Analysis

max time kernel: 101s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-12-2022 23:50
Static task: static1
URLScan task: urlscan1

Behavioral task: behavioral1
  Sample: https://ewydrfdndsbrt.shop/index.php?key=116614230752
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: https://ewydrfdndsbrt.shop/index.php?key=116614230752
  Resource: win10v2004-20221111-en
General

Target: https://ewydrfdndsbrt.shop/index.php?key=116614230752

Malware Config

Signatures
Program crash 2 IoCs
Processes:
pid  | pid_target | process      | target process
1668 | 1392       | WerFault.exe | IEXPLORE.EXE
4320 | 2352       | WerFault.exe | IEXPLORE.EXE

Modifies Internet Explorer settings
Processes:
description      | ioc | process
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1894964400" | IEXPLORE.EXE
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31002856" | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (str)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{97C6EFFD-7CDB-11ED-BF5F-FAE5CAF4041A} = "0" | iexplore.exe
Set value (str)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31002856" | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705e0f71e810d901 | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb00000000020000000000106600000001000020000000b31ee5761dce84ec47eb9d5318f6c065015dc46e9138831534cf13198cb2ca51000000000e80000000020000200000006981c695f7bf6b69bd5b67f81036e86c435de37ec8a3102004731b63b07348532000000048efcb7234edb3ed29c9e09145d80e2490e5f5f36da46ce6dda00b563760d37d400000001ac8affee9e17d362162b949f417014392240e08e8645f631e1eb5218c948bb9be6f2e430e1f1b1c37d2d67a864406e4f84392827e72034d07a99dd0ffded0c5 | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377916786" | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1816994539" | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a04bfc70e810d901 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1816994539" | iexplore.exe
Set value (int)  | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31002856" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000eef4ddb70fa9964f8bf69d510f57c1eb000000000200000000001066000000010000200000005d38c04c1b6828a839ad37308267ecc35bf42abf20c0c23b8aed1304b83cea37000000000e8000000002000020000000aba67fff902fea38b05dbe8dcd94a1830bc8327a156cb66f6eefcf14ea2a6c622000000047cb118b814343c380af97965428cba4614ed7c7d00b58aa282a7c64db71b3d34000000021d10aa510a66434ecae79ceb3a81f8683d964bf1c175cad719df8cd4ad7bdf962a252873c647264b73b8c69c42cad7fecb63bd87147390d81f17a71dac92900 | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created      | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  | process
4888 | iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid  | process
4888 | iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
pid  | process
4888 | iexplore.exe
4888 | iexplore.exe
1392 | IEXPLORE.EXE
1392 | IEXPLORE.EXE
2352 | IEXPLORE.EXE
2352 | IEXPLORE.EXE
2012 | IEXPLORE.EXE
2012 | IEXPLORE.EXE
2012 | IEXPLORE.EXE
2012 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                        | pid  | process      | target process
PID 4888 wrote to memory of 1392   | 4888 | iexplore.exe | IEXPLORE.EXE
PID 4888 wrote to memory of 1392   | 4888 | iexplore.exe | IEXPLORE.EXE
PID 4888 wrote to memory of 1392   | 4888 | iexplore.exe | IEXPLORE.EXE
PID 4888 wrote to memory of 2352   | 4888 | iexplore.exe | IEXPLORE.EXE
PID 4888 wrote to memory of 2352   | 4888 | iexplore.exe | IEXPLORE.EXE
PID 4888 wrote to memory of 2352   | 4888 | iexplore.exe | IEXPLORE.EXE
PID 4888 wrote to memory of 2012   | 4888 | iexplore.exe | IEXPLORE.EXE
PID 4888 wrote to memory of 2012   | 4888 | iexplore.exe | IEXPLORE.EXE
PID 4888 wrote to memory of 2012   | 4888 | iexplore.exe | IEXPLORE.EXE
Processes (process tree; indentation shows parent and child)

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://ewydrfdndsbrt.shop/index.php?key=116614230752
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4888 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 2888
      - Program crash

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4888 CREDAT:82952 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 2408
      - Program crash

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4888 CREDAT:17418 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1392 -ip 1392

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2352 -ip 2352
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1TQVPNOO\flash[1].js
  Filesize: 46KB
  MD5: 3013841acc5ef22bd5c0263b1fa996a7
  SHA1: 8fcc6136c900a3655a242a49f1e596a2a6fed0ee
  SHA256: 06ae1fc65527da0820ace271a8518e3fe1b45f416c05ce1bbbb98476262beb3a
  SHA512: 96cd6388d580464b9a6f870ca4b38adeb901917c1d12b17b105a72de066426eb0f9424d21412bfca6f00be4f0449e36af3dc41ee541b1874da2ecb21a1824d01

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1TQVPNOO\zepto.min[1].js
  Filesize: 25KB
  MD5: 50a4556b0089cfa1cb61e88ea23bbcce
  SHA1: 6865443a258954fa19b8aa682e1f4c77d42493d1
  SHA256: beb9f5e32ed61fbce010497242a9b6b8219242b5ffc636038e7891510c773725
  SHA512: 06bbd560d84a87ac924f6e04e4363f2e8a4b3b977ef0a626217caba41209d8f2be0b2c89c3f70b486fc17c9a2658b0b521b94dae688958696b1ae78a2ddfc493

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\54DSOF0M\index[1].htm
  Filesize: 22KB
  MD5: 3c077d4c24791225dafd09b3d50f0833
  SHA1: cb5ada754a189dc85a5387df1ded13eddab6cd98
  SHA256: 6434d8d1801032ba74c839e9ffe6184442cbbb42f46cd77447794692d86135c9
  SHA512: 8c464e2320205e4d15a365430916de71eb516dde5029adbc63f9cd4d6fba499ee2aae1c8d5bd8fee78cf509a9d180c39b1cad8ed9ca939f15d19e0b59fbba033

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\90MK9CXD\aes.min[1].js
  Filesize: 2KB
  MD5: b2c1e560bfa05e6a2fb04a78c09f824d
  SHA1: a38f5bb31ccbcd24fc8ca707b9479325526a90d8
  SHA256: 9d2324da115b05d11b9876e759bb7bd2589fa772abde237c9dbdb572f6e2d5fe
  SHA512: 7aa6d0bbd50df33b35197628a599a74c516d271a59d37147681328537770a0a8ab80646cb3d76262a56979c520b6a5b6611164215824c9c19057ce76703e3afb

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CYD2NY1G\crypto-js.min[1].js
  Filesize: 46KB
  MD5: cf3402d7483b127ded4069d651ea4a22
  SHA1: bde186152457cacf9c35477b5bdda5bcb56b1f45
  SHA256: eab5d90a71736f267af39fdf32caa8c71673fd06703279b01e0f92b0d7be0bfc
  SHA512: 9ce42ebc3f672a2aefc4376f43d38ca9ed9d81aa5b3c1eef60032bcc98a1c399be68d71fd1d5f9de6e98c4ce0b800f6ef1ef5e83d417fbffa63eef2408da55d8