035e6dfd842330a70f3a31117b1ac5db6574b082cd8fc9922e1f66f308a9c7dc5f35aedad548d800616ac803b33c02a52296
-
Filesize
276B
MD577f7828ebf4855db1db809269c85b8e2
SHA105ea2a3d17f1b0698a624477ee15e94fc8e57f94
SHA25645453bc0f247aaaeca26d949d523bdecce5e09b7343fd39cf891c85922f0be9f
SHA512f89ec4bd79fbbcf893a308cd0666b764a35c997b31852cf1790683a98e97c9ec4dc18f25db81f21429b43c063cb29945c280bece2ea40e4c94cba3499debfa1b
-
Filesize
52KB
MD5d6e7e97b595a5da8f8a53e6dc168df1c
SHA1aec05e6a8a178d291c96267a59c4a483101d50ac
SHA256f8f46a0dd702c4dc25bc7fe45a0e5c1b173e76adaf01e9c6eced2d0a320e6865
SHA512b8b247e9623edb69f43a69fd2f18e5b26481c2b7bbe574c10842a5efce41f3616afc6102f838a62edbf40c18ed254eae40301f58a1e8062d1d2e798f87e7a18d