cbe005a1b13a85b5f6bed4fa213e1bb837b222521f8e83ac3879d5bf791d5288

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-01-2023 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoClickers.exe
Size

939KB
MD5

27d5a6c9274255cf89b38f28480edcf0
SHA1

88036bf7a8956dd7f7e53ffabb6d29a7508060dc
SHA256

cbe005a1b13a85b5f6bed4fa213e1bb837b222521f8e83ac3879d5bf791d5288
SHA512

46997fde9001405998beca19ee0be329743dc5aee7cda525add25309c795dfee0e5859ef4c4b1bf9e1cdce21f2ac5e90f1f336ee1f0b9e5372581c7f254ec075
SSDEEP

12288:UaWzgMg7v3qnCijErQohh0F4CCJ8lnyEQzHlV0RlPWhq2zXfu4uS0:LaHMv6C/rjinyEQzr0XP0q2zXfu4U

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009add1efb74f59d45a956201ee389b65900000000020000000000106600000001000020000000ea026df30c75ce7e7f0db736a7f1b4e94174820364da626dfaab0e3ec7d51f35000000000e80000000020000200000002280b8d7afe89714515311beaf2a7b1ed1041993285da2bb512b26d29bcfa3a690000000f335ea9501c4ed6d2d09a2965320c3f84bfaa853eb077d7581c4df5f499eb7af82f14b81937cee1e6b0781aa9f3c531d7fbaf1b573f837c9752047ce96935b36aa14a74aab4449786e98c7c42d6ea51affab1896f43e1ef7de14f414cf62e53d78961d96f04d3345956f1807358e9160a66dfe5cbd0dbe517027c5dcf7db2a9c192b0ab0b68dabaf25c573b918bf916d40000000496008d9b939ee0ebe4f28205b60c2de1d8ad484db14afd5258bb9b55832f1073a4656530bb5ca7a829100dbea5794540f0c101779562485804103dd5ca25d1d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "380149261"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009add1efb74f59d45a956201ee389b65900000000020000000000106600000001000020000000411bb258a44936e8d4c5e0ffb23ab3861e39a196cad3b0fb7421433d5813b18a000000000e80000000020000200000007e9a0dd1243290dac3a189428585af95facfc29fd3968f7e0143dc4f6c0d1d47200000009ca7f04e96779382a725609dcbf6dce7348bdd0f9c75395c3e8cb7e3cabadfec40000000f89af3cec710721f0c09fac783ae06e4e71f5a51ea8e233ee852ffedf9d6f5500dd4b371c00c631b4b22391c2a23fd50e608ded3190f111d0af229b458d17738	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60c0945a3625d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7A19EF01-9129-11ED-8B83-6A6CB2F85B9F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
800	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1752	AutoClickers.exe
800	vlc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1868	iexplore.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe
1752	AutoClickers.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1868	iexplore.exe
1868	iexplore.exe
836	IEXPLORE.EXE
836	IEXPLORE.EXE
1868	iexplore.exe
836	IEXPLORE.EXE
836	IEXPLORE.EXE
800	vlc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 836	1868	iexplore.exe	28
PID 1868 wrote to memory of 836	1868	iexplore.exe	28
PID 1868 wrote to memory of 836	1868	iexplore.exe	28
PID 1868 wrote to memory of 836	1868	iexplore.exe	28

C:\Users\Admin\AppData\Local\Temp\AutoClickers.exe
"C:\Users\Admin\AppData\Local\Temp\AutoClickers.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1752

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1868 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:836

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
132944710913f7c0fdc8e1b8dc2f2525

SHA1
1a8e54afe628adc2cddf1b2b0ede233ab9c717f6

SHA256
5552262c10c0c68b707fa2b1c7f50ef2ef06b3f7efe0e25c5f755973b6a3c598

SHA512
b9e0474561fb9ce07d1a1abe2a2a18464283a229c14eff366ceb0ac78e4495b29f622ab4605ccbfe6b1a92140db4a39ab1d314384af0081812e438c8db15fd24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
416B

MD5
f49dae5cda070c954feaba8415bbe203

SHA1
fa8fae369c736d3dd9d1b79989f0fc5414466865

SHA256
f983da5a86c4c3028809791447cd26752066a41cd89be422d3c6940c4f6c5b40

SHA512
83520f8ec57bd20b9299e9e35f81b6eb105c89ddab143d73ceb13c0d0508efec08330e9867f11c5737233d5779095355a951a062045e3ae8415667efd8b813f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
02c5aca35f2495c71b52d5b6d1a5a663

SHA1
a472ffc78d6a7e90bc87bc7b707c6eb34e901666

SHA256
d463df97523dfb8ad73811b68ff6c172b9d003cd11e52ab1bf3b876f501e6bac

SHA512
fb98b0cd227bfe616f94275477b490135478cc0e93892f4ad3b6661b52be8c8fc94d54d89fd2fba61748187c7de201660dc956a5eb91fcf46c00f348716e732d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
12KB

MD5
8897a21f612fc073e1fe2a3dd6ebd797

SHA1
550d3974f7a80387bf5725d8fb7d778820b7439b

SHA256
2ba240033d3c72d9b8715d98e50b51a23b535976ecdc0feb7005430d57c0702a

SHA512
7585df9fa31bedaec7760e99bd0e26c1204b43c57e5eed53adb7c91e27a576e088de65a8c16aa66023085944c5ffe3187cc2af0d3ff7dddfb8359c6e6c0ca9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
12KB

MD5
8897a21f612fc073e1fe2a3dd6ebd797

SHA1
550d3974f7a80387bf5725d8fb7d778820b7439b

SHA256
2ba240033d3c72d9b8715d98e50b51a23b535976ecdc0feb7005430d57c0702a

SHA512
7585df9fa31bedaec7760e99bd0e26c1204b43c57e5eed53adb7c91e27a576e088de65a8c16aa66023085944c5ffe3187cc2af0d3ff7dddfb8359c6e6c0ca9b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SRZ6M4S3.txt

Filesize
606B

MD5
082bdaa13d691f9285bad472283a20e3

SHA1
35a1237278521674d06639114dc9104aee2d72bf

SHA256
740c64f050c5aee542769695cfed5edfa1e6dcd14f343248cbeeccf90cf217ac

SHA512
228ba5240b555924a20b06913945727ab295b3e7f099bb46d72cbc11c446b58393f7aea2d752daa18fcf1a4d1068a764d7361acf12d4f8801fdf2b8afab49b40

Download Submit
memory/800-61-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1752-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download