Overview

overview

3

Static

static

1

URLScan

urlscan

1

https://www.sendspac...

windows10-2004-x64

3

Analysis

  • max time kernel
    91s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2023, 12:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.sendspace.com/file/b3nqja

Score
3/10

Malware Config

Signatures

  • Program crash 4 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.sendspace.com/file/b3nqja
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4528 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:648
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4528 CREDAT:82960 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2140
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1776
    • C:\Users\Admin\AppData\Local\Temp\Temp1_Idiot.zip\YouAreAnIdiot.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp1_Idiot.zip\YouAreAnIdiot.exe"
      1⤵
        PID:2248
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1200
          2⤵
          • Program crash
          PID:3648
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2248 -ip 2248
        1⤵
          PID:4080
        • C:\Users\Admin\Documents\Idiot\YouAreAnIdiot.exe
          "C:\Users\Admin\Documents\Idiot\YouAreAnIdiot.exe"
          1⤵
            PID:3472
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1556
              2⤵
              • Program crash
              PID:3556
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3472 -ip 3472
            1⤵
              PID:4864
            • C:\Users\Admin\Documents\Idiot\YouAreAnIdiot.exe
              "C:\Users\Admin\Documents\Idiot\YouAreAnIdiot.exe"
              1⤵
                PID:5096
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1528
                  2⤵
                  • Program crash
                  PID:4464
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5096 -ip 5096
                1⤵
                  PID:1040
                • C:\Users\Admin\Documents\Idiot\YouAreAnIdiot.exe
                  "C:\Users\Admin\Documents\Idiot\YouAreAnIdiot.exe"
                  1⤵
                    PID:4128
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1536
                      2⤵
                      • Program crash
                      PID:2740
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4128 -ip 4128
                    1⤵
                      PID:4072

                    Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                            Filesize

                            471B

                            MD5

                            9cae92cd10c808776c6c5bdc06b1e94e

                            SHA1

                            41c61f2ac2d1ad4680e70a5299e5b90465edb55d

                            SHA256

                            39da043a7022ce176b387cac9ef8c4735eaf8c69fc0c303deaacdc232ee73181

                            SHA512

                            6349fa3798e5447cc38c7e35ec3d33e355112f6dd191c0d0f185ed70157323176cacd129ae06e3491f402626567746b21ea5d31eb318b565d491a5abdbb394c8

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
                            Filesize

                            434B

                            MD5

                            ed34e21ddd2f6334e147d7da2fb79f0c

                            SHA1

                            adc76a332f6592a50dc020ca510e6aeed1609212

                            SHA256

                            eb73fe4f0f2405f4a9e024edd7bac6d87168fb3a46a7c89e638517d53b31d71f

                            SHA512

                            0e917c635399bfc3aaf2eba116fca2561c02c1e6d0a8c0a41b323e551da07535e935a75c07f1e8c02fbe4f162f7f5cced2aa3f1f80cb8b068b543583e36134fc

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NQWXWWJ6\iqbroker[1].xml
                            Filesize

                            3KB

                            MD5

                            1f74366506ef1d10c9ecf62a124ba3b1

                            SHA1

                            eb5c11de9ea3db1205e7ec4caf6986b63004ece0

                            SHA256

                            66ee81a93a7c89318a4d4499952360b32f7ce6f33487670ae0fe034db59a8ea9

                            SHA512

                            b0c1a35a045cfccf456970a1bfea22a05f1ff87158101ae299671b6f0010ed0319aac073b11cab7d5d50f4e933da73d1a0f1f6c0e674bd64ffe9f9a9432a30c5

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NQWXWWJ6\iqbroker[1].xml
                            Filesize

                            702B

                            MD5

                            a88cacea4419a8348d451a1d1bb76d1b

                            SHA1

                            48b67cda697f26c2f5737a130d4ff6204f560713

                            SHA256

                            2b881d904229f8970db90fbef5d736baf48b4a8a1a19af1b20d263e32f0c0c55

                            SHA512

                            c45bcbde4b8b02781f5dff021e15b5b8685215cdae9da35141f2c502267d3db135d7adb7147305a225f9c9e64ac9af27df861caf8c0a9659a45224842e51b72e

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NQWXWWJ6\iqbroker[1].xml
                            Filesize

                            2KB

                            MD5

                            762fd4b04f3fcce8df07fc0ebbbb83c3

                            SHA1

                            3cb2d032c8dbf0bba392f3906c23fc42356dcadb

                            SHA256

                            11648213e6f0cfc6b279eb375a9440c42aef40fdf105755a16679c86958c603a

                            SHA512

                            1fe1f0d45dd563592f086b767107fda8fa302523657572036afec0e91722048ab858bf1b3c6c9c3a94eeeeb0717fc89f5c71eff29fdff26acc3f6d4731b0589f

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat
                            Filesize

                            1KB

                            MD5

                            3cd4c3fdbde97586103efdf27c590887

                            SHA1

                            a9d4d086a583d8eabc85e7a85b5c9d2476e49cdf

                            SHA256

                            a109752416aed6a067c748a2782fc889e6470ce9f434df36127e1d28fb79bff1

                            SHA512

                            f1b13d993508975a8d7f32ecb7c70a98875623a4250a617c284879bef77b9d5f9c84604eeb75cd7e595e50b2e13b63794be40955cf3809c58fe627e881bef147

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\osplltc\imagestore.dat
                            Filesize

                            2KB

                            MD5

                            8488861106a8537cc81fede705cf91af

                            SHA1

                            84fd068bcb5ed088b32865d1160fe4d2dc9e2abd

                            SHA256

                            a4cf624111988bef286fad0b2d9005ac7f088461e76ee22cf69949d650d60ad1

                            SHA512

                            3837158720487c8af1a1827de246a2eb6e669b8c89b6bc3beb8d92d7da7922b8e05c878a0caf9332798310d989f52ce8f5c15406934ef8b662f5d3b9c45e5bee

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\favicon-32x32-4818c58847b8c850ac39bfe67cbb2328[1].png
                            Filesize

                            870B

                            MD5

                            4818c58847b8c850ac39bfe67cbb2328

                            SHA1

                            f01fcda73264f347db805d995d9c1660995b96ef

                            SHA256

                            90df719487d9208c271d7514b263ee5553c2f109873cb19a0c5cf6351a94efc1

                            SHA512

                            413ce8f85cbb7349aba5a8cbdec85170544f1b3eb18dd44bca01a977688f0a5f66562a24ac63987f66be6ba8c6ff6954f92ed89d3df5893529f83d536cc20dbd

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\Idiot.zip.q0tm8ie.partial
                            Filesize

                            232KB

                            MD5

                            d65cd3364f1054d810315c51eedd837d

                            SHA1

                            bae2aaa5d0a5a34f7d58bacc4e0eb9add69dcef1

                            SHA256

                            ac2aef094f56ac3356cfdc41f722a055255c16f5908fbfc38f5b8f8a3b091812

                            SHA512

                            696c52452e4099c2259d7bc4acee39335fcf386f6acbf17fe638cd3caa7a12231ed1fe907c97ec9570917ed729a85d381c6a936cfd71d86bafd290482f5e97c1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\Idiot[1].zip
                            Filesize

                            232KB

                            MD5

                            d65cd3364f1054d810315c51eedd837d

                            SHA1

                            bae2aaa5d0a5a34f7d58bacc4e0eb9add69dcef1

                            SHA256

                            ac2aef094f56ac3356cfdc41f722a055255c16f5908fbfc38f5b8f8a3b091812

                            SHA512

                            696c52452e4099c2259d7bc4acee39335fcf386f6acbf17fe638cd3caa7a12231ed1fe907c97ec9570917ed729a85d381c6a936cfd71d86bafd290482f5e97c1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\analytics[1].js
                            Filesize

                            49KB

                            MD5

                            54e51056211dda674100cc5b323a58ad

                            SHA1

                            26dc5034cb6c7f3bbe061edd37c7fc6006cb835b

                            SHA256

                            5971b095cff574a66d35ada016d4c077c86e2dea62e9c0f14cf7c94b258619de

                            SHA512

                            e305d190287c28ca0cc2e45b909a304194175bb08351ad3f22825b1d632b1a217fb4b90dfd395637932307a8e0cc01da2f47831fa4eda91a18e49efe6685b74b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\favicon[1].ico
                            Filesize

                            2KB

                            MD5

                            daabbd03aa994f0cb3aa7804a20fb0a5

                            SHA1

                            57b8ff4e6889f1a443e565b847da0b09e09edb31

                            SHA256

                            2fd3512d9d6a9fdec0b7d3b03028eae3ef84ac1382114a454f5671e33fe67ece

                            SHA512

                            f1dbe848a16488c245fb63a5e166a00fc209171c31b2effc6f3c55441ee8e645a74a7595128016ad12a9e552a938d57e2d24d803f20b5d8ba3c51b07ebb00d05

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\favicon[1].ico
                            Filesize

                            2KB

                            MD5

                            daabbd03aa994f0cb3aa7804a20fb0a5

                            SHA1

                            57b8ff4e6889f1a443e565b847da0b09e09edb31

                            SHA256

                            2fd3512d9d6a9fdec0b7d3b03028eae3ef84ac1382114a454f5671e33fe67ece

                            SHA512

                            f1dbe848a16488c245fb63a5e166a00fc209171c31b2effc6f3c55441ee8e645a74a7595128016ad12a9e552a938d57e2d24d803f20b5d8ba3c51b07ebb00d05

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\suggestions[1].en-US
                            Filesize

                            17KB

                            MD5

                            5a34cb996293fde2cb7a4ac89587393a

                            SHA1

                            3c96c993500690d1a77873cd62bc639b3a10653f

                            SHA256

                            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

                            SHA512

                            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

                            Download Submit

                          • memory/2248-422-0x0000000005130000-0x00000000051CC000-memory.dmp

                            Filesize

                            624KB

                            Download

                          • memory/2248-423-0x0000000005780000-0x0000000005D24000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/2248-424-0x00000000051D0000-0x0000000005262000-memory.dmp

                            Filesize

                            584KB

                            Download

                          • memory/2248-425-0x00000000050C0000-0x00000000050CA000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/2248-426-0x00000000053C0000-0x0000000005416000-memory.dmp

                            Filesize

                            344KB

                            Download

                          • memory/2248-427-0x0000000005110000-0x0000000005120000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2248-421-0x0000000000690000-0x0000000000702000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/3472-428-0x0000000005A80000-0x0000000005A8A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/3472-429-0x0000000005B00000-0x0000000005B10000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3472-430-0x0000000005B00000-0x0000000005B10000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4128-442-0x00000000051D0000-0x00000000051E0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/5096-441-0x0000000005060000-0x0000000005070000-memory.dmp

                            Filesize

                            64KB

                            Download