Analysis
-
max time kernel
106s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
06/01/2023, 04:19
Static task
static1
Behavioral task
behavioral1
Sample
2.0
Resource
win7-20221111-en
windows7-x64
5 signatures
600 seconds
Behavioral task
behavioral2
Sample
2.0
Resource
win10v2004-20220901-en
windows10-2004-x64
8 signatures
600 seconds
General
-
Target
2.0
-
Size
111KB
-
MD5
65b3dfab29c25a55492efe21ad92632e
-
SHA1
6c08046143b7c44f64adf7e8f7ac67c464b97a8f
-
SHA256
6085485bc58d32c53afe30d8d41ddc8d8551186cd8d3e4bb301dac094bf7b24b
-
SHA512
7309a1ae67d4bcefbd0b23531586c2994077ea7539fd5d73073d2c8b4bb280fc98911f5df7e2e2e0f060c61970fa82a752ace10d0e4e99afe621ec87d1248e52
-
SSDEEP
3072:FoYEgdNJbIw0SBNMHBTnR6IGREQu3ObCDuqJLFtX6ts5ttlBnShSPMMaRYVR3ZGY:YDuqJRtX6ts5tfBnShSPMMaRYVRJGRJE
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005174569abc55a3488c2a9f673467e905000000000200000000001066000000010000200000006910e90c365df50c5484c23faf0ea31b843082fe941c418b6d95ae41e5638971000000000e8000000002000020000000b4a5a2d2e4824499cd1f0cddaa9cb7f84ddd1bbb09511878fd2ccaa1637f8c0120000000202ab37b4d290ffaee3a8d90730c9dd72d5eecd20d340b1db9dfb2e4fc772ea140000000738cccd68b41c1fefe7df94b18d5055d8bbd17721769c119656dffa49f0aa7241b8391a61e87438e716610bfc1bf5fce54e05e6847259ccc04f0d5844f4700b8 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005174569abc55a3488c2a9f673467e905000000000200000000001066000000010000200000002889c1115b22f1590b13a524b9b0dd69ed96a6a15dbe455d6830cfd770c0d478000000000e8000000002000020000000e0f9339d89d4b2c397abb49f05b47780817f1a2b6186f04d315982bba37140c320000000ced1cf7779a632500ba96889a7ada5dfc3285818129450b8b498bf625f9ca089400000006fc28dc3b3b1818072a94d7ebe78cdea515435fb9b6f0019916b61a9f439f2fe96ec13f1392c498ae0106f61c655dd218eae0fa76f4f609623b6891ebc53f179 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 000b075c8621d901 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40dde65f8621d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a0e55b8621d901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005174569abc55a3488c2a9f673467e90500000000020000000000106600000001000020000000df50b978bf7bb540175ef76b5b9b7e104200dce7a1ef4489d3486fcbc3eb1f5e000000000e8000000002000020000000d29ea05ef69ba3cbd1403a6c1f629625081b20f2008789e4f6e4af19c0758e35200000003e5b4c7bc5c9b1cee3b912dd11fd1ad45f8918f69abac0d74e8826a0a45b21d5400000005a0d2dbc4ce24f1a7d2d6b13b18d3844204a93e3365bd5a2015ea7e783047f30336ff4cf6cdecd9c4feae4c7e136533ac198aa025d2bc9ea4669d581e3b666c8 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7F33CF3F-8D79-11ED-A0EE-E289BC6C3020} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0d3a2638621d901 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005174569abc55a3488c2a9f673467e905000000000200000000001066000000010000200000005b3cdc81743503324e1bfce6e6b967587a1fa282d164066a8eed9d458ea93e73000000000e800000000200002000000003b50883659809477043cb20f041fb067980a03b5ed3a4fd255ebe77f41fa002200000001ce4c5a28be81f3bcb812662835aa1e295298bd1a6d43f73d4d55bc311b47a7b400000009404f002eb48a6431b61120f49c536ef70ff738add99fc459594e35ffb16dece4b6450a04c4e2c0e81a949bea77f3cc3d46fab1502f962cebd9848303fbf8d97 iexplore.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2316 OpenWith.exe -
Suspicious behavior: LoadsDriver 10 IoCs
pid Process 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 656 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2172 iexplore.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2316 OpenWith.exe 2172 iexplore.exe 2172 iexplore.exe 3460 IEXPLORE.EXE 3460 IEXPLORE.EXE 3460 IEXPLORE.EXE 3460 IEXPLORE.EXE 3460 IEXPLORE.EXE 3460 IEXPLORE.EXE 3460 IEXPLORE.EXE 3460 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2172 2316 OpenWith.exe 90 PID 2316 wrote to memory of 2172 2316 OpenWith.exe 90 PID 2172 wrote to memory of 3460 2172 iexplore.exe 92 PID 2172 wrote to memory of 3460 2172 iexplore.exe 92 PID 2172 wrote to memory of 3460 2172 iexplore.exe 92
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\2.01⤵
- Modifies registry class
PID:1808
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2.02⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3460
-
-